
Re: [Cfrg] Re: [saag] Bad day at the hash function factory




On Aug 20, 2004, at 10:17, Russ Housley wrote:
Can we withdraw the MD5 RFC as obsolete?

Nope. There are a lot of mechanisms that use it. And MD5 is the only integrity mechanism that we have for BGP (see draft-iesg-tcpmd5app-00.txt). It will take a long time to completely move away from MD5.

If folks know of a specific attack against either Keyed-MD5 (which is
used by at least TCP MD5, OSPFv2 MD5, and RIPv2 MD5) or HMAC-MD5 (which is
used by at least ESP/AH), please publish the full bibliographic citation(s)
here. I am not aware of any openly published attacks against either
application of MD5, though clearly the compression issue with MD5
(which dates back at least as far as Dobbertin's paper) is cause for concern.


That said, there are a number of reasons that make it sensible to migrate
existing uses of Keyed-MD5 or HMAC-MD5 to HMAC-SHA-1. (One not yet stated
here is that some governments (plural) insist on SHA-1 rather than MD5 if
one wants one's implementation to obtain government certification and/or
accreditation. FIPS 140-2 is an example of such a certification.)


Any migration will likely take years, not months, in the deployed Internet.
A useful first step would be to draft specs on use of SHA-1 with TCP, OSPFv2,
and RIPv2 -- probably using HMAC-hash rather than Keyed-hash at the same time.


Given the existence of the RPsec WG, I imagine that doing such work as
an independent submission, which is faster and simpler, would be erroneously
viewed as an end-run, so maybe the Security ADs could take up the issue with
RPsec -- hopefully on some sort of fast-track over there. The sooner the
enhanced specs get to RFC -- whether standards-track or not (implementers
need stable openly published specs, but aren't too hung up about what is
standards-track) -- the sooner that the SHA-1 versions will be coded and available in shipping router images.


And yes, algorithm-independence is a good thing, as I argued in an
article published in IEEE Computer magazine back in the mid-90s. I think
that one can specify TCP-hash, OSPFv2 hash, and RIPv2 hash in an algorithm-
independent way without breaking backward compatibility with the Keyed-MD5
variant that is currently deployed.


Yours,

Ran
rja at extremenetworks.com
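The two constructions Ran contrasts can be seen side by side in a few lines. The following is an added example, not code from the thread or from any of the specifications it mentions: it builds the bytes that RFC 2385 (TCP MD5 Signature Option) hashes, namely the TCP pseudo-header, the TCP header with its checksum zeroed and options excluded, and the segment data, and then applies the deployed Keyed-MD5 form (MD5 of message followed by key) as well as HMAC-MD5 and HMAC-SHA-1 over the same material, behind an algorithm-indexed table of the kind an algorithm-independent spec would allow. The addresses, ports, key and BGP KEEPALIVE payload are constructed sample values.

```python
"""Added example: RFC 2385-style Keyed-MD5 over a TCP segment next to HMAC-MD5
and HMAC-SHA-1 over the same bytes, behind an algorithm-independent table.
Not code from the original thread; the sample segment and key are constructed."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6


def signed_material(src_ip, dst_ip, tcp_header_no_options, options_len, payload):
    """Bytes RFC 2385 section 2.0 feeds to the hash, in order:
    1. TCP pseudo-header (src addr, dst addr, zero, protocol 6, TCP segment length),
    2. the 20-byte TCP header with checksum zeroed and options excluded,
    3. the segment data.
    The key is appended by keyed_md5(); the HMAC variants take it separately."""
    if len(tcp_header_no_options) != 20:
        raise ValueError("expected a 20-byte TCP header without options")
    tcp_len = 20 + options_len + len(payload)  # segment length still counts the options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    # zero the checksum field (bytes 16..17) regardless of what the wire copy carried
    hdr = tcp_header_no_options[:16] + b"\x00\x00" + tcp_header_no_options[18:]
    return pseudo + hdr + payload


def keyed_md5(key, material):
    """Keyed-MD5 as deployed by TCP MD5, OSPFv2 MD5 and RIPv2 MD5:
    a plain hash of message || key, with the key appended rather than
    mixed in through inner/outer pads as HMAC does."""
    return hashlib.md5(material + key).digest()


def hmac_md5(key, material):
    return hmac.new(key, material, hashlib.md5).digest()


def hmac_sha1(key, material):
    return hmac.new(key, material, hashlib.sha1).digest()


# Algorithm-independent dispatch: a new algorithm is a new row, not a new protocol.
MAC_ALGORITHMS = {"keyed-md5": keyed_md5, "hmac-md5": hmac_md5, "hmac-sha1": hmac_sha1}


def sign_segment(alg, key, src_ip, dst_ip, header, options_len, payload):
    material = signed_material(src_ip, dst_ip, header, options_len, payload)
    return MAC_ALGORITHMS[alg](key, material)


def verify_segment(alg, key, src_ip, dst_ip, header, options_len, payload, tag):
    expected = sign_segment(alg, key, src_ip, dst_ip, header, options_len, payload)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def build_tcp_header(src_port, dst_port, seq, ack, data_offset_words, flags,
                     window, checksum=0, urg=0):
    """Fixed 20-byte TCP header; data offset counts any options that follow it."""
    offset_flags = (data_offset_words << 12) | flags
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, checksum, urg)


# Constructed sample: a BGP segment (port 179) 192.0.2.1 -> 192.0.2.2 that carries
# the 18-byte MD5 option (kind 19) padded to 20 bytes, so data offset = 5 + 5 words.
SRC, DST = "192.0.2.1", "192.0.2.2"
OPTIONS_LEN = 20
HEADER = build_tcp_header(179, 54001, 0x1000, 0x2000, 5 + OPTIONS_LEN // 4,
                          0x18, 65535, checksum=0xBEEF)
# BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4
PAYLOAD = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"bgp-secret"  # constructed sample key


def demo():
    """Tag the sample segment under each algorithm; returns {alg: digest}."""
    return {alg: sign_segment(alg, KEY, SRC, DST, HEADER, OPTIONS_LEN, PAYLOAD)
            for alg in MAC_ALGORITHMS}


if __name__ == "__main__":
    for alg, tag in demo().items():
        print(f"{alg:10s} {len(tag):2d} bytes  {tag.hex()}")
```

Two things worth noticing when running it: because RFC 2385 zeroes the checksum before hashing, a header that differs only in its checksum field yields the same tag, so a receiver must recompute the checksum separately; and the Keyed-MD5 and HMAC-MD5 rows disagree for the same key and bytes, which is why a migration to HMAC-hash (let alone SHA-1) needs a negotiated or configured algorithm identifier rather than a silent swap.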




_______________________________________________ Cfrg mailing list Cfrg at ietf.org https://www1.ietf.org/mailman/listinfo/cfrg