[Cfrg] Re: [saag] Bad day at the hash function factory

[Stephen Kent <kent at bbn.com>]

At 8:59 PM -0400 8/19/04, james hughes wrote:
> One comment and two discussion points.
>
> Can we withdraw the MD5 RFC as obsolete?
>
> On Aug 19, 2004, at 12:23 PM, David A. McGrew wrote:
> > > WHAT'S SAFE?
> > > First, anything that's already been signed is definitely safe.  If you
> > > stop using MD5 today, nothing you signed already puts you at risk.
>
> I sign a document (in the clear) which says "... pay me $100.00 ... 
> " and now I can create a document that to  "... pay me $10,000 ... " 
> with a collision. Just because the original is old, why are old 
> these documents safe?

because you would have to generate a collision with a fixed value, 
the old has, and the techniques presented do not do that. They find a 
collision for MD5 based on the ability to create both messages from 
scratch. This is fundamentally different, in the same way that 
"birthday paradox" attacks have always been different from fixed 
message attacks.


Steve

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg