
Re: [Cfrg] HMAC-MD5



On Tue, 28 Mar 2006 16:20:59 -0500, Russ Housley <housley at vigilsec.com>
wrote:

> At the SAAG session last week, Sam and I were asked about 
> HMAC-MD5.  Is it safe to keep using it?  Should we encourage people 
> to use HMAC-SHA1 or HMAC-SHA256 instead?  Why?
> 
> Please provide advice on this matter in the next two weeks.  We have
> one working group that needs this advice very soon.
> 
There are no risks from HMAC-MD5 from collision attacks.  Hash function
design has suddenly become a very hot topic, though.  Collision-
finding attacks on MD5 have gotten a lot faster, and people are
starting to look very hard at the basic design.  I personally will not
be surprised if a preimage attack is found in the next two or three
years, in which case all bets are off.  (I've made this statement
before; others have disagreed with me on the likelihood of collision
attacks.) I'd rather avoid HMAC-MD5, just as a matter of
future-proofing.


		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
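Added illustration, not part of the thread above: the HMAC construction from RFC 2104 treats the hash as a pluggable parameter, keying both the inner and the outer pass, which is why a collision in the bare hash does not directly give an attacker a forged tag and why switching from HMAC-MD5 to HMAC-SHA256, as the reply recommends, is a one-parameter change for a correctly layered implementation. The code below is a from-scratch HMAC checked against Python's `hmac` module and against the first test vector in RFC 2104; the key and message values other than that vector are constructed for the example.

```python
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), per RFC 2104.

    hash_name is any hashlib algorithm ("md5", "sha1", "sha256", ...);
    the construction itself does not change when the hash is swapped.
    """
    h = getattr(hashlib, hash_name)
    block_size = h().block_size          # 64 bytes for MD5, SHA-1, SHA-256
    # Keys longer than the block are hashed first, then zero-padded to block size.
    if len(key) > block_size:
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = h(ipad_key + msg).digest()   # secret-prefixed inner hash
    return h(opad_key + inner).digest()  # secret-prefixed outer hash


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hash_name), tag)


def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the hand-rolled HMAC against the standard library."""
    return hmac_rfc2104(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


def migrate_tag(key: bytes, msg: bytes) -> dict:
    """Same key, same message, three hashes: only the hash_name argument differs."""
    return {name: hmac_rfc2104(key, msg, name).hex() for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    # Constructed sample key and message for demonstration.
    k, m = b"example-shared-secret", b"GET /resource?id=42"
    for name, tag in migrate_tag(k, m).items():
        print(f"HMAC-{name.upper():6} {tag}")
    print("stdlib agrees:", all(matches_stdlib(k, m, n) for n in ("md5", "sha1", "sha256")))
    print("tampered message rejected:",
          not verify_tag(k, b"GET /resource?id=43", hmac_rfc2104(k, m, "sha256"), "sha256"))
```

The long-key branch matters in practice: a key longer than the hash's block size is itself hashed before padding, so two implementations that disagree on that step will produce different tags for the same inputs.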

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg