Re: [Cfrg] HMAC-MD5
Steven M. Bellovin wrote:
> On Tue, 28 Mar 2006 16:20:59 -0500, Russ Housley <housley at vigilsec.com>
> wrote:
>
>> At the SAAG session last week, Sam and I were asked about
>> HMAC-MD5. Is it safe to keep using it? Should we encourage people
>> to use HMAC-SHA1 or HMAC-SHA256 instead? Why?
>>
>> Please provide advice on this matter in the next two weeks. We have
>> one working group that needs this advice very soon.
>>
> There are no risks from HMAC-MD5 from collision attacks. Hash function
> design has suddenly become a very hot topic, though. Collision-
> finding attacks on MD5 have gotten a lot faster, and people are
> starting to look very hard at the basic design. I personally will not
> be surprised if a preimage attack is found in the next two or three
> years, in which case all bets are off. (I've made this statement
> before; others have disagreed with me on the likelihood of collision
> attacks.) I'd rather avoid HMAC-MD5, just as a matter of
> future-proofing.
Just an extra data point, I believe the latest s/w for collisions has it
down to just two seconds!
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg