| < draft-turner-md5-seccon-update-01.txt | draft-turner-md5-seccon-update-02.txt > | |||
|---|---|---|---|---|
| Network Working Group S. Turner | Network Working Group S. Turner | |||
| Internet Draft IECA | Internet Draft IECA | |||
| Updates: 1321, 2202 (once approved) L. Chen | Updates: 1321, 2202 (once approved) L. Chen | |||
| Intended Status: Informational NIST | Intended Status: Informational NIST | |||
| Expires: January 8, 2011 July 8, 2010 | Expires: January 12, 2011 July 12, 2010 | |||
| Updated Security Considerations for the | Updated Security Considerations for the | |||
| MD5 Message-Digest Algorithm and HMAC-MD5 | MD5 Message-Digest and the HMAC-MD5 Algorithms | |||
| draft-turner-md5-seccon-update-01.txt | draft-turner-md5-seccon-update-02.txt | |||
| Abstract | Abstract | |||
| This document updates the security considerations for the MD5 message | This document updates the security considerations for the MD5 message | |||
| digest algorithm. It also updates the security considerations for | digest algorithm. It also updates the security considerations for | |||
| HMAC-MD5. | HMAC-MD5. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on January 8, 2011. | This Internet-Draft will expire on January 12, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 49 ¶ | skipping to change at page 2, line 49 ¶ | |||
| MD5 has been studied extensively. What follows are recent attacks | MD5 has been studied extensively. What follows are recent attacks | |||
| against MD5's collisions, pre-image, and second pre-image resistance. | against MD5's collisions, pre-image, and second pre-image resistance. | |||
| Additionally, attacks against MD5 used in message authentication with | Additionally, attacks against MD5 used in message authentication with | |||
| a shared secret (i.e., HMAC-MD5) are discussed. | a shared secret (i.e., HMAC-MD5) are discussed. | |||
| Some may find the guidance for key lengths and algorithm strengths in | Some may find the guidance for key lengths and algorithm strengths in | |||
| [SP800-57] and [SP800-131] useful. | [SP800-57] and [SP800-131] useful. | |||
| 2.1. Collision Resistance | 2.1. Collision Resistance | |||
| The first paper that demonstrates actual collisions of MD5 was | Psuedo-collisions for the compress function of MD5 were first | |||
| published in 2004 [WFLY2004]. The detailed attack techniques for MD5 | described in 1993 [denBBO1993]. In 1996, [DOB1995] demonstrated a | |||
| were published at EUROCRYPT 2005 [WAYU2005]. Since then, a lot of | collision pair for the MD5 compression function with a chosen initial | |||
| research results have been published to improve collision attacks on | value. The first paper that demonstrated two collision pairs for | |||
| MD5. The attacks presented in [KLIM2006] can find MD5 collision in | regular MD5 was published in 2004 [WFLY2004]. The detailed attack | |||
| about one minute on a standard notebook PC (Intel Pentium, 1.6 GHz.). | techniques for MD5 were published at EUROCRYPT 2005 [WAYU2005]. Since | |||
| In [STEV2007], he claim that it takes 10 seconds or less on a 2.6Ghz | then, a lot of research results have been published to improve | |||
| Pentium4 to find collisions. In | collision attacks on MD5. The attacks presented in [KLIM2006] can | |||
| find MD5 collision in about one minute on a standard notebook PC | ||||
| (Intel Pentium, 1.6 GHz.). In [STEV2007], he claim that it takes 10 | ||||
| seconds or less on a 2.6Ghz Pentium4 to find collisions. In | ||||
| [STEV2007][SLdeW2007][SSALMOdeW2009][SLdeW2009], the collision | [STEV2007][SLdeW2007][SSALMOdeW2009][SLdeW2009], the collision | |||
| attacks on MD5 were successfully applied to X.509 certificates. | attacks on MD5 were successfully applied to X.509 certificates. | |||
| Notice that the collision attack on MD5 can also be applied to | Notice that the collision attack on MD5 can also be applied to | |||
| password based challenge-and-response authentication protocols such | password based challenge-and-response authentication protocols such | |||
| as APOP protocol used in post office authentication as presented in | as APOP protocol used in post office authentication as presented in | |||
| [LEUR2007]. | [LEUR2007]. | |||
| In fact, more delicate attacks on MD5 to improve the speed of finding | In fact, more delicate attacks on MD5 to improve the speed of finding | |||
| collisions have published recently. However, the aforementioned | collisions have published recently. However, the aforementioned | |||
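Review bot: The new opening sentence of 2.1 misspells "Psuedo-collisions"; it should read "Pseudo-collisions". In the same paragraph the tag [DOB1995] is introduced with "In 1996", and the reference entry itself gives Eurocrypt 1996, so the tag year and the stated year disagree and one of them should be changed (for example, retagging the entry as [DOB1996] everywhere). Further down, the carried-over sentence "In [STEV2007], he claim that it takes 10 seconds or less on a 2.6Ghz Pentium4 to find collisions" needs "he claims" (or the impersonal "it is claimed"), and the unit written as "2.6 GHz Pentium 4" to match the "1.6 GHz" form two lines earlier; "can find MD5 collision" should be "can find an MD5 collision". The last paragraph's "more delicate attacks on MD5 to improve the speed of finding collisions have published recently" is missing "been" ("have been published"). Since this text is being rewritten in -02 anyway, this is the revision in which to fix them.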
| skipping to change at page 4, line 19 ¶ | skipping to change at page 4, line 22 ¶ | |||
| The attacks on HMAC-MD5 do not seem to indicate a practical | The attacks on HMAC-MD5 do not seem to indicate a practical | |||
| vulnerability when used as a message authentication code. Considering | vulnerability when used as a message authentication code. Considering | |||
| that the distinguishing-H attack is different from distinguishing-R | that the distinguishing-H attack is different from distinguishing-R | |||
| attack, which distinguishes an HMAC from a random function, the | attack, which distinguishes an HMAC from a random function, the | |||
| practical impact on HMAC usage as a PRF such as in a key derivation | practical impact on HMAC usage as a PRF such as in a key derivation | |||
| function is not well understood. | function is not well understood. | |||
| Therefore, it may not be urgent to remove HMAC-MD5 from the existing | Therefore, it may not be urgent to remove HMAC-MD5 from the existing | |||
| protocols. However, since MD5 must not be used for digital | protocols. However, since MD5 must not be used for digital | |||
| signatures, for a new protocol design, a ciphersuite with HMAC-MD5 | signatures, for a new protocol design, a ciphersuite with HMAC-MD5 | |||
| should not be included. | should not be included. Options include HMAC-SHA256 [HMAC][HMAC- | |||
| SHA256] and [AES-CMAC] when AES is more readily available than a hash | ||||
| function. | ||||
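Review bot: The reason given in the new paragraph for excluding HMAC-MD5 from new designs does not follow from what precedes it. The section first states that the attacks on HMAC-MD5 "do not seem to indicate a practical vulnerability when used as a message authentication code", and then rules HMAC-MD5 out of new ciphersuites "since MD5 must not be used for digital signatures", which is a consequence of MD5's broken collision resistance (Section 2.1) and says nothing about HMAC-MD5 as a MAC. The ground the section itself supplies is the open PRF question ("the practical impact on HMAC usage as a PRF such as in a key derivation function is not well understood"); suggest stating that, together with the collision results, as the reason new designs should prefer other MACs. The added options sentence should also make the selection criterion explicit for both alternatives, e.g. "Options include HMAC-SHA256 [HMAC][HMAC-SHA256] where a hash function is available, and AES-CMAC [AES-CMAC] when AES is more readily available than a hash function."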
| 3. IANA Considerations | 3. IANA Considerations | |||
| None. | None. | |||
| 4. Normative References | 4. Acknowledgements | |||
| Obviously, we have to thank all the cryptographers who produced the | ||||
| results we refer to in this document. We'd also like to thank Martin | ||||
| Rex and Benne de Weger for their comments. | ||||
| 5. Normative References | ||||
| [AES-CMAC] Song, J., Poovendran, R., Lee., J., and T. Iwata, | ||||
| "The AES-CMAC Algorithm", RFC 4493, June 2006. | ||||
| [COYI2006] S. Contini, Y.L. Yin. Forgery and partial key- | [COYI2006] S. Contini, Y.L. Yin. Forgery and partial key- | |||
| recovery attacks on HMAC and NMAC using hash | recovery attacks on HMAC and NMAC using hash | |||
| collisions. ASIACRYPT 2006. LNCS 4284, Springer, | collisions. ASIACRYPT 2006. LNCS 4284, Springer, | |||
| 2006. | 2006. | |||
| [denBBO1993] den Boer, B. and A. Bosselaers, "Collisions for the | ||||
| compression function of MD5", Eurocrypt 1993. | ||||
| [DOB1995] Dobbertin, H., "Cryptanalysis of MD5 Compress", | ||||
| Eurocrypt 1996. | ||||
| [FLN2007] Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full key- | [FLN2007] Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full key- | |||
| recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. | recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. | |||
| CRYPTO 2007. LNCS, 4622, Springer, 2007. | CRYPTO 2007. LNCS, 4622, Springer, 2007. | |||
| [HASH-Attack] Hoffman, P., and B. Schneier, "Attacks on | [HASH-Attack] Hoffman, P., and B. Schneier, "Attacks on | |||
| Cryptographic Hashes in Internet Protocols", RFC | Cryptographic Hashes in Internet Protocols", RFC | |||
| 4270, November 2005. | 4270, November 2005. | |||
| [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: | [HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: | |||
| Keyed-Hashing for Message Authentication", RFC | Keyed-Hashing for Message Authentication", RFC | |||
| 2104, February 1997. | 2104, February 1997. | |||
| [HMAC-MD5] Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5 | [HMAC-MD5] Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5 | |||
| and HMAC-SHA-1", RC 2201, September 1997. | and HMAC-SHA-1", RC 2201, September 1997. | |||
| [HMAC-SHA256] Nystrom, M., "Identifiers and Test Vectors for | ||||
| HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and | ||||
| HMAC-SHA-512", RFC 4231, December 2005. | ||||
| [KLIM2006] V. Klima. Tunnels in Hash Functions: MD5 Collisions | [KLIM2006] V. Klima. Tunnels in Hash Functions: MD5 Collisions | |||
| within a Minute. Cryptology ePrint Archive, Report | within a Minute. Cryptology ePrint Archive, Report | |||
| 2006/105 (2006), http://eprint.iacr.org/2006/105. | 2006/105 (2006), http://eprint.iacr.org/2006/105. | |||
| [LEUR2007] G. Leurent, Message freedom in MD4 and MD5 | [LEUR2007] G. Leurent, Message freedom in MD4 and MD5 | |||
| collisions: Application to APOP. Proceedings of | collisions: Application to APOP. Proceedings of | |||
| FSE 2007. Lecture Notes in Computer Science 4715. | FSE 2007. Lecture Notes in Computer Science 4715. | |||
| Springer 2007. | Springer 2007. | |||
| [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC | [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC | |||
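Review bot: The [HMAC-MD5] entry cites "RC 2201", but the header line says this draft updates RFC 2202, and "Test Cases for HMAC-MD5 and HMAC-SHA-1" is RFC 2202; correct the entry to "RFC 2202, September 1997". The new [DOB1995] entry gives the venue as Eurocrypt 1996, which is inconsistent with its own tag and with the "In 1996, [DOB1995]" citation in 2.1; the tag and the year should agree. The list also mixes two citation styles: the added entries [AES-CMAC], [denBBO1993], [DOB1995] and [HMAC-SHA256] follow the RFC style (surname, initials, quoted title, venue, date), whereas [COYI2006], [FLN2007], [KLIM2006] and [LEUR2007] use "initials surname, unquoted title"; while the list is being edited, bring the older entries into the RFC style. Finally, the section is titled "Normative References" but most of the entries are cryptanalysis papers that the document discusses rather than depends on for conformance; for an Informational draft these belong in an Informative References section, leaving [HMAC], [HMAC-MD5], [HMAC-SHA256], [AES-CMAC] and [MD5] as the normative ones.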
| End of changes. 8 change blocks. | ||||
| 14 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/