| < draft-turner-md5-seccon-update-02.txt | draft-turner-md5-seccon-update-03.txt > | |||
|---|---|---|---|---|
| Network Working Group S. Turner | Network Working Group S. Turner | |||
| Internet Draft IECA | Internet Draft IECA | |||
| Updates: 1321, 2202 (once approved) L. Chen | Updates: 1321, 2202 (once approved) L. Chen | |||
| Intended Status: Informational NIST | Intended Status: Informational NIST | |||
| Expires: January 12, 2011 July 12, 2010 | Expires: March 23, 2011 September 23, 2010 | |||
| Updated Security Considerations for the | Updated Security Considerations for the | |||
| MD5 Message-Digest and the HMAC-MD5 Algorithms | MD5 Message-Digest and the HMAC-MD5 Algorithms | |||
| draft-turner-md5-seccon-update-02.txt | draft-turner-md5-seccon-update-03.txt | |||
| Abstract | Abstract | |||
| This document updates the security considerations for the MD5 message | This document updates the security considerations for the MD5 message | |||
| digest algorithm. It also updates the security considerations for | digest algorithm. It also updates the security considerations for | |||
| HMAC-MD5. | HMAC-MD5. | |||
| Status of this Memo | Status of this Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on January 12, 2011. | This Internet-Draft will expire on March 23, 2011. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2010 IETF Trust and the persons identified as the | Copyright (c) 2010 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| 1. Introduction | 1. Introduction | |||
| MD5 [MD5] is a message digest algorithm that takes as input a message | MD5 [MD5] is a message digest algorithm that takes as input a message | |||
| of arbitrary length and produces as output a 128-bit "fingerprint" or | of arbitrary length and produces as output a 128-bit "fingerprint" or | |||
| "message digest" of the input. The published attacks against MD5 | "message digest" of the input. The published attacks against MD5 | |||
| show and that it is not prudent to use MD5 when collision resistance | show that it is not prudent to use MD5 when collision resistance is | |||
| is required. This document replaces the security considerations in | required. This document replaces the security considerations in RFC | |||
| RFC 1321 [MD5]. | 1321 [MD5]. | |||
| [HMAC] defined a mechanism for message authentication using | [HMAC] defined a mechanism for message authentication using | |||
| cryptographic hash functions. Any message digest algorithm can be | cryptographic hash functions. Any message digest algorithm can be | |||
| used, but the cryptographic strength of HMAC depends on the | used, but the cryptographic strength of HMAC depends on the | |||
| properties of the underlying hash function. [HMAC-MD5] defined test | properties of the underlying hash function. [HMAC-MD5] defined test | |||
| cases for HMAC-MD5. This document updates the security | cases for HMAC-MD5. This document updates the security | |||
| considerations in [HMAC-MD5]. | considerations in [HMAC-MD5]. | |||
| [HASH-Attack] summarizes the use of hashes in many protocols and | [HASH-Attack] summarizes the use of hashes in many protocols and | |||
| discusses how attacks against a message digest algorithm's one-way | discusses how attacks against a message digest algorithm's one-way | |||
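Review bot: the Introduction's conclusion in this region, "show that it is not prudent to use MD5 when collision resistance is required", is weaker than what Section 2 of the same draft states later ("sufficient reason to eliminate MD5 usage in applications where collision resistance is required" and "MD5 must not be used for digital signatures"); since this document is intended to replace the RFC 1321 security considerations, state the conclusion here with the same strength so a reader who stops after the Introduction does not come away with only "not prudent". The -03 change of "show and that" to "show that" is correct. The sentence "[HMAC-MD5] defined test cases for HMAC-MD5" should also say what this document does to RFC 2202, i.e. that its security considerations are updated, to match the "Updates: 1321, 2202" header.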
| skipping to change at page 3, line 9 ¶ | skipping to change at page 3, line 9 ¶ | |||
| Psuedo-collisions for the compress function of MD5 were first | Psuedo-collisions for the compress function of MD5 were first | |||
| described in 1993 [denBBO1993]. In 1996, [DOB1995] demonstrated a | described in 1993 [denBBO1993]. In 1996, [DOB1995] demonstrated a | |||
| collision pair for the MD5 compression function with a chosen initial | collision pair for the MD5 compression function with a chosen initial | |||
| value. The first paper that demonstrated two collision pairs for | value. The first paper that demonstrated two collision pairs for | |||
| regular MD5 was published in 2004 [WFLY2004]. The detailed attack | regular MD5 was published in 2004 [WFLY2004]. The detailed attack | |||
| techniques for MD5 were published at EUROCRYPT 2005 [WAYU2005]. Since | techniques for MD5 were published at EUROCRYPT 2005 [WAYU2005]. Since | |||
| then, a lot of research results have been published to improve | then, a lot of research results have been published to improve | |||
| collision attacks on MD5. The attacks presented in [KLIM2006] can | collision attacks on MD5. The attacks presented in [KLIM2006] can | |||
| find MD5 collision in about one minute on a standard notebook PC | find MD5 collision in about one minute on a standard notebook PC | |||
| (Intel Pentium, 1.6 GHz.). In [STEV2007], he claim that it takes 10 | (Intel Pentium, 1.6 GHz.). [STEV2007] claims that it takes 10 | |||
| seconds or less on a 2.6Ghz Pentium4 to find collisions. In | seconds or less on a 2.6Ghz Pentium4 to find collisions. In | |||
| [STEV2007][SLdeW2007][SSALMOdeW2009][SLdeW2009], the collision | [STEV2007][SLdeW2007][SSALMOdeW2009][SLdeW2009], the collision | |||
| attacks on MD5 were successfully applied to X.509 certificates. | attacks on MD5 were successfully applied to X.509 certificates. | |||
| Notice that the collision attack on MD5 can also be applied to | Notice that the collision attack on MD5 can also be applied to | |||
| password based challenge-and-response authentication protocols such | password based challenge-and-response authentication protocols such | |||
| as APOP protocol used in post office authentication as presented in | as the APOP option in the Post Office Protocol (POP) used in post | |||
| [LEUR2007]. | office authentication as presented in [LEUR2007]. | |||
| In fact, more delicate attacks on MD5 to improve the speed of finding | In fact, more delicate attacks on MD5 to improve the speed of finding | |||
| collisions have published recently. However, the aforementioned | collisions have been published recently. However, the aforementioned | |||
| results have provided sufficient reason to eliminate MD5 usage in | results have provided sufficient reason to eliminate MD5 usage in | |||
| applications where collision resistance is required such as digital | applications where collision resistance is required such as digital | |||
| signatures. | signatures. | |||
| 2.2. Pre-image and Second Pre-image Resistance | 2.2. Pre-image and Second Pre-image Resistance | |||
| Even though the best result can find a pre-image attack of MD5 faster | Even though the best result can find a pre-image attack of MD5 faster | |||
| than exhaustive search as presented in [SAAO2009], the complexity | than exhaustive search as presented in [SAAO2009], the complexity | |||
| 2^123.4 is still pretty high. | 2^123.4 is still pretty high. | |||
| 2.3. HMAC | 2.3. HMAC | |||
| The cryptanalysis of HMAC-MD5 usually conducted together with NMAC | The cryptanalysis of HMAC-MD5 is usually conducted together with NMAC | |||
| (Nested MAC) since they are closely related. NMAC uses two | (Nested MAC) since they are closely related. NMAC uses two | |||
| independent keys K1 and K2 such that NMAC(K1, K2, M) = H(K1, H(K2, | independent keys K1 and K2 such that NMAC(K1, K2, M) = H(K1, H(K2, | |||
| M), where K1 and K2 are used as secret IVs for hash functions | M), where K1 and K2 are used as secret IVs for hash functions | |||
| H(IV,M). If we re-write HMAC equation using two secret IVs such that | H(IV,M). If we re-write the HMAC equation using two secret IVs such | |||
| IV2 = H(K Xor ipad) and IV1 = H(K Xor opad), then HMAC(K, M) = | that IV2 = H(K Xor ipad) and IV1 = H(K Xor opad), then HMAC(K, M) = | |||
| NMAC(IV1, IV2, M). Here it is very important to notice that IV1 and | NMAC(IV1, IV2, M). Here it is very important to notice that IV1 and | |||
| IV2 are not independently selected. | IV2 are not independently selected. | |||
| The first analysis was explored on NMAC-MD5 using related keys in | The first analysis was explored on NMAC-MD5 using related keys in | |||
| [COYI2006]. The partial key recovery attack cannot be extended to | [COYI2006]. The partial key recovery attack cannot be extended to | |||
| HMAC-MD5, since for HMAC, recovering partial secret IVs can hardly | HMAC-MD5, since for HMAC, recovering partial secret IVs can hardly | |||
| lead to recovering (partial) key K. Another paper presented at Crypto | lead to recovering (partial) key K. Another paper presented at Crypto | |||
| 2007 [FLN2007] extended results of [COYI2006] to a full key recovery | 2007 [FLN2007] extended results of [COYI2006] to a full key recovery | |||
| attack on NMAC-MD5. Since it also uses related key attack, it does | attack on NMAC-MD5. Since it also uses related key attack, it does | |||
| not seem applicable to HMAC-MD5. | not seem applicable to HMAC-MD5. | |||
| A EUROCRYPT 2009 paper presented a distinguishing attack on HMAC-MD5 | A EUROCRYPT 2009 paper presented a distinguishing attack on HMAC-MD5 | |||
| [WYWZZ2009] without using related keys. It can distinguish an | [WYWZZ2009] without using related keys. It can distinguish an | |||
| instantiation of HMAC with MD5 from an instantiation with a random | instantiation of HMAC with MD5 from an instantiation with a random | |||
| function with 2^97 queries with probability 0.87. This is called | function with 2^97 queries with probability 0.87. This is called | |||
| distinguishing-H. Using the distinguishing attack, it can recover | distinguishing-H. Using the distinguishing attack, it can recover | |||
| some bits of the intermediate status of the second block. However, as | some bits of the intermediate status of the second block. However, as | |||
| it is pointed in [WYWZZ2009], it cannot be used to recover the | it is pointed out in [WYWZZ2009], it cannot be used to recover the | |||
| (partial) inner key H(K Xor ipad). It is not obvious how the attack | (partial) inner key H(K Xor ipad). It is not obvious how the attack | |||
| can be used to form a forgery attack either. | can be used to form a forgery attack either. | |||
| The attacks on HMAC-MD5 do not seem to indicate a practical | The attacks on HMAC-MD5 do not seem to indicate a practical | |||
| vulnerability when used as a message authentication code. Considering | vulnerability when used as a message authentication code. Considering | |||
| that the distinguishing-H attack is different from distinguishing-R | that the distinguishing-H attack is different from a distinguishing-R | |||
| attack, which distinguishes an HMAC from a random function, the | attack, which distinguishes an HMAC from a random function, the | |||
| practical impact on HMAC usage as a PRF such as in a key derivation | practical impact on HMAC usage as a PRF such as in a key derivation | |||
| function is not well understood. | function is not well understood. | |||
| Therefore, it may not be urgent to remove HMAC-MD5 from the existing | Therefore, it may not be urgent to remove HMAC-MD5 from the existing | |||
| protocols. However, since MD5 must not be used for digital | protocols. However, since MD5 must not be used for digital | |||
| signatures, for a new protocol design, a ciphersuite with HMAC-MD5 | signatures, for a new protocol design, a ciphersuite with HMAC-MD5 | |||
| should not be included. Options include HMAC-SHA256 [HMAC][HMAC- | should not be included. Options include HMAC-SHA256 [HMAC][HMAC- | |||
| SHA256] and [AES-CMAC] when AES is more readily available than a hash | SHA256] and [AES-CMAC] when AES is more readily available than a hash | |||
| function. | function. | |||
| 3. IANA Considerations | 3. IANA Considerations | |||
| None. | None. | |||
| 4. Acknowledgements | 4. Acknowledgements | |||
| Obviously, we have to thank all the cryptographers who produced the | Obviously, we have to thank all the cryptographers who produced the | |||
| results we refer to in this document. We'd also like to thank Martin | results we refer to in this document. We'd also like to thank Alfred | |||
| Rex and Benne de Weger for their comments. | Hoenes, Martin Rex, and Benne de Weger for their comments. | |||
| 5. Normative References | 5. Normative References | |||
| [AES-CMAC] Song, J., Poovendran, R., Lee., J., and T. Iwata, | [AES-CMAC] Song, J., Poovendran, R., Lee., J., and T. Iwata, | |||
| "The AES-CMAC Algorithm", RFC 4493, June 2006. | "The AES-CMAC Algorithm", RFC 4493, June 2006. | |||
| [COYI2006] S. Contini, Y.L. Yin. Forgery and partial key- | [COYI2006] S. Contini, Y.L. Yin. Forgery and partial key- | |||
| recovery attacks on HMAC and NMAC using hash | recovery attacks on HMAC and NMAC using hash | |||
| collisions. ASIACRYPT 2006. LNCS 4284, Springer, | collisions. ASIACRYPT 2006. LNCS 4284, Springer, | |||
| 2006. | 2006. | |||
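Review bot: the NMAC definition in Section 2.3 has unbalanced parentheses, "NMAC(K1, K2, M) = H(K1, H(K2, M)", and should read NMAC(K1, K2, M) = H(K1, H(K2, M)); the same paragraph overloads H, using H(IV, M) for the keyed-IV hash and H(K Xor ipad) for the value that seeds the inner hash, so say explicitly that IV2 = H(K Xor ipad) and IV1 = H(K Xor opad) denote the chaining values produced by running the compression function over the one-block padded key with the standard IV, otherwise the rewrite HMAC(K, M) = NMAC(IV1, IV2, M) is not well defined. Several smaller problems in this region are not fixed by -03: "Psuedo-collisions" and "compress function" in 2.1 (the next sentence says "compression function"); "In 1996, [DOB1995]" pairs a 1996 date with a 1995 citation key, so one of the two is wrong; "find MD5 collision" should be "find an MD5 collision", "(Intel Pentium, 1.6 GHz.)" has a stray period, and "2.6Ghz Pentium4" should be "2.6 GHz Pentium 4"; "more delicate attacks" presumably means more refined attacks; in 2.2, "can find a pre-image attack of MD5" should be "can find a pre-image of MD5", "pretty high" is informal for a document that replaces the RFC 1321 security considerations, and the section title promises second pre-image resistance but the text says nothing about it and draws no conclusion on whether MD5 remains acceptable where only pre-image resistance is needed; in 2.3, "intermediate status of the second block" should be "intermediate state". The closing paragraph's justification, "since MD5 must not be used for digital signatures, for a new protocol design, a ciphersuite with HMAC-MD5 should not be included", does not follow from the two preceding paragraphs, which say the known attacks do not indicate a practical vulnerability for HMAC-MD5 as a MAC; the argument that actually supports the recommendation is the one already given, that the impact on HMAC-MD5 used as a PRF is not well understood, together with the general point that a new design should not build on a hash whose collision resistance is broken, so cite those instead. In the references, "Lee., J." has a stray period.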
| End of changes. 12 change blocks. | ||||
| 17 lines changed or deleted | 17 lines changed or added | |||