rfcdiff of draft-turner-md5-seccon-update-06.txt (left column, -06) against draft-turner-md5-seccon-update-07.txt (right column, -07). Lines that differ between the two drafts are given as a -06/-07 pair; everything else is common to both.

Network Working Group                                          S. Turner
Internet Draft                                                      IECA
Updates: 1321, 2104 (once approved)                              L. Chen
Intended Status: Informational                                      NIST
-06: Expires: April 25, 2011                            October 25, 2010
-07: Expires: May 8, 2011                               November 8, 2010

                 Updated Security Considerations for the
             MD5 Message-Digest and the HMAC-MD5 Algorithms
-06:             draft-turner-md5-seccon-update-06.txt
-07:             draft-turner-md5-seccon-update-07.txt
Abstract

   This document updates the security considerations for the MD5 message
   digest algorithm. It also updates the security considerations for
   HMAC-MD5.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the

skipping to change at page 1, line 41

   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

-06: This Internet-Draft will expire on April 25, 2011.
-07: This Internet-Draft will expire on May 8, 2011.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
skipping to change at page 2, line 40

   [HASH-Attack] summarizes the use of hashes in many protocols and
   discusses how attacks against a message digest algorithm's one-way
   and collision-free properties affect and do not affect Internet
   protocols. Familiarity with [HASH-Attack] is assumed.

2. Security Considerations

   MD5 was published in 1992 as an Informational RFC. Since that time,
   MD5 has been studied extensively. What follows are recent attacks
-06: against MD5's collisions, pre-image, and second pre-image resistance.
-07: against MD5's collision, pre-image, and second pre-image resistance.
   Additionally, attacks against MD5 used in message authentication with
   a shared secret (i.e., HMAC-MD5) are discussed.

   Some may find the guidance for key lengths and algorithm strengths in
   [SP800-57] and [SP800-131] useful.

2.1. Collision Resistance

   Pseudo-collisions for the compress function of MD5 were first
   described in 1993 [denBBO1993]. In 1996, [DOB1995] demonstrated a
   collision pair for the MD5 compression function with a chosen initial
   value. The first paper that demonstrated two collision pairs for
-06: regular MD5 was published in 2004 [WFLY2004]. The detailed attack
-07: MD5 was published in 2004 [WFLY2004]. The detailed attack
   techniques for MD5 were published at EUROCRYPT 2005 [WAYU2005]. Since
   then, many research results have been published that improve
   collision attacks on MD5. The attacks presented in [KLIM2006] can
   find MD5 collisions in about one minute on a standard notebook PC
   (Intel Pentium, 1.6 GHz). [STEV2007] claims that it takes 10 seconds
   or less on a 2.6 GHz Pentium 4 to find collisions. In
   [STEV2007][SLdeW2007][SSALMOdeW2009][SLdeW2009], the collision
   attacks on MD5 were successfully applied to X.509 certificates.
   Notice that the collision attack on MD5 can also be applied to
   password-based challenge-and-response authentication protocols such
   as the APOP option in the Post Office Protocol (POP) used in post
   office authentication, as presented in [LEUR2007].

   In fact, more sophisticated attacks on MD5 that further improve the
   speed of finding collisions have been published recently. However,
   the aforementioned
skipping to change at page 3, line 36

   Even though the best known result, presented in [SAAO2009], finds
   pre-images of MD5 faster than exhaustive search, its complexity of
   2^123.4 is still very high.

2.3. HMAC

   The cryptanalysis of HMAC-MD5 is usually conducted together with NMAC
   (Nested MAC) since they are closely related. NMAC uses two
   independent keys K1 and K2 such that NMAC(K1, K2, M) = H(K1, H(K2,
   M)), where K1 and K2 are used as secret IVs for the hash function
   H(IV, M). If we re-write the HMAC equation using two secret IVs such
   that IV2 = H(K Xor ipad) and IV1 = H(K Xor opad), then HMAC(K, M) =
   NMAC(IV1, IV2, M). Here it is very important to notice that IV1 and
   IV2 are not independently selected: both are derived from the single
   HMAC key K.
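The rewriting of HMAC-MD5 as NMAC(IV1, IV2, M), carried through in code as an added worked example (this is not code from the draft or its authors): a from-scratch MD5 whose compression function takes a caller-chosen chaining value, the derivation of IV1 and IV2 from one key K exactly as the draft writes them (one compression of K Xor opad and K Xor ipad respectively), and a cross-check against the standard library's HMAC-MD5 and the RFC 2202 test vectors. The function names and the `already_absorbed` / `key_block_len` length offset are this example's own: the draft's shorthand H(K Xor ipad) glosses over the fact that MD5's padding encodes the total length, so the inner and outer hashes must each account for the 64-byte key block already absorbed into the IV, otherwise the NMAC form does not reproduce real HMAC.

```python
"""HMAC-MD5 written as NMAC(IV1, IV2, M), both IVs derived from a single key K."""
import hashlib
import hmac
import math
import struct

MASK32 = 0xFFFFFFFF
# Standard MD5 initial chaining value (RFC 1321 section 3.3), as four LE words.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Per-step rotation amounts and additive constants K[i] = floor(2^32 * |sin(i+1)|).
ROTATE = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_compress(state, block):
    """MD5 compression function: absorb one 64-byte block into a 4-word state.

    This is the "compress function" the section 2.1 results target; a chosen
    initial value simply means calling it with a state other than MD5_IV.
    """
    assert len(block) == 64
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK32          # & MASK32 also fixes ~ sign
        a, d, c, b = d, c, b, (b + _rotl(f, ROTATE[i])) & MASK32
    return tuple((s + t) & MASK32 for s, t in zip(state, (a, b, c, d)))


def md5_from_iv(iv, data, already_absorbed=0):
    """H(IV, data): MD5 continued from a caller-supplied chaining value.

    already_absorbed = bytes already fed through md5_compress to reach iv.
    MD5 padding encodes the *total* length, so this offset is required for
    the result to line up with a hash that really started from MD5_IV.
    """
    assert already_absorbed % 64 == 0
    total = already_absorbed + len(data)
    padding = b"\x80" + b"\x00" * ((55 - total) % 64) + struct.pack("<Q", total * 8)
    buf = data + padding
    state = iv
    for off in range(0, len(buf), 64):
        state = md5_compress(state, buf[off:off + 64])
    return struct.pack("<4I", *state)


def md5(data):
    """Plain MD5 = H(MD5_IV, data) with nothing absorbed beforehand."""
    return md5_from_iv(MD5_IV, data, 0)


def hmac_ivs(key):
    """Return (IV1, IV2) = (H(K Xor opad), H(K Xor ipad)) as HMAC derives them.

    Each is one compression of the padded key block. Both come from the same
    K, which is the draft's point: unlike NMAC's K1/K2 they are not independent.
    """
    if len(key) > 64:
        key = md5(key)                      # RFC 2104: over-long keys are hashed
    key = key.ljust(64, b"\x00")
    iv2 = md5_compress(MD5_IV, bytes(k ^ 0x36 for k in key))   # inner IV, ipad
    iv1 = md5_compress(MD5_IV, bytes(k ^ 0x5C for k in key))   # outer IV, opad
    return iv1, iv2


def nmac_md5(iv1, iv2, msg, key_block_len=64):
    """NMAC(K1, K2, M) = H(K1, H(K2, M)) with the keys used as chaining values.

    key_block_len is how many bytes each IV already stands for (one 64-byte key
    block in HMAC). Pass 0 for a "pure" NMAC whose IVs absorbed no key block;
    that variant is NOT equal to HMAC because the padded lengths differ.
    """
    inner = md5_from_iv(iv2, msg, key_block_len)
    return md5_from_iv(iv1, inner, key_block_len)


def hmac_md5(key, msg):
    """HMAC-MD5 computed as NMAC(IV1, IV2, M) over the key-derived IVs."""
    iv1, iv2 = hmac_ivs(key)
    return nmac_md5(iv1, iv2, msg)


def matches_stdlib(key, msg):
    """Cross-check the NMAC-form computation against hashlib/hmac."""
    return hmac.compare_digest(hmac_md5(key, msg), hmac.new(key, msg, hashlib.md5).digest())


if __name__ == "__main__":
    print(hmac_md5(b"Jefe", b"what do ya want for nothing?").hex())   # RFC 2202 case 2
    print(matches_stdlib(b"key", b"The quick brown fox jumps over the lazy dog"))
```

`hmac_ivs` is where the draft's caveat becomes concrete: the "keys" of the NMAC view are two outputs of the same compression function on two fixed-XOR variants of one block, so a related-key result on NMAC-MD5 does not translate into control over, or recovery of, K. Setting `key_block_len=0` in `nmac_md5` shows the other thing the shorthand hides: drop the length offset and the value no longer matches HMAC.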
   The first analysis was explored on NMAC-MD5 using related keys in
   [COYI2006]. The partial key recovery attack cannot be extended to
   HMAC-MD5, since for HMAC, recovering partial secret IVs can hardly
   lead to recovering the (partial) key K. Another paper presented at
   Crypto 2007 [FLN2007] extended the results of [COYI2006] to a full
   key recovery attack on NMAC-MD5. Since it also relies on a related-key
   attack, it does not seem applicable to HMAC-MD5.

   A EUROCRYPT 2009 paper presented a distinguishing attack on HMAC-MD5
End of changes. 6 change blocks.
17 lines changed or deleted, 17 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/