< draft-turner-md4-to-historic-10.txt   draft-turner-md4-to-historic-11.txt >
Network Working Group S. Turner Network Working Group S. Turner
Internet-Draft IECA Internet-Draft IECA
Obsoletes: 1320 (once approved) L. Chen Obsoletes: 1320 (once approved) L. Chen
Intended Status: Informational NIST Intended Status: Informational NIST
Expires: June 29, 2011 December 29, 2010 Expires: July 6, 2011 January 6, 2011
MD4 to Historic Status MD4 to Historic Status
draft-turner-md4-to-historic-10.txt draft-turner-md4-to-historic-11.txt
Abstract Abstract
This document recommends the retirement of MD4 and discusses the This document retires RFC 1320, which documents the MD4 algorithm,
reasons for doing so. This document recommends RFC 1320 be moved to and discusses the reasons for doing so. This document moves RFC 1320
Historic status. to Historic status.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
skipping to change at page 2, line 5 skipping to change at page 1, line 50
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Internet-Draft MD4 to Historic 2010-12-29
1. Introduction 1. Introduction
Internet-Draft MD4 to Historic 2011-01-06
MD4 [MD4] is a message digest algorithm that takes as input a message MD4 [MD4] is a message digest algorithm that takes as input a message
of arbitrary length and produces as output a 128-bit "fingerprint" or of arbitrary length and produces as output a 128-bit "fingerprint" or
"message digest" of the input. This document recommends that MD4 be "message digest" of the input. This document retires [MD4].
retired. Specifically, this document recommends RFC 1320 [MD4] be Specifically, this document moves RFC 1320 [MD4] to Historic status.
moved to Historic status. The reasons for taking this action are The reasons for taking this action are discussed.
discussed.
[HASH-Attack] summarizes the use of hashes in many protocols and [HASH-Attack] summarizes the use of hashes in many protocols and
discusses how attacks against a message digest algorithm's one-way discusses how attacks against a message digest algorithm's one-way
and collision-free properties affect and do not affect Internet and collision-free properties affect and do not affect Internet
protocols. Familiarity with [HASH-Attack] is assumed. protocols. Familiarity with [HASH-Attack] is assumed.
2. Rationale 2. Rationale
MD4 was published in 1992 as an Informational RFC. Since its MD4 was published in 1992 as an Informational RFC. Since its
publication, MD4 has been under attack [denBORBOS1992] [DOBB1995] publication, MD4 has been under attack [denBORBOS1992] [DOBB1995]
skipping to change at page 3, line 5 skipping to change at page 2, line 52
o [RFC1629] Guidelines for OSI NSAP Allocation in the Internet. o [RFC1629] Guidelines for OSI NSAP Allocation in the Internet.
Proposed Standard (PS): Proposed Standard (PS):
o [RFC3961] Encryption and Checksum Specifications for Kerberos 5. o [RFC3961] Encryption and Checksum Specifications for Kerberos 5.
Best Current Practice (BCP): Best Current Practice (BCP):
o [RFC4086] Randomness Requirements for Security. o [RFC4086] Randomness Requirements for Security.
Internet-Draft MD4 to Historic 2010-12-29
Informational: Informational:
Internet-Draft MD4 to Historic 2011-01-06
o [RFC1760] The S/KEY One-Time Password System. o [RFC1760] The S/KEY One-Time Password System.
o [RFC1983] Internet Users' Glossary. o [RFC1983] Internet Users' Glossary.
o [RFC2433] Microsoft PPP CHAP Extensions. o [RFC2433] Microsoft PPP CHAP Extensions.
o [RFC2759] Microsoft PPP CHAP Extensions, Version 2. o [RFC2759] Microsoft PPP CHAP Extensions, Version 2.
o [RFC3174] US Secure Hash Algorithm 1 (SHA1). o [RFC3174] US Secure Hash Algorithm 1 (SHA1).
skipping to change at page 3, line 35 skipping to change at page 3, line 33
Historic or Obsoleted. References and discussions about these RFCs Historic or Obsoleted. References and discussions about these RFCs
are omitted. The notable exceptions are: are omitted. The notable exceptions are:
o [RFC2313] PKCS #1: RSA Encryption Version 1.5. o [RFC2313] PKCS #1: RSA Encryption Version 1.5.
o [RFC2437] PKCS #1: RSA Cryptography Specifications Version 2.0. o [RFC2437] PKCS #1: RSA Cryptography Specifications Version 2.0.
o [RFC3447] Public-Key Cryptography Standards (PKCS) #1: RSA o [RFC3447] Public-Key Cryptography Standards (PKCS) #1: RSA
Cryptography Specifications Version 2.1. Cryptography Specifications Version 2.1.
4. Impact on Moving MD4 to Historic 4. Impact of Moving MD4 to Historic
The impact of moving MD4 to Historic is minimal with the one The impact of moving MD4 to Historic is minimal with the one
exception of Microsoft's use of MD4 as part of RC4-HMAC in Windows, exception of Microsoft's use of MD4 as part of RC4-HMAC in Windows,
the as described below. as described below.
Regarding DS, PS, and BCP RFCs: Regarding DS, PS, and BCP RFCs:
o The initial One-Time Password systems, based on [RFC2289], have o The initial One-Time Password systems, based on [RFC2289], have
ostensibly been replaced by HMAC based mechanism, as specified in ostensibly been replaced by HMAC based mechanism, as specified in
HOTP: An HMAC-Based One-Time Password Algorithm [RFC4226]. HOTP: An HMAC-Based One-Time Password Algorithm [RFC4226].
[RFC4226] suggests following recommendations in [RFC4086] for [RFC4226] suggests following recommendations in [RFC4086] for
random input, and in [RFC4086] weaknesses of MD4 are discussed. random input, and in [RFC4086] weaknesses of MD4 are discussed.
o MD4 was used in the Inter-Domain Routing Protocol (IDRP); each IDRP o MD4 was used in the Inter-Domain Routing Protocol (IDRP); each IDRP
message carries a 16-octet hash that is computed by applying the message carries a 16-octet hash that is computed by applying the
MD-4 algorithm (RFC 1320) to the context of the message itself. MD-4 algorithm (RFC 1320) to the context of the message itself.
Over time IDRP was replaced by BGP-4. Over time IDRP was replaced by BGP-4 [RFC4271], which required at
least [MD5].
o Kerberos Version 5 [RFC3961] specifies the use of MD4 for DES o Kerberos Version 5 [RFC3961] specifies the use of MD4 for DES
encryption types and checksum types. They were specified, never
Internet-Draft MD4 to Historic 2010-12-29 Internet-Draft MD4 to Historic 2011-01-06
encryption types and checksum types. They were specified, never
really used, and are in the process of being deprecated by [I- really used, and are in the process of being deprecated by [I-
D.des-die-die-die]. Further, the mandatory-to-implement encrypted D.des-die-die-die]. Further, the mandatory-to-implement encrypted
types and checksum types specified by Kerberos are based on AES-256 types and checksum types specified by Kerberos are based on AES-256
and HMAC-SHA1 [RFC3962]. and HMAC-SHA1 [RFC3962].
Regarding Informational RFCs: Regarding Informational RFCs:
o PKCS#1 v1.5 [RFC2313] indicated that there was no reason to not use o PKCS#1 v1.5 [RFC2313] indicated that there was no reason to not use
MD4. PKCS#1 v2.0 [RFC2437] and v2.1 [RFC3447] recommend against MD4 MD4. PKCS#1 v2.0 [RFC2437] and v2.1 [RFC3447] recommend against MD4
due to cryptoanalytic progess having uncovered weaknesses in the due to cryptoanalytic progess having uncovered weaknesses in the
skipping to change at page 4, line 38 skipping to change at page 4, line 37
So S/Key was replaced by OTP, at least in theory. Additonally, the So S/Key was replaced by OTP, at least in theory. Additonally, the
S/Key implementations in the wild have started to use MD5 in lieu S/Key implementations in the wild have started to use MD5 in lieu
of MD4. of MD4.
o The CAdES document [RFC5126] lists MD4 as hash algorithm, o The CAdES document [RFC5126] lists MD4 as hash algorithm,
disparages it, and then does not mention it again. disparages it, and then does not mention it again.
o The SHA-1 document [RFC3174] mentions MD4 in the acknowledgements o The SHA-1 document [RFC3174] mentions MD4 in the acknowledgements
section. section.
o The three Microsoft RFCs, [RFC2433], [RFC2759], and [RFC4757], are o The three RFCs describing Microsoft protocols, [RFC2433],
very widely deployed, MS-CHAP v1, MS-CHAP v2, and RC4-HMAC, [RFC2759], and [RFC4757], are very widely deployed, MS-CHAP v1, MS-
respectively. CHAP v2, and RC4-HMAC, respectively.
o MS-CHAP Version 1 is supported in Microsoft's Windows XP, 2000, o MS-CHAP Version 1 is supported in Microsoft's Windows XP, 2000,
98, 95, NT 4.0, NT 3.51, NT 3.5, but support has been dropped in 98, 95, NT 4.0, NT 3.51, NT 3.5, but support has been dropped in
Vista. MS-CHAP Version 2 is supported in Microsoft's Windows 7, Vista. MS-CHAP Version 2 is supported in Microsoft's Windows 7,
Vista, XP, 2000, 98, 95, and NT 4.0. Both versions of MS-CHAP Vista, XP, 2000, 98, 95, and NT 4.0. Both versions of MS-CHAP
are also supported by RADIUS [RFC2548], and EAP [RFC5281]. In are also supported by RADIUS [RFC2548], and EAP [RFC5281]. In
2007, [RFC4962] listed MS-CHAP v1 and v2 as flawed and 2007, [RFC4962] listed MS-CHAP v1 and v2 as flawed and
recommended against their use; these incidents were presented as recommended against their use; these incidents were presented as
a strong indication for the necessity of built-in crypto- a strong indication for the necessity of built-in crypto-
algorithm agility in AAA protocols. algorithm agility in AAA protocols.
o The RC4-HMAC is supported in Microsoft's Windows 2000 and later o The RC4-HMAC is supported in Microsoft's Windows 2000 and later
versions of Windows for backwards compatibility with Windows versions of Windows for backwards compatibility with Windows
2000. As [RFC4757] stated, RC4-HMAC doesn't rely on the 2000. As [RFC4757] stated, RC4-HMAC doesn't rely on the
collision resistance property of MD4, but uses it to generate a
Internet-Draft MD4 to Historic 2010-12-29 Internet-Draft MD4 to Historic 2011-01-06
collision resistance property of MD4, but uses it to generate a
key from a password, which is then used as input to HMAC-MD5. key from a password, which is then used as input to HMAC-MD5.
For an attacker to recover the password from RC4-HMAC, the For an attacker to recover the password from RC4-HMAC, the
attacker first needs to recover the key that is used with HMAC- attacker first needs to recover the key that is used with HMAC-
MD5. As noted in [ID.turner-md5-seccon-update], key recovery MD5. As noted in [ID.turner-md5-seccon-update], key recovery
attacks on HMAC-MD5 are not yet practical. attacks on HMAC-MD5 are not yet practical.
5. Other Considerations 5. Other Considerations
rsync [RSYNC], a non-IETF protocol, once specified the use of MD4, rsync [RSYNC], a non-IETF protocol, once specified the use of MD4,
but as of version 3.0.0 published in 2008 it has adopted MD5 [MD5]. but as of version 3.0.0 published in 2008 it has adopted MD5 [MD5].
skipping to change at page 6, line 4 skipping to change at page 5, line 54
image attacks on MD4 are practical. It cannot be used as a one-way image attacks on MD4 are practical. It cannot be used as a one-way
function. For example, it must not be used to hash a cryptographic function. For example, it must not be used to hash a cryptographic
key of 80 bits or longer. key of 80 bits or longer.
6.3. HMAC 6.3. HMAC
The attacks on Hash-based Message Authentication Code (HMAC) The attacks on Hash-based Message Authentication Code (HMAC)
algorithms [RFC2104] presented so far can be classified in three algorithms [RFC2104] presented so far can be classified in three
types: distinguishing attacks, existential forgery attacks, and key types: distinguishing attacks, existential forgery attacks, and key
recovery attacks. Of course, among all these attacks, key recovery recovery attacks. Of course, among all these attacks, key recovery
Internet-Draft MD4 to Historic 2010-12-29
attacks are the most severe attacks. attacks are the most severe attacks.
Internet-Draft MD4 to Historic 2011-01-06
The best results on key recovery attacks on HMAC-MD4 were published The best results on key recovery attacks on HMAC-MD4 were published
at EUROCRYPT 2008 with 2^72 queries and 2^77 MD4 computations at EUROCRYPT 2008 with 2^72 queries and 2^77 MD4 computations
[WOK2008]. [WOK2008].
7. Recommendation 7. Recommendation
Despite MD4 seeing some deployment on the Internet, this Despite MD4 seeing some deployment on the Internet, this
specification recommends obsoleting MD4 because MD4 is not a specification obsoletes [MD4] because MD4 is not a reasonable
reasonable candidate for further standardization and should be candidate for further standardization and should be deprecated in
deprecated in favor of one or more existing hash algorithms (e.g., favor of one or more existing hash algorithms (e.g., SHA-256 [SHS]).
SHA-256 [SHS]).
RSA Security considers it appropriate to move the MD4 algorithm to RSA Security considers it appropriate to move the MD4 algorithm to
Historic status. Historic status.
It takes a number of years to deploy crypto and it also takes a It takes a number of years to deploy crypto and it also takes a
number of years to withdraw it. Algorithms need to be withdrawn number of years to withdraw it. Algorithms need to be withdrawn
before a catastrophic break is discovered. MD4 is clearly showing before a catastrophic break is discovered. MD4 is clearly showing
signs of weakness and implementations should strongly consider signs of weakness and implementations should strongly consider
removing support and migrating to another hash algorithm. removing support and migrating to another hash algorithm.
skipping to change at page 7, line 5 skipping to change at page 6, line 53
pages 194-203, Springer-Verlag, 1992. pages 194-203, Springer-Verlag, 1992.
[DOBB1995] H. Dobbertin. Alf swindles Ann. CryptoBytes, 1(3): 5, [DOBB1995] H. Dobbertin. Alf swindles Ann. CryptoBytes, 1(3): 5,
1995. 1995.
[DOBB1996] H. Dobbertin. Cryptanalysis of MD4. In Proceedings of the [DOBB1996] H. Dobbertin. Cryptanalysis of MD4. In Proceedings of the
3rd Workshop on Fast Software Encryption, Cambridge, U.K., 3rd Workshop on Fast Software Encryption, Cambridge, U.K.,
pages 53-70, Lecture Notes in Computer Science 1039, pages 53-70, Lecture Notes in Computer Science 1039,
Springer-Verlag, 1996. Springer-Verlag, 1996.
Internet-Draft MD4 to Historic 2010-12-29
[GLRW2010] Guo, J., Ling, S., Rechberger, C., and H. Wang, "Advanced [GLRW2010] Guo, J., Ling, S., Rechberger, C., and H. Wang, "Advanced
Meet-in-the-Middle Preimage Attacks: First Results on Full Meet-in-the-Middle Preimage Attacks: First Results on Full
Internet-Draft MD4 to Historic 2011-01-06
Tiger, and Improved Results on MD4 and SHA-2", Tiger, and Improved Results on MD4 and SHA-2",
http://eprint.iacr.org/2010/016.pdf. http://eprint.iacr.org/2010/016.pdf.
[HASH-Attack] Hoffman, P., and B. Schneier, "Attacks on Cryptographic [HASH-Attack] Hoffman, P., and B. Schneier, "Attacks on Cryptographic
Hashes in Internet Protocols", RFC 4270, November 2005. Hashes in Internet Protocols", RFC 4270, November 2005.
[LUER2008] G. Leurent. MD4 is Not One-Way. Fast Software Encryption [LUER2008] G. Leurent. MD4 is Not One-Way. Fast Software Encryption
2008, Lausanne, Switzerland, February 10-13, 2008, LNCS 2008, Lausanne, Switzerland, February 10-13, 2008, LNCS
5086. Springer, 2008. 5086. Springer, 2008.
skipping to change at page 8, line 5 skipping to change at page 7, line 53
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, February Hashing for Message Authentication", RFC 2104, February
1997. 1997.
[RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", RFC
2433, October 1998. 2433, October 1998.
[RFC2437] Kaliski, B., and J. Staddon, "PKCS #1: RSA Cryptography [RFC2437] Kaliski, B., and J. Staddon, "PKCS #1: RSA Cryptography
Specifications Version 2.0", RFC 2437, October 1998. Specifications Version 2.0", RFC 2437, October 1998.
Internet-Draft MD4 to Historic 2010-12-29
[RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
RFC 2548, March 1998. RFC 2548, March 1998.
Internet-Draft MD4 to Historic 2011-01-06
[RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC
2759, January 2000. 2759, January 2000.
[RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 [RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1
(SHA1)", RFC 3174, September 2001. (SHA1)", RFC 3174, September 2001.
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
Standards (PKCS) #1: RSA Cryptography Specifications Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1" RFC 3447, February 2003. Version 2.1" RFC 3447, February 2003.
skipping to change at page 8, line 34 skipping to change at page 8, line 31
for Kerberos 5", RFC 3962, February 2005. for Kerberos 5", RFC 3962, February 2005.
[RFC4086] R Eastlake, D., 3rd, Schiller, J., and S. Crocker, [RFC4086] R Eastlake, D., 3rd, Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106, RFC 4086, "Randomness Requirements for Security", BCP 106, RFC 4086,
June 2005. June 2005.
[RFC4226] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E. [RFC4226] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and E.
Nordmark, "Mobile IP Version 6 Route Optimization Security Nordmark, "Mobile IP Version 6 Route Optimization Security
Design Background", RFC 4226, December 2005. Design Background", RFC 4226, December 2005.
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
Protocol 4 (BGP-4)", RFC 4271, January 2006.
[RFC4757] Jaganathan, K., Zhu, L., and J. Brezak, "The RC4-HMAC [RFC4757] Jaganathan, K., Zhu, L., and J. Brezak, "The RC4-HMAC
Kerberos Encryption Types Used by Microsoft Windows," RFC Kerberos Encryption Types Used by Microsoft Windows," RFC
4757, December 2006. 4757, December 2006.
[RFC4962] Housley, R., and Aboba, B., "Guidance for Authentication, [RFC4962] Housley, R., and Aboba, B., "Guidance for Authentication,
Authorization, and Accounting (AAA) Key Management", RFC Authorization, and Accounting (AAA) Key Management", RFC
4962, July 2007. 4962, July 2007.
[RFC5126] Pinkas, D., Pope, N., and J. Ross, "CMS Advanced Electronic [RFC5126] Pinkas, D., Pope, N., and J. Ross, "CMS Advanced Electronic
Signatures (CAdES)", RFC 5126, February 2008. Signatures (CAdES)", RFC 5126, February 2008.
skipping to change at page 9, line 5 skipping to change at page 9, line 5
Protocol Tunneled Transport Layer Security Authenticated Protocol Tunneled Transport Layer Security Authenticated
Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008. Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008.
[ID.turner-md5-seccon-update] Turner, S., and L. Chen, "Updated [ID.turner-md5-seccon-update] Turner, S., and L. Chen, "Updated
Security Considerations for the MD5 Message-Digest and the Security Considerations for the MD5 Message-Digest and the
HMAC-MD5 Algorithms," draft-turner-md5-seccon-update, work- HMAC-MD5 Algorithms," draft-turner-md5-seccon-update, work-
in-progress. in-progress.
[RSA-AdviceOnMD4] Robshaw, M.J.B., "On Recent Results for MD2, MD4 [RSA-AdviceOnMD4] Robshaw, M.J.B., "On Recent Results for MD2, MD4
Internet-Draft MD4 to Historic 2010-12-29 Internet-Draft MD4 to Historic 2011-01-06
and MD5", November 1996, and MD5", November 1996,
ftp://ftp.rsasecurity.com/pub/pdfs/bulletn4.pdf ftp://ftp.rsasecurity.com/pub/pdfs/bulletn4.pdf
[RSYNC] http://www.samba.org/rsync/ [RSYNC] http://www.samba.org/rsync/
[SHS] National Institute of Standards and Technology (NIST), FIPS [SHS] National Institute of Standards and Technology (NIST), FIPS
Publication 180-3: Secure Hash Standard, October 2008. Publication 180-3: Secure Hash Standard, October 2008.
[SP800-57] National Institute of Standards and Technology (NIST), [SP800-57] National Institute of Standards and Technology (NIST),
 End of changes. 27 change blocks. 
35 lines changed or deleted 36 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/