
Re: on a more serious note... do we want MD5?



Perry E. Metzger says:
> On a more serious note, as I stated in the security issues section of
> the MD5 draft, there has been some progress of late on the cracking of
> MD5. It's still rudimentary, but it has been made.

I'd say - the reason is similar to why DES-based MAC functions aren't
all that great. Birthday Paradox attacks are very much feasible, when
you have 64 bits (need 2^32), and on the margin today for 128 bits, as
you need 2^64... SHA with its 160 bits would require 2^80, still not
practical...

Besides, what a coincidence - where have I seen that number 80? (:-)

> Given that there are legitimate cryptographic concerns about MD5 itself,
> should we be looking at SHA (mark 2 :-) as the mandatory base transform
> rather than MD5?

I would vote yes for this. Probably nobody today knows exactly how
strong authentication based on hash-functions is...  Probably 2^64
is good enough...  But obviously if attacker needs 2^80 messages,
it's much safer. I'd go with SHA [besides, its designers will
be pleased :-].
--
Regards,
Uri         uri@watson.ibm.com      N2RIU
===========
<Disclamer>
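
The 2^(n/2) birthday bound cited in the reply above can be measured directly at small sizes. This is an added example, not part of the original message: it truncates SHA-256 to n bits as a stand-in n-bit hash (an assumption made so the search finishes in seconds), and the function names and sample messages are constructed for illustration.

```python
import hashlib
import math

def truncated_digest(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(message): a stand-in for an n-bit hash."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct counter messages until two share a truncated digest.

    Returns (first_message, second_message, hashes_computed).
    """
    seen = {}  # digest -> message that produced it
    counter = 0
    while True:
        msg = b"constructed-sample-%d" % counter
        digest = truncated_digest(msg, bits)
        counter += 1
        if digest in seen:
            return seen[digest], msg, counter
        seen[digest] = msg

def birthday_exponent(bits: int) -> int:
    """Exponent k such that about 2^k hashes give a collision for n = bits."""
    return bits // 2

def expected_hashes(bits: int) -> float:
    """Mean hashes to the first collision: sqrt(pi/2) * 2^(n/2)."""
    return math.sqrt(math.pi / 2) * 2 ** (bits / 2)

if __name__ == "__main__":
    # Measured cost at sizes small enough to run, next to the prediction.
    for bits in (16, 20, 24, 28):
        a, b, n = find_collision(bits)
        print(f"{bits:3d}-bit: collision after {n} hashes "
              f"(predicted ~{expected_hashes(bits):.0f})")
    # The sizes discussed in the thread, by the same rule.
    for name, bits in (("DES-based MAC", 64), ("MD5", 128), ("SHA", 160)):
        print(f"{name:14s} {bits:3d} bits -> about 2^{birthday_exponent(bits)}")
```

The measured counts track sqrt(pi/2) * 2^(n/2), so each extra output bit adds only half a bit of collision resistance.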


