Re: on a more serious note... do we want MD5?
Perry E. Metzger says:
> On a more serious note, as I stated in the security issues section of
> the MD5 draft, there has been some progress of late on the cracking of
> MD5. It's still rudimentary, but it has been made.
I'd say - the reason is similar to why DES-based MAC functions aren't
all that great. Birthday Paradox attacks are very much feasible, when
you have 64 bits (need 2^32), and on the margin today for 128 bits, as
you need 2^64... SHA with its 160 bits would require 2^80, still not
practical...
Besides, what a coincidence - where have I seen that number 80? (:-)
> Given that there are legitimate cryptographic concerns about MD5 itself,
> should we be looking at SHA (mark 2 :-) as the mandatory base transform
> rather than MD5?
I would vote yes for this. Probably nobody today knows exactly how
strong authentication based on hash-functions is... Probably 2^64
is good enough... But obviously if attacker needs 2^80 messages,
it's much safer. I'd go with SHA [besides, its designers will
be pleased :-].
--
Regards,
Uri uri@watson.ibm.com N2RIU
===========
<Disclamer>
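
The birthday figures quoted in the message (2^32 for 64 bits, 2^64 for 128 bits, 2^80 for 160 bits) can be checked empirically at small sizes. The following is an added example, not part of the original message: it assumes SHA-256 truncated to n bits behaves like an ideal n-bit hash, and the function names are hypothetical.

```python
import hashlib
import math


def truncated_digest(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for an ideal n-bit hash (assumption)."""
    full = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, prefix: bytes):
    """Hash distinct messages until two share a truncated digest.

    Returns (first_message, second_message, number_of_messages_hashed).
    """
    seen = {}
    trials = 0
    while True:
        msg = prefix + str(trials).encode()  # distinct message per trial
        trials += 1
        tag = truncated_digest(msg, bits)
        if tag in seen:
            return seen[tag], msg, trials
        seen[tag] = msg


def mean_trials(bits: int, runs: int = 20) -> float:
    """Average work to the first collision over several independent searches."""
    total = sum(find_collision(bits, b"run%d-" % r)[2] for r in range(runs))
    return total / runs


def expected_trials(bits: int) -> float:
    """Birthday estimate for an ideal hash: sqrt(pi/2 * 2^bits), about 1.25 * 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    # Sizes small enough to search exhaustively on a laptop.
    for bits in (16, 20, 24):
        print(f"{bits:3d} bits: measured {mean_trials(bits):9.0f}, "
              f"estimate {expected_trials(bits):9.0f}")
    # Output lengths discussed in the message: estimate only, no search.
    for bits in (64, 128, 160):
        print(f"{bits:3d} bits: about 2^{bits // 2} messages")
```

Each extra output bit multiplies the collision work by sqrt(2), which is why moving from 128 to 160 bits raises the estimate from 2^64 to 2^80.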