Re: Use of Keyed MD5

Hugo:

Jim Galvin has not written the RFC yet, but Burt Kaliski from RSA Data Security 
has volunteered to help Jim with the document.

That is the only new news that I am aware of....

Russ

______________________________ Reply Separator _________________________________
Subject: Use of Keyed MD5
Author:  hugo@watson.ibm.com at internet
Date:    01/25/95 11:29


Ref:  Your note of Wed, 25 Jan 1995 09:06:40 -0500 (attached)


 > Sender: rja@bodhi.itd.nrl.navy.mil 
 >
 > Folks,
 >
 >   It is NOT accurate to state that a "vulnerability" was discussed
 > by the Security Directorate.  I mentioned that Russ Housley had sent
 > me an email expressing concern about the use of MD5, nothing more.
 > To my knowledge (and I have mostly been in the loop), there is no
 > known vulnerability.  It is true that MD5 was designed as a message 
 > digest function and not for cryptographic authentication in the
 > manner becoming commonplace within the IETF.  I believe that an 
 > Informational RFC on the use of keyed MD5 for authentication is 
 > a good idea and I think one is likely to appear.

Ran, I was just citing the published (by Jeff Schiller) minutes of the 
SAAG meeting (I was not there personally). They read:

  Ran Atkinson reported on a vulnerability in using keyed MD5 that had 
  been brought to his attention.  Since several protocols are 
  considering using keyed MD5 -- SNMPv2 already does -- Jim Galvin 
  volunteered to document the issues in an informational RFC.

I thought that we have the right to know the status of that issue.

Hugo