
Re: AH-MD5




"Theodore Ts'o" says:
> You will recall that MD5 was designed and pushed out the door not
> because the author could prove any weaknesses about MD4 --- as far as
> he knew there have been no attacks on MD4 ---

Other than the ones by Bert den Boer, Antoon Bosselaers, Ralph Merkle,
and Eli Biham, all of whom broke two out of three rounds? I'll point
out that they used different techniques, adding insult to injury!
If you insist, I'll post references.

> but because he felt "uncomfortable" with some of the design
> decisions that had been made, and so he added some complexity to
> MD5, even though this came at the cost of slowing it down.

This is untrue, Ted. There ARE partial attacks against MD4 that cannot
be performed against MD5. The decision was not made on a hunch, but
because of solid evidence that MD4 was weak. If the decision had been
made on a hunch, I would not want to use either MD4 or MD5 because I
would have not the slightest trust in the designer's judgement.

If we are to make our decisions on "hunches", then why should we
assume that appending is more secure than embedding the length? How do
we know that appending doesn't somehow reduce our security?

> Those of us who are advocating a similar prepend+data+postpend system
> are making the same sort of argument which led Ron Rivest to design, and
> us to use, MD5 instead of the faster MD4.

Nope. You are following hunches -- hunches that don't have any
justification. He was following about three refereed math papers.

Perry

