
Re: AH-MD5



	 And on another serious note, I again raise the question: should we
	 adopt MD5, or SHA, or something else?

If we're shooting for the long run, we need SHA.

SHA (and for that matter Skipjack) were designed to meet a stated
a priori requirement of 80 bits of strength.  That number seems reasonable
to me, given the historic hardware speed-doubling time.  There's already
been progress at brute-force cracking of MD5; see the paper by Wiener
and someone else at the November '94 Fairfax conference.  For that
matter, we can say that MD5's 64 bits of strength (against a birthday
attack) should be vulnerable 12 years after DES is vulnerable, purely
based on exhaustive search time considerations.  And we know that that's
economically feasible now.

(On the other hand, one could argue that there's no point in our
authentication function being much stronger than our cryptosystem...)


		--Steve Bellovin
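
The birthday-bound reasoning in the message above, as an added example that is not part of the original post: it finds collisions on MD5 truncated to n bits and shows the work tracking 2^(n/2), the rule that gives 64 bits for a 128-bit digest and 80 bits for a 160-bit one. Assumptions: the counter messages are constructed sample input, the digest is truncated only so the search finishes quickly, and the 1.5-year doubling time is inferred from the message's 12-year figure and DES's 56-bit key.

```python
import hashlib
from itertools import count


def truncated_md5(msg: bytes, bits: int) -> int:
    """Return the top `bits` bits of MD5(msg) as an integer."""
    full = int.from_bytes(hashlib.md5(msg).digest(), "big")
    return full >> (128 - bits)


def birthday_collision(bits: int, prefix: bytes = b"constructed-sample-"):
    """Hash counter messages until two share a truncated digest.

    Returns (msg_a, msg_b, hashes_computed).
    """
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        tag = truncated_md5(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


def birthday_strength(digest_bits: int) -> int:
    """Collision resistance in bits for an ideal hash of this width."""
    return digest_bits // 2


def years_behind(strength_bits: int, reference_bits: int,
                 doubling_years: float) -> float:
    """Years until a search 2^(difference) times larger costs the same,
    if hardware speed doubles every `doubling_years` (assumed value)."""
    return (strength_bits - reference_bits) * doubling_years


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = birthday_collision(bits)
        print(f"{bits}-bit digest: collision after {n} hashes "
              f"(2^{bits // 2} = {2 ** (bits // 2)}): {a!r} / {b!r}")
    print("MD5 birthday strength:", birthday_strength(128), "bits")
    print("SHA birthday strength:", birthday_strength(160), "bits")
    # 56 = DES key size; 1.5 years per doubling is the inferred assumption.
    print("MD5 lag behind DES:", years_behind(64, 56, 1.5), "years")
```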

