
Re: AH-MD5




Phil Karn says:
> >SHA (and for that matter Skipjack) were designed to meet a stated
> >a priori requirement of 80 bits of strength.  That number seems reasonable
> 
> On the other hand, SHA was designed by NSA. And NSA cannot be unaware
> of the ease of using crypto hash functions for encryption.  This makes
> me as skeptical of SHA as I am of Skipjack and DSS.
> 
> I'd stick to MD5 for now, with a door open for other algorithms of
> course. After SHA has undergone a thorough and open civilian review,
> we can revisit the issue.

I'm actually much less suspicious of SHA than I am of MD5; there are
already some crude attacks on MD5 but none known against SHA. (There
are, for example, ways to induce collisions in the MD5 compression
function that don't in practice cause harm but are disturbing. Also,
there is the Oorschot and Wiener machine, which isn't yet practical
but is still in the realm of possibility but is even less practical an
attack on SHA...)

The best argument I've seen against SHA is the performance problems it
induces. A factor of two is *not* ignorable.

Perry


