
64 vs 80 bit strength



Several messages in the last few days suggested the need for SHA instead of MD5
based on the arguments of 128 vs. 160 bit length (or 64 vs. 80 bit strength),
as well as on recent works (most notably, van Oorschot and Wiener in
Fairfax '94) attacking MD5 with better success than SHA.

These considerations are important for judging these functions as
collision-free (or collision-intractable) hash functions, for which
these functions were designed. However, they are mostly irrelevant
for the use of these functions as keyed authenticators (when
used with a PREpended key) as is the case in IPSP.
In particular, the (straightforward) birthday attack that gives a strength
of 80 bits to SHA and 64 to MD5 is irrelevant.
As authentication functions, the finding of collisions via birthday attacks
is immaterial. The same holds for building the van Oorschot/Wiener machine.

This is not to suggest that, for example, MD5 is better than SHA.
It is just to emphasize that we lack any good analysis of these
functions as keyed-authentication functions, and their quality as
collision-intractable is not the right measure to accept any of them,
or to prefer one to the other. (True, it is the only measure cryptanalysts
have seriously studied).

Hugo
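The following is an added example illustrating the birthday-bound argument above; it is not code from the message or its author. It truncates MD5 to a small number of bits (an assumption made only so the search finishes in seconds; the real functions have 128 and 160 bits), finds a collision with roughly 2^(bits/2) hash evaluations, and then checks the same pair under the prepended-key construction H(key || msg) with a constructed secret key. The collision found offline on the unkeyed function does not carry over to the keyed one, which is the sense in which the collision bound alone does not measure the keyed authenticator.

```python
import hashlib
import math
from typing import Dict, Optional, Tuple


def trunc_md5(data: bytes, bits: int) -> int:
    """MD5 truncated to its leading `bits` bits, returned as an int.

    Truncation is an assumption of this example: it shrinks the birthday
    bound from 2^64 (full MD5) to something a script can reach quickly.
    """
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def expected_birthday_trials(bits: int) -> float:
    """Expected number of random evaluations before the first collision
    on a `bits`-bit function: about sqrt(pi/2 * 2^bits), i.e. ~2^(bits/2).
    For 128 bits this is ~2^64, for 160 bits ~2^80 (the 64 vs. 80 figures)."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def birthday_collision(bits: int, limit: int = 1 << 24) -> Optional[Tuple[bytes, bytes, int]]:
    """Generic birthday search: hash distinct counter messages until a
    truncated digest repeats. Returns (m1, m2, trials) or None if `limit`
    is hit first. No key is involved; the attacker can run this offline."""
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = b"msg-%d" % i  # constructed message family
        h = trunc_md5(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


def keyed_tag(key: bytes, msg: bytes, bits: int) -> int:
    """The prepended-key authenticator discussed in the message: H(key || msg).
    The attacker cannot evaluate this without `key`, so the offline search
    above cannot be aimed at it directly."""
    return trunc_md5(key + msg, bits)


def collision_survives_keying(key: bytes, m1: bytes, m2: bytes, bits: int) -> bool:
    """Does a collision of the unkeyed hash also collide under H(key || .)?
    With the key in front, the two inputs start in different internal states,
    so the unkeyed collision gives no advantage (matches only by chance,
    with probability about 2^-bits)."""
    return keyed_tag(key, m1, bits) == keyed_tag(key, m2, bits)


def run_demo(bits: int = 32) -> dict:
    """Find an unkeyed collision, then test it against the keyed function."""
    found = birthday_collision(bits)
    assert found is not None, "raise `limit` or lower `bits`"
    m1, m2, trials = found
    key = b"secret-key-unknown-to-attacker"  # constructed for the example
    return {
        "bits": bits,
        "trials": trials,
        "expected_trials": round(expected_birthday_trials(bits)),
        "unkeyed_collision": trunc_md5(m1, bits) == trunc_md5(m2, bits),
        "keyed_collision": collision_survives_keying(key, m1, m2, bits),
    }


if __name__ == "__main__":
    for name, value in run_demo(32).items():
        print(f"{name}: {value}")
```

With 32-bit truncation the search takes on the order of 80,000 MD5 calls, far below the 2^32 a preimage-style search would need, while the keyed check on the same pair fails. The example does not show that prepended-key MD5 is a good authenticator, only that collision work and keyed-forgery work are different quantities, which is the point the message makes.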