
Re: WG last call for IPv4 MD5



Late breaking news!

The {key,text,key} hash is the wrong way to go for MD5.

Because of the way that MD5 is designed, MD5 dilutes the effect of the
key over multiple blocks.  (I remember Jim Hughes pointed this out, too.)

According to reports from the PSRG meeting (two weeks ago), Kalisky says
we should first hash the text without a key, then hash the {hash,key}.
This gives the key greater strength in the final hash.

If he had been designing MD5 for keying, he would have added the key in
at each step of the block hashing.

(I got this from Schiller over the phone, so any mistake in reporting is
entirely mine, as this is a third hand report.)

Any objections?

Bill.Simpson@um.cc.umich.edu
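The two keyed-MD5 constructions the post compares, written out as an added example (not code from the post or from the working group). It implements the {key,text,key} "envelope" layout, the hash-then-key layout attributed to Kaliski, and, as a reference point the post does not mention, HMAC-MD5 as later standardised in RFC 2104 (available from Python's `hmac` module). The `envelope_key_coverage` helper is my own addition: it counts how many of MD5's 64-byte compression blocks actually contain key bytes in the envelope layout, which makes the "key diluted over multiple blocks" point measurable for a given key and text length.

```python
import hashlib
import hmac

MD5_BLOCK = 64  # MD5 compresses its input in 64-byte blocks


def envelope_md5(key: bytes, text: bytes) -> str:
    """The {key, text, key} 'envelope' construction the post argues against:
    one MD5 pass over key || text || key."""
    return hashlib.md5(key + text + key).hexdigest()


def hash_then_key_md5(key: bytes, text: bytes) -> str:
    """The construction the post attributes to Kaliski: hash the text
    without a key, then hash {hash, key}."""
    inner = hashlib.md5(text).digest()
    return hashlib.md5(inner + key).hexdigest()


def hmac_md5(key: bytes, text: bytes) -> str:
    """HMAC-MD5 (RFC 2104). Not discussed in the post; included only as the
    construction that was eventually standardised for keyed hashing."""
    return hmac.new(key, text, hashlib.md5).hexdigest()


def md5_total_blocks(length: int) -> int:
    """Number of 64-byte blocks MD5 processes for a message of `length`
    bytes once padding (0x80, zero fill, 8-byte bit length) is applied."""
    return (length + 8) // MD5_BLOCK + 1


def envelope_key_coverage(key_len: int, text_len: int):
    """For MD5(key || text || key), return (blocks containing at least one
    key byte, total blocks). Every block in between sees only text, which
    is the 'dilution' the post describes. Hypothetical helper, not from
    the post."""
    total = md5_total_blocks(2 * key_len + text_len)
    keyed = set()
    # leading key occupies bytes [0, key_len)
    for i in range(key_len):
        keyed.add(i // MD5_BLOCK)
    # trailing key occupies bytes [key_len + text_len, 2*key_len + text_len)
    for i in range(key_len + text_len, 2 * key_len + text_len):
        keyed.add(i // MD5_BLOCK)
    return len(keyed), total


if __name__ == "__main__":
    # Constructed sample values, not from the post.
    key = b"\x0b" * 16
    text = b"Hi There"
    print("envelope      ", envelope_md5(key, text))
    print("hash-then-key ", hash_then_key_md5(key, text))
    print("hmac-md5      ", hmac_md5(key, text))
    keyed, total = envelope_key_coverage(16, 1000)
    print(f"envelope: key present in {keyed} of {total} MD5 blocks")
```

With a 16-byte key and a 1000-byte text, the envelope layout touches only 3 of the 17 blocks MD5 compresses, so the key's influence enters at the start and is reintroduced only at the very end; hash-then-key instead folds the key into a single final block together with the digest of the whole text.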

