
MD5 for Authentication
Burt:

Bill Simpson said the following:

     The {key,text,key} hash is the wrong way to go for MD5.

     Because of the way that MD5 is designed, MD5 dilutes the effect of 
     the key over multiple blocks.  (I remember Jim Hughes pointed this 
     out, too.)

     According to reports from the PSRG meeting (two weeks ago), Kaliski 
     says we should first hash the text without a key, then hash the 
     {hash,key}. This gives the key greater strength in the final hash.

     If he had been designing MD5 for keying, he would have added the 
     key in at each step of the block hashing.

     (I got this from Schiller over the phone, so any mistake in reporting 
     is entirely mine, as this is a third hand report.)

Burt, in our discussions on this topic, you raised this alternative.  I 
pointed out that this requires two hash operations instead of one, so this 
will be slower on crypto implementations that are in peripherals like 
PCMCIA cards.  At that point, you did not say that one approach was 
stronger than another.

Has recent research shown one approach to be significantly stronger than 
the other?

If so, please explain why MD5(key,data,key) is weaker than 
MD5(MD5(data),key).  Also, I am curious if the same analysis would apply to 
SHA-1?

Russ
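The two constructions compared in the message, MD5(key,data,key) and MD5(MD5(data),key), as an added worked example in Python. This is not code from the message or from any of the people quoted in it; it builds both MACs with hashlib and then counts, using the MD5/SHA-1 padding rules, how many of the 64-byte compression blocks actually contain key bytes. That count is one concrete way to see Bill Simpson's "dilutes the effect of the key over multiple blocks" remark: in the envelope form the key sits only in the first and last blocks of a long message and reaches the middle blocks only through the chaining value, whereas in the hash-then-key form the digest and the key share a single block. The same block-layout analysis is run for SHA-1, which pads the same way (only the byte order of the length field differs), so it answers the structural half of the SHA-1 question; it says nothing about the cryptographic strength of either hash. The key and text sizes are constructed inputs chosen for the demonstration, and the HMAC line is included purely for comparison as the construction later standardized in RFC 2104, which the message predates.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 and SHA-1 both compress the input in 64-byte blocks


def keyed_hash(hash_name: str, *parts: bytes) -> bytes:
    """Hash the concatenation of parts with hashlib ('md5' or 'sha1')."""
    h = hashlib.new(hash_name)
    for p in parts:
        h.update(p)
    return h.digest()


def envelope_mac(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """The {key,text,key} form discussed in the message: H(key || text || key)."""
    return keyed_hash(hash_name, key, text, key)


def hash_then_key_mac(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """The alternative attributed to Kaliski: H(H(text) || key)."""
    return keyed_hash(hash_name, keyed_hash(hash_name, text), key)


def hmac_mac(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """For comparison only: HMAC (RFC 2104), which is not discussed in the message."""
    return hmac.new(key, text, hash_name).digest()


def padded_length(n: int) -> int:
    """Input length after MD5/SHA-1 padding: one 0x80 byte, zeros up to
    56 mod 64, then an 8-byte length field.  Always a multiple of 64."""
    return n + 1 + ((55 - n) % BLOCK) + 8


def key_bearing_blocks(layout):
    """layout: list of (label, length) segments in the order they are hashed.
    Returns (blocks_containing_key_bytes, total_blocks).  Any block without
    key bytes sees the key only through the chaining value carried in from
    the previous block (128 bits for MD5, 160 for SHA-1)."""
    total_len = sum(length for _, length in layout)
    total_blocks = padded_length(total_len) // BLOCK
    keyed = set()
    offset = 0
    for label, length in layout:
        if label == "key" and length > 0:
            first = offset // BLOCK
            last = (offset + length - 1) // BLOCK
            keyed.update(range(first, last + 1))
        offset += length
    return len(keyed), total_blocks


def compare_layouts(key_len: int, text_len: int, hash_name: str = "md5"):
    """Block layout of both constructions for a given key and text size."""
    digest_len = hashlib.new(hash_name).digest_size
    return {
        "envelope": key_bearing_blocks(
            [("key", key_len), ("text", text_len), ("key", key_len)]),
        # Only the outer hash is keyed; its input is digest || key.
        "hash_then_key": key_bearing_blocks(
            [("digest", digest_len), ("key", key_len)]),
    }


if __name__ == "__main__":
    # Constructed sample input: a 16-byte key and a 1000-byte message.
    key = b"\x01" * 16
    text = b"A" * 1000
    for name in ("md5", "sha1"):
        print(name, compare_layouts(16, 1000, name))
        print("  envelope     :", envelope_mac(key, text, name).hex())
        print("  hash-then-key:", hash_then_key_mac(key, text, name).hex())
        print("  hmac         :", hmac_mac(key, text, name).hex())
```

For the 1000-byte message the envelope form spreads the input over 17 MD5 blocks, of which only three (the first and the last two) contain key bytes; the hash-then-key form compresses digest plus key in a single block, so the key is present in every keyed compression call. Neither construction should be used for new work; the comparison line shows what a modern keyed hash looks like.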