[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re[2]: WG last call for IPv4 MD5

The reason I recommended MD5(MD5(text),key) is that MD5(text) is 
something well understood; including the key requires additional 

MD5(text) is also input to digital signatures, so this gives a common 
mechanism for several applications.

MD5(hash,key) is likely to involve only one application of MD5's 
compression function, and so should be easier to analyze than 

I agree that there's not much difference given the comments about 
folding you mention. But for other algorithms there may be a 
significant difference. It would be good to design in such a way that 
one can replace MD5 with another hash function, without worrying about 
unstated properties (e.g., must fold in a certain way). Or, at least 
to state the properties. We're working on some text for an RFC that 
Jim Galvin is drafting, which will address these concerns.

-- Burt

______________________________ Reply Separator _________________________________
Subject: Re: WG last call for IPv4 MD5
Author:  "William Allen Simpson" <bsimpson@morningstar.com> at INTERNET
Date:    2/27/95 7:44 PM

> Date: Mon, 27 Feb 1995 13:31:09 -0500
> From: "Perry E. Metzger" <perry@imsi.com>
> Other than that, no objections; if the commentary is true I'm not
> about to argue with Kaliski, although frankly having glanced at it I'm 
> not sure why MD5(MD5(text),key) would be stronger than MD5(text+key)
> given MD5's way of folding in new text into a hash. It would be nice 
> to get some comments straight from the horse's mouth, as it
> were. Anyone remember Burt Kaliski's email address? 
Please copy ipsec@ans.net