Re[2]: WG last call for IPv4 MD5
The reason I recommended MD5(MD5(text),key) is that MD5(text) is
something well understood; including the key requires additional
analysis.
MD5(text) is also input to digital signatures, so this gives a common
mechanism for several applications.
MD5(hash,key) is likely to involve only one application of MD5's
compression function, and so should be easier to analyze than
MD5(text,key).
I agree that there's not much difference given the comments about
folding you mention. But for other algorithms there may be a
significant difference. It would be good to design in such a way that
one can replace MD5 with another hash function, without worrying about
unstated properties (e.g., must fold in a certain way). Or, at least
to state the properties. We're working on some text for an RFC that
Jim Galvin is drafting, which will address these concerns.
-- Burt
______________________________ Reply Separator _________________________________
Subject: Re: WG last call for IPv4 MD5
Author: "William Allen Simpson" <bsimpson@morningstar.com> at INTERNET
Date: 2/27/95 7:44 PM
> Date: Mon, 27 Feb 1995 13:31:09 -0500
> From: "Perry E. Metzger" <perry@imsi.com>
> Other than that, no objections; if the commentary is true I'm not
> about to argue with Kaliski, although frankly having glanced at it I'm
> not sure why MD5(MD5(text),key) would be stronger than MD5(text+key)
> given MD5's way of folding in new text into a hash. It would be nice
> to get some comments straight from the horse's mouth, as it
> were. Anyone remember Burt Kaliski's email address?
>
Please copy ipsec@ans.net
Bill.Simpson@um.cc.umich.edu
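Burt's point above, that the keyed stage of MD5(MD5(text),key) takes a fixed 16-byte digest plus the key and so fits in a single MD5 compression-function block regardless of message length, as an added Python example. This is not code from the thread or from the IPsec drafts; the key and message bytes are constructed, and the `inner` parameter (for swapping in another hash function, as Burt suggests designing for) is an assumption of this example.

```python
"""Keyed-MD5 constructions from the thread, written out so the
compression-function cost of each can be counted."""
import hashlib

BLOCK = 64        # MD5 compression function consumes 64-byte blocks
MD5_LEN = 16      # MD5 digest length in bytes


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def md5_blocks(n: int) -> int:
    """Compression-function calls MD5 makes on an n-byte input.

    MD5 appends a 0x80 byte, zero-pads to 56 mod 64, then appends an
    8-byte length, so the padded input is the smallest multiple of 64
    that is >= n + 9.
    """
    return (n + 1 + 8 + BLOCK - 1) // BLOCK


def suffix_keyed(text: bytes, key: bytes) -> bytes:
    """MD5(text, key): the key is folded in after the whole message."""
    return md5(text + key)


def nested_keyed(text: bytes, key: bytes, inner=hashlib.md5) -> bytes:
    """MD5(H(text), key): the key is applied only to the inner digest.

    `inner` is an assumed hook showing that the inner hash can be
    replaced without changing the outer, keyed stage.
    """
    return md5(inner(text).digest() + key)


def keyed_stage_blocks(text: bytes, key: bytes) -> dict:
    """Compression calls in the MD5 invocation that sees the key.

    For the nested form this is 1 whenever len(key) <= 39, since
    16 + 39 + 9 = 64 fills exactly one block.
    """
    return {
        "suffix": md5_blocks(len(text) + len(key)),
        "nested": md5_blocks(MD5_LEN + len(key)),
    }
```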