
Re: End of WG Last Call for AH+MD5 and ESP+DES+3DES

Hilarie Orman says:
> I think that MD5(key, text, key) may be more secure than the double hash.
> My understanding is that Kaliski's suggestion was based on the idea
> that MD5(text) might be a useful subfunction.  However, I'm uneasy at
> the idea of a possible cryptanalysis of MD5(foo,key); not a question I've
> seen examined before.

All I know is that this was the suggestion being recommended by the
PSRG. I've heard that Kaliski thinks this is actually better than
MD5(key, text, key).

Of course, at this point, I'm sufficiently flexible (i.e. my
resistance has been crushed) that I'll take whatever the security area
directorate, in their wisdom, deem to be secure. (Let it never be said
that Bill and I haven't listened to what people have asked for.)

I've come to this conclusion because we are going to have to move from
the base transforms with time anyway -- the DES transform is already
inadequate for most real uses. Given this, I'll happily accept what
the experts say at the moment knowing that we're going to have to
change it every few years no matter what we do.

Therefore, I'd suggest that people bring up this issue with Jeff
Schiller and the area directorate. At the moment, we are just doing
what we are told.

Bill Simpson may, of course, disagree with me -- no one will ever
accuse him of being a follower :-)

Perry