[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MD5 hash calculation

I thank you for your belated comments, but as the Subject announced
"End of WG Last Call", this is a bit late.

Please keep in mind that unless and until the WG Chair(s) announce that
this is now a Proposed Standard, this is our individual effort.

> From: Hilarie Orman <ho@cs.arizona.edu>
> I think that MD5(key, text, key) may be more secure than the double hash.

If you think this, then perhaps you could give us a proof?  Until I see
such a proof, I am not willing to make yet another last minute chnage.

> My understanding is that Kaliski's suggestion was based on the idea
> that MD5(text) might be a useful subfunction.  However, I'm uneasy at
> the idea of a possible cryptanalysis of MD5(foo,key); not a question I've
> seen examined before.
No, it was based on the idea that MD5( key, text, key ) provides
insufficient mixing of the key bits when the text part is long.

MD5(key,MD5(text)) provides a dominance of the key bits in the mixing.
Cryptanalysis requires unrolling MD5.

We did _NOT_ use MD5(MD5(text),key)), because this only requires
cryptanalysis of the _last_ block hash of MD5 and the key, which may be
an easier problem.