[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MD5 hash calculation
I thank you for your belated comments, but as the Subject announced
"End of WG Last Call", this is a bit late.
Please keep in mind that unless and until the WG Chair(s) announce that
this is now a Proposed Standard, this is our individual effort.
> From: Hilarie Orman <firstname.lastname@example.org>
> I think that MD5(key, text, key) may be more secure than the double hash.
If you think this, then perhaps you could give us a proof? Until I see
such a proof, I am not willing to make yet another last minute chnage.
> My understanding is that Kaliski's suggestion was based on the idea
> that MD5(text) might be a useful subfunction. However, I'm uneasy at
> the idea of a possible cryptanalysis of MD5(foo,key); not a question I've
> seen examined before.
No, it was based on the idea that MD5( key, text, key ) provides
insufficient mixing of the key bits when the text part is long.
MD5(key,MD5(text)) provides a dominance of the key bits in the mixing.
Cryptanalysis requires unrolling MD5.
We did _NOT_ use MD5(MD5(text),key)), because this only requires
cryptanalysis of the _last_ block hash of MD5 and the key, which may be
an easier problem.