
MD5 hash calculation

I thank you for your belated comments, but as the Subject announced
"End of WG Last Call", this is a bit late.

Please keep in mind that unless and until the WG Chair(s) announce that
this is now a Proposed Standard, this is our individual effort.


> From: Hilarie Orman <ho@cs.arizona.edu>
> I think that MD5(key, text, key) may be more secure than the double hash.

If you think this, then perhaps you could give us a proof? Until I see
such a proof, I am not willing to make yet another last minute change.


> My understanding is that Kaliski's suggestion was based on the idea
> that MD5(text) might be a useful subfunction.  However, I'm uneasy at
> the idea of a possible cryptanalysis of MD5(foo,key); not a question I've
> seen examined before.
>
No, it was based on the idea that MD5( key, text, key ) provides
insufficient mixing of the key bits when the text part is long.

MD5(key,MD5(text)) provides a dominance of the key bits in the mixing.
Cryptanalysis requires unrolling MD5.

We did _NOT_ use MD5(MD5(text),key), because this only requires
cryptanalysis of the _last_ block hash of MD5 and the key, which may be
an easier problem.

Bill.Simpson@um.cc.umich.edu
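An added illustration of the three keyed-MD5 layouts compared in this message (example code, not from the message or any standard): the three constructions built on hashlib, plus a helper that shows which 64-byte MD5 blocks actually carry key bytes, which is the "mixing" point made above. Function names and the sample key/text are this example's own assumptions.

```python
import hashlib

# Added example: the three keyed-MD5 layouts discussed in the message, built
# from hashlib, plus a block-layout helper for the "mixing" argument.
# Function names and sample key/text values are constructed for this example.

BLOCK = 64  # MD5 compresses the padded input in 64-byte blocks


def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def key_text_key(key: bytes, text: bytes) -> bytes:
    """MD5(key, text, key): key bytes appear only in the first and last blocks."""
    return md5(key + text + key)


def key_hash(key: bytes, text: bytes) -> bytes:
    """MD5(key, MD5(text)): the variant the message argues for."""
    return md5(key + md5(text))


def hash_key(key: bytes, text: bytes) -> bytes:
    """MD5(MD5(text), key): the variant the message rejects."""
    return md5(md5(text) + key)


def padded_blocks(msg_len: int) -> int:
    """Compression calls MD5 makes for msg_len bytes: padding adds a 0x80 byte,
    zeros up to 56 mod 64, then an 8-byte length field."""
    return (msg_len + 8) // BLOCK + 1


def key_bearing_blocks(segments):
    """segments: ordered (label, length) pairs forming one MD5 input.
    Returns (sorted block indices containing key bytes, total blocks), i.e.
    how much of the hash chain ever sees key material."""
    offset, keyed = 0, set()
    for label, length in segments:
        if label == "key" and length > 0:
            keyed.update(range(offset // BLOCK, (offset + length - 1) // BLOCK + 1))
        offset += length
    return sorted(keyed), padded_blocks(offset)


if __name__ == "__main__":
    key, text = b"k" * 16, b"A" * 1000  # constructed sample values
    print(key_text_key(key, text).hex(), key_hash(key, text).hex(), hash_key(key, text).hex())
    print(key_bearing_blocks([("key", 16), ("text", 1000), ("key", 16)]))  # key in 3 of 17 blocks
    print(key_bearing_blocks([("key", 16), ("digest", 16)]))  # outer hash: 1 block, key present
```

With a 1000-byte text, MD5(key, text, key) mixes key bits into only 3 of 17 compression calls, while the outer hash of MD5(key, MD5(text)) is a single block in which the key precedes the 16-byte digest.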