[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MD5 hash calculation

Ref:  Your note of Tue, 14 Mar 95 12:33:51 GMT (attached)


 > MD5(key,MD5(text)) provides a dominance of the key bits in the mixing.
 > Cryptanalysis requires unrolling MD5.

You asked for proofs: here is an attack that breaks the authentication
without "unrolling" MD5. (And thus cryptanalysis does NOT require unrolling):

   If you know text and text' for which
   MD5(text)=MD5(text') then you can replace text by text' without even knowing
   the key. (See my previous note for more discussion on the importance to
   protect from such collision attacks).

One solution to this problem is MD5(key,text,key).
An even better solution (very close to your suggestion - and inspired by it):
                MD5(key, MD5(key,text)).

(collisions in plain MD5 won't help here and, in addition, you keep all
the bennefits of your construction).

I suggest you go for the later and, as said in my previous note, you give
a reference to an (eventual) RFC on keyed-MD5, where we'll (hopefully)
converge to the best acceptable solution.


PS: Burt, can you please comment on this