[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MD5 hash calculation

To: Bill.Simpson@um.cc.umich.edu, ipsec@ans.net
Subject: MD5 hash calculation
From: hugo@watson.ibm.com
Date: Tue, 14 Mar 95 10:33:56 EST
Cc: BURT@RSA.COM

Ref:  Your note of Tue, 14 Mar 95 12:33:51 GMT (attached)

Bill,

 > MD5(key,MD5(text)) provides a dominance of the key bits in the mixing.
 > Cryptanalysis requires unrolling MD5.

You asked for proofs: here is an attack that breaks the authentication
without "unrolling" MD5. (And thus cryptanalysis does NOT require unrolling):

   If you know text and text' for which
   MD5(text)=MD5(text') then you can replace text by text' without even knowing
   the key. (See my previous note for more discussion on the importance to
   protect from such collision attacks).

One solution to this problem is MD5(key,text,key).
An even better solution (very close to your suggestion - and inspired by it):
                MD5(key, MD5(key,text)).

(collisions in plain MD5 won't help here and, in addition, you keep all
the bennefits of your construction).

I suggest you go for the later and, as said in my previous note, you give
a reference to an (eventual) RFC on keyed-MD5, where we'll (hopefully)
converge to the best acceptable solution.

Hugo

PS: Burt, can you please comment on this

Prev by Date: MD5 hash calculation
Next by Date: Re: Proposed message on perfect forward security
Prev by thread: MD5 hash calculation
Next by thread: Re: MD5 hash calculation
Index(es):
- Main
- Thread