[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

key-ed MD5 again (and before any final call)

Ran's draft (draft-ietf-ipsec-auth-00.txt)
requires MD5(key,text,key) but also requires compliance with:

   [MS95]  Perry Metzger & Bill Simpson, "IP Authentication with Keyed MD5",
           Work in Progress, 21 March 1995.

which I did not see.

However, in the document by these authors titled
"draft-ietf-ipsec-ah-md5-02.txt" it says:

   The invariant fields of the entire IP datagram are hashed first.  The
   variable length secret authentication key is concatenated with
   (immediately followed by) this initial 128-bit digest, and the
   combination is hashed again.  This final 128-bit digest is inserted
   into the Authentication Data field.

So there seems to be a potential contradiction here.

MOST IMPORTANTLY, the later proposal (i.e., MD5(key,MD5(text)) )
can be easily and significantly improved to MD5(key,MD5(key,text))
(key included in the internal MD5).

In other words, MD5(key,MD5(text)) must be abandoned
(at least, I strongly oppose it)