[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
key-ed MD5 again (and before any final call)
Ran's draft (draft-ietf-ipsec-auth-00.txt)
requires MD5(key,text,key) but also requires compliance with:
[MS95] Perry Metzger & Bill Simpson, "IP Authentication with Keyed MD5",
Work in Progress, 21 March 1995.
which I did not see.
However, in the document by these authors titled
"draft-ietf-ipsec-ah-md5-02.txt" it says:
The invariant fields of the entire IP datagram are hashed first. The
variable length secret authentication key is concatenated with
(immediately followed by) this initial 128-bit digest, and the
combination is hashed again. This final 128-bit digest is inserted
into the Authentication Data field.
So there seems to be a potential contradiction here.
MOST IMPORTANTLY, the later proposal (i.e., MD5(key,MD5(text)) )
can be easily and significantly improved to MD5(key,MD5(key,text))
(key included in the internal MD5).
In other words, MD5(key,MD5(text)) must be abandoned
(at least, I strongly oppose it)