[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: key-ed MD5 again

> From: hugo@watson.ibm.com
> Ran's draft (draft-ietf-ipsec-auth-00.txt)
> requires MD5(key,text,key)

You are incorrect.  This does not appear anywhere in the text.

The text does contain an error, left over from an earlier verion of the
draft, which should be removed.

     When a keyed message digest algorithm (e.g. MD5) is used, the secret
   key is fed into the algorithm first, followed by the invariant fields
   of the IP datagram in sequence and then concluding by feeding the
   secret key in a second time.

We long ago agreed that these transform dependent information must be in
the transforms, not the AH text.  Thank you for the reminder.

> MOST IMPORTANTLY, the later proposal (i.e., MD5(key,MD5(text)) )
> can be easily and significantly improved to MD5(key,MD5(key,text))
> (key included in the internal MD5).
This is silly.  It might be stronger (although this mere conjecture was
not proven in your message), but there are even stronger possibilities
that have been previously mentioned, including using the key on every
MD5 block.

This type of criticism is based on wishful thinking.  Ultimate
"strength" is not an issue.

Some significant analysts think that a single key at the beginning of
MD5 does not provide enough key material when the text is long.  The
MD5(key,MD5(text)) was suggested to improve the effect of the key in the
final hash.

> In other words, MD5(key,MD5(text)) must be abandoned
> (at least, I strongly oppose it)
You've said this before.  Why do you waste our time repeating yourself?