[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: A Modest Proposal

To: perry@imsi.com
Subject: Re: A Modest Proposal
From: " " <amir@watson.ibm.com>
Date: Wed, 29 Mar 1995 09:35:16 -0500
Cc: "Theodore Ts'o" <tytso@MIT.EDU>, ipsec@ans.net
In-Reply-To: Your message of "Tue, 28 Mar 1995 21:47:21 EST." <199503290247.AA42072@interlock.ans.net>


Perry,

Nice joke. But I think you wanted also a serious reply, and here is one.

There are really two very different questions being discussed in the list
re message authentication algs:

1. What is the right mode of keyed MD5? (Hugo and Bill's friendly exchange)

2. Is MD5 fast enough or do we need something new (and what that is)? (Joe,
Hillarie, Ted,... )

If MD5 is not good (Q2) then of course Q1 becomes irrelevant... but...

We need a solution NOW, to get standard-complying (as much as possible)
products
this year. Finding a faster auth function is not a possibility; the only
reasonable candidates are MD5 and DES based. I'll be happy with either as they
have roughly complementing merits: MD5 is faster in SW, DES is faster in HW
and
more scalable (to even faster HW). I think MD5 should be required
as most implementations would be sw based (which we found to give acceptable
performance for many purposes). So my answer to Q2 is: we'll use MD5 for now,
and let's do research to come up with a faster alternative in 3 years.

As to Q1, I agree with you, we need an answer to that NOW too... and we should
try to be productive (for a change). For technical reasons, I agree with Hugo:
we need either the `traditional' MD5(key, data, key) or the `improved'
MD5(key, MD5(key, data)). I don't see Bill's point in saying essentially
`I don't understand why MD5(key, MD5(data)) is not enough so that's it!',
as the performance is negligibly affected by Hugo's variant, while the only
crypto expert voicing an opion on the two so far is Hugo... [I think; my
apologies if I missed/forgot some relevant note - too much pressure etc...)
(let me add my two cents to support Hugo's technical view)

But let's not despair; there is an easy way to resolve this. We need opinion
of additional crypto folks, preferably Burt (who proposed MD5(key, MD5(data))
but so far did not compare it to MD5(key, MD5(key, data)). If these would
support Hugo (as I'm quite sure they would) then we are done. Let me state
clearly that while I'm sorry Bill got so upset about this, I do support his
(and your) urge to get this issue resolved already. The right method is to
put more pressure on additional crypto experts (esp. Burt) to voice their
opinion NOW.

Best, Amir Herzberg

References:

A Modest Proposal

From: "Perry E. Metzger" <perry@imsi.com>

Prev by Date: Re: MD5 versus SHA
Next by Date: Re: MD5 versus SHA
Prev by thread: A Modest Proposal
Next by thread: Re: A Modest Proposal
Index(es):
- Main
- Thread