[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: MD5 versus SHA

> Date: Wed, 29 Mar 95 08:36:08 EST
> From: shirey@mitre.org (Robert W. Shirey)
> At 9:17 AM 3/28/95, touch@ISI.EDU wrote:
> >b) the IP security community has (as far as I have read from RFCs)
> >        stated that software is preferable for several reasons:
> >
> >        - compatibility with existing hardware base
> >        - agility (ability to change the algorithm if the need arises,
> >                e.g., someone cracks DES :-)
> >
> As we, the PSRG, note in our Internet-Draft
> <draft-irtf-psrg-secarch-sect1-00.txt>:
>  Preference for Software
> To maximize interoperability in the Internet, security designs that can
> be implemented in either software or hardware should be preferred over
> those that require hardware.  Also, security designs should prefer
> software security mechanisms that are freely and publicly available in

<draft-ietf-ipngwg-sec-00.txt> states (page 2):

   ... Standard default algorithms (i.e. keyed MD5, DES CBC)
   are specified to ensure interoperability in the global Internet.  The
   selected algorithms are the same as the standard default algorithms
   used in SNMPv2. 

However, the choice of MD5 for SNMP did not include performance
considerations. <rfc1446.txt> states (Page 7):

          An appendix of [3] contains a C Programming Language
          implementation of the algorithm.  This code was written with
          portability being the principal objective.  Implementors may
          wish to optimize the implementation with respect to the
          characteristics of their hardware and software platforms.

This appears to hint that MD5 was believed to have optimization
potential, because only a reference implementation was given. It turned
out that the potential was very limited.

At this time, it may be important to recognize:
	- known limitations in the performance of MD5
	- the fact that hardware doesn't speed-up some things
	  as much as others
		e.g., DES can be accellerated by a factor
		of 100, but MD5 can be accellerated by
		a factor of only 4 or so

		in general:

		algorithms based on bit-wise logical
		operations and table lookups can be
		accellerated rather well in hardware

		algorithms based on multiplication,
		addition (2's or 1's complement),
		etc. are not accellerated well in hardware

At this time, my limited investigation hints at the following
as being better choices, performance-wise, than MD5:

	general Feistel ciphers (of which DES is a member?)
	N-DFA hash mechanisms

(I'm seeking further info on both).