[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: key-ed MD5 again



> An additional note on this subject from Richard Schroeppel
> (rcs@cs.arizona.edu) follows.  As it is a rather detailed missive, let
> me summarize the bottom line as a contribution to rough concensus in
> favor of MD5(key,data,key).

No objections.

But,

>   MD5( Key .conc. VeryLongText .conc. Key )
> 
> then we cancel out all of the intermediate information loss discussed
> above, and also protect against some appending attacks.

I can feel a little more happy, if someone can explain why,

   MD5( Key .conc. Initialtext .conc. VeryLongText .conc. Key )

the forgery of the Initialtext part is less important, and why,
MD5, which also hashes the message length, must be protected
against appending attacks.

						Masataka Ohta


References: