
Re[2]: MD5 versus SHA



Jim --

You've represented Ron's position accurately; RFC 1321 states:

> The MD5 algorithm is an extension of the MD4 message-digest algorithm
> [1,2]. MD5 is slightly slower than MD4, but is more "conservative" in
> design. MD5 was designed because it was felt that MD4 was perhaps
> being adopted for use more quickly than justified by the existing
> critical review; because MD4 was designed to be exceptionally fast,
> it is "at the edge" in terms of risking successful cryptanalytic
> attack. MD5 backs off a bit, giving up a little in speed for a much
> greater likelihood of ultimate security. It incorporates some
> suggestions made by various reviewers, and contains additional
> optimizations. The MD5 algorithm is being placed in the public domain
> for review and possible adoption as a standard.
     
While MD5 is designed for fast software implementation and is
sufficiently fast for many applications, I do agree with Joe Touch's
observations that the iterative nature of MD5's design places
limits on how much it can be sped up with hardware. This is not unique
to MD5; other hash functions (SHA-1, MDC2) and several modes of block
ciphers (CBC, OFB, CFB) have similar limitations. A more
parallelizable design would be worth considering for the next
generation of hash functions, though MD5 should remain fast enough for
most applications for a while.

     -- Burt
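The hardware-parallelism point above, as an added example that is not part of the original thread: a toy Merkle-Damgard chain of the kind MD4/MD5/SHA-1 use, beside a tree-structured alternative, with a function that counts the longest chain of dependent compression calls in each (the latency floor regardless of how many compression units the hardware has). The compression function, IV, padding and tree conventions are constructed stand-ins, not MD5's internals.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 64                  # message block size in bytes, as in MD5 and SHA-1
IV = b"\x00" * 32           # constructed initial chaining value

def compress(chaining_value: bytes, block: bytes) -> bytes:
    # Stand-in compression function (constructed; not MD5's). Only its
    # input/output wiring matters for the dependency argument.
    return hashlib.sha256(chaining_value + block).digest()

def blocks_of(msg: bytes) -> list[bytes]:
    """MD-style padding: 0x80, zeros to 56 mod 64, then 8-byte bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded)) % BLOCK)
    padded += (len(msg) * 8).to_bytes(8, "big")
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]

def iterative_hash(msg: bytes) -> bytes:
    """Merkle-Damgard chaining as in MD4/MD5/SHA-1: block i+1 cannot be
    processed until block i has produced the chaining value it consumes."""
    h = IV
    for b in blocks_of(msg):
        h = compress(h, b)          # serial data dependency on h
    return h

def tree_hash(msg: bytes, workers: int = 4) -> bytes:
    """Tree construction: every leaf depends only on its own block, so the
    leaves can be compressed concurrently; levels are then combined pairwise.
    Tags 0x00/0x01 separate leaf from interior nodes (constructed convention)."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        level = list(pool.map(lambda b: compress(b"\x00" + IV, b), blocks_of(msg)))
    while len(level) > 1:
        pairs = [level[i:i + 2] for i in range(0, len(level), 2)]
        level = [compress(b"\x01" + p[0], p[1]) if len(p) == 2 else p[0] for p in pairs]
    return level[0]

def critical_path(n_blocks: int, design: str) -> int:
    """Length of the longest chain of dependent compression calls: the latency
    floor no matter how many compression units the hardware provides."""
    if design == "iterative":
        return n_blocks
    depth = 1                        # leaf level
    while n_blocks > 1:
        n_blocks = (n_blocks + 1) // 2
        depth += 1
    return depth
```

For a 1000-block message the chained design needs 1000 dependent compression steps, the tree 11, which is the gap extra hardware can and cannot close in each case.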



______________________________ Reply Separator _________________________________
Subject: Re: MD5 versus SHA 
Author:  James M Galvin <galvin@tis.com> at INTERNET
Date:    3/30/95 6:29 AM
