
re:MD5 for authentication article in RSA's "CryptoBytes"



In message "MD5 for authentication article in RSA's "CryptoBytes"", 
'perry@imsi.com' writes:

>There is a new RSADSI newsletter called "CryptoBytes". One of their
>articles in the first issue is about use of MD5 for authentication.
>
>Perry

Note there is a comment related to this in [crypto95], 
at the end of section 4.3:

   Three MD5-based MAC proposals for the IPSEC 
   working group are made in [kaliski95]: 
   one is the envelope method with 
   $K_1=K_2$ and $k_1=128$ ($K_1$ is padded to a complete block),
   the other two are 
   $MAC(x) = h( K_1  || h( K_2  || x))$ and  
   $MAC(x) = h( K_1  || h( K_1  || x))$. 
   It is suggested that the best known attack on 
   these schemes requires $2^{64}$ chosen messages;
   however, Proposition 4 shows that $2^{56.5}$ known text-MAC 
   pairs are sufficient (if $s=2^{16}$). 
   Also, the second scheme is vulnerable to the 
   divide and conquer attack described above.

[crypto95] Bart Preneel, Paul C. van Oorschot,
   ``MDx-MAC and Building Fast MACs from Hash Functions,''
   Proc. Crypto'95, Springer-Verlag LNCS (to appear, Aug. 1995).
   {ftp: ftp.esat.kuleuven.ac.be, directory pub/COSIC/preneel}

[kaliski95] B. Kaliski, M. Robshaw, ``Message authentication with MD5,'' 
   CryptoBytes (RSA Laboratories Technical Newsletter), 
   Vol.1, No.1, Spring 1995, pp.5--8.


Paul Van Oorschot.
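The three MD5-based MAC constructions quoted above from [crypto95], written out as an added example (not code from the post, from [crypto95] or from [kaliski95]), with HMAC-MD5 beside them for comparison. Assumptions are labelled in the comments: a 128-bit key zero-padded to MD5's 64-byte block for the envelope method, with the trailing copy of the key appended unpadded, and `hashlib`/`hmac` from the Python standard library; the function names are this example's own.

```python
import hashlib
import hmac

MD5_BLOCK = 64  # MD5 compresses 64-byte (512-bit) blocks


def md5(data: bytes) -> bytes:
    """Unkeyed MD5 digest, the h() of the quoted formulas."""
    return hashlib.md5(data).digest()


def pad_key_to_block(key: bytes) -> bytes:
    """Pad a key to one full MD5 block with zero bytes.

    Assumption: the quoted text says K_1 is "padded to a complete block" with
    k_1 = 128 bits; the padding byte value is not specified there, so 0x00 is
    an assumption of this example.
    """
    if len(key) > MD5_BLOCK:
        raise ValueError("key must fit in one MD5 block")
    return key + b"\x00" * (MD5_BLOCK - len(key))


def envelope_mac(key: bytes, msg: bytes) -> bytes:
    """Envelope method with K_1 = K_2: MAC(x) = h(pad(K_1) || x || K_2).

    Assumption: only the leading key copy is block-padded; the trailing copy is
    appended as-is, which is how this example reads the quoted sentence.
    """
    return md5(pad_key_to_block(key) + msg + key)


def nested_two_key_mac(k1: bytes, k2: bytes, msg: bytes) -> bytes:
    """Second scheme from the quote: MAC(x) = h(K_1 || h(K_2 || x))."""
    return md5(k1 + md5(k2 + msg))


def nested_one_key_mac(key: bytes, msg: bytes) -> bytes:
    """Third scheme from the quote: MAC(x) = h(K_1 || h(K_1 || x))."""
    return nested_two_key_mac(key, key, msg)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 (RFC 2104), the construction that later replaced these proposals."""
    return hmac.new(key, msg, hashlib.md5).digest()


def verify(expected: bytes, computed: bytes) -> bool:
    """Constant-time tag comparison; a plain == leaks timing on the first mismatch."""
    return hmac.compare_digest(expected, computed)


def all_tags(key: bytes, msg: bytes) -> dict:
    """Compute every construction over the same key and message, for side-by-side inspection."""
    return {
        "envelope": envelope_mac(key, msg),
        "nested_two_key": nested_two_key_mac(key, key, msg),
        "nested_one_key": nested_one_key_mac(key, msg),
        "hmac_md5": hmac_md5(key, msg),
    }


if __name__ == "__main__":
    # Constructed sample input: a 128-bit key and a short message.
    sample_key = bytes(range(16))
    sample_msg = b"IPSEC packet payload (constructed sample)"
    for name, tag in all_tags(sample_key, sample_msg).items():
        print(f"{name:15s} {tag.hex()}")
```

Each scheme yields a 16-byte tag, so the tags differ only in how the key enters the hash; that is exactly the distinction the quoted attack complexities turn on, and the reason HMAC keys both the inner and outer hash with derived pads rather than raw concatenation.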