The various incantations of MD5...
So far, what I'm hearing is "MD5 is probably OK in HMAC". It isn't clear to
me what the recommendation is for other uses of MD5, apart from a blanket
statement to "punt it". I tend to see such statements as knee-jerk
reactions, which cause me to have my own knee-jerk reaction (usually
in the opposite direction ;-).
I've been trying to classify the uses of MD5, to get a better sense
of where it's critical to replace MD5 with something else, and where
the use of MD5 isn't a risk.
My off-the-cuff list:
1) MD5 hashes to generate "bits"; something along these lines:
3DES
key1 = MD5(1|secret value)
key2 = MD5(2|secret value)
key3 = MD5(3|secret value)
2) keyed MD5, where the shared secret key is inserted into the digest
field for calculation purposes; this field is then overwritten by the
digest. Examples: OSPF, RIP, ...
3) keyed MD5 used like PPP CHAP [I can't remember how it's done,
except I remember it's different than (2)]
4) HMAC-style hashes
5) MD5 in public-key signed hash functions
6) ...
It sounds like we have more of an answer on #4 than any of the others.
MD5 is already being used by more than IPSEC. I think we should be
more formally describing the characteristics where "MD5 is safe to use"
vs. "MD5 is risky to use", so we can better advise other WGs as to
what they should do. Maybe in some cases MD5 is OK provided that
certain things (e.g. parameters to MD5?) are done differently.
Right now, I wouldn't feel comfortable going to any other WG and
telling them that they absolutely had to replace MD5 with something
else. Maybe it isn't necessary, or maybe more is necessary than
simply replacing the algorithm, in light of HMAC, followed by the
recent news of MD5.
- C
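The three constructions the post contrasts, written out as an added example (not code from the original message or from any of the protocols it names). Item (1) is the "bits generator" MD5(i|secret); item (2) is the OSPF/RIP-style keyed MD5, where the secret sits in the digest field during the calculation and the field is then overwritten; item (4) is HMAC-MD5 built by hand from ipad/opad so the structural difference from (2) is visible. Assumptions not stated in the post: the counter in (1) is a single byte and each 3DES key is the first 8 bytes of the digest; the key field in (2) is 16 bytes, zero-padded; the secret and packet are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data for the example (not from the original post).
SECRET = b"shared-secret-for-demo"
PACKET = b"OSPF-like packet body, constructed for this example"

DIGEST_LEN = 16   # MD5 output length
BLOCK_LEN = 64    # MD5 compression-function block length


# (1) MD5 as a "bits" generator: key_i = MD5(i | secret).
def derive_3des_keys(secret: bytes) -> list[bytes]:
    """Return three 8-byte 3DES keys.

    Assumption: the counter is one byte and only the first 8 bytes of each
    16-byte digest are kept; the post does not say how the digest is cut
    down to a DES key.
    """
    keys = []
    for i in (1, 2, 3):
        digest = hashlib.md5(bytes([i]) + secret).digest()
        keys.append(digest[:DIGEST_LEN // 2])
    return keys


# (2) Keyed MD5, OSPF/RIP style: the secret is placed in the digest field for
# the calculation, then that field is overwritten by the digest itself.
# Assumption: a 16-byte key field, zero-padded (truncated if longer).
def _key_field(secret: bytes) -> bytes:
    return secret[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def keyed_md5_sign(packet: bytes, secret: bytes) -> bytes:
    """Return the wire form: packet followed by MD5(packet | key_field)."""
    digest = hashlib.md5(packet + _key_field(secret)).digest()
    return packet + digest


def keyed_md5_verify(wire: bytes, secret: bytes) -> bool:
    """Restore the key into the digest field, recompute, compare in constant time."""
    if len(wire) < DIGEST_LEN:
        return False
    packet, received = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
    expected = hashlib.md5(packet + _key_field(secret)).digest()
    return hmac.compare_digest(received, expected)


# (4) HMAC-MD5 built by hand: the key enters twice, through ipad and opad,
# and the message is never hashed directly under the bare key.
def hmac_md5(key: bytes, msg: bytes) -> bytes:
    if len(key) > BLOCK_LEN:
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK_LEN, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def hmac_md5_matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check of the hand-built construction against Python's hmac module."""
    return hmac.compare_digest(hmac_md5(key, msg), hmac.new(key, msg, "md5").digest())


if __name__ == "__main__":
    print("3DES keys:", [k.hex() for k in derive_3des_keys(SECRET)])
    wire = keyed_md5_sign(PACKET, SECRET)
    print("keyed MD5 verifies:", keyed_md5_verify(wire, SECRET))
    tampered = bytes([wire[0] ^ 0x01]) + wire[1:]
    print("tampered packet verifies:", keyed_md5_verify(tampered, SECRET))
    print("HMAC-MD5 matches hmac module:", hmac_md5_matches_stdlib(SECRET, PACKET))
```

The verify step in (2) is the only place the secret is ever compared, and it is done with a constant-time compare; the length check guards against a wire buffer shorter than the digest field.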