
MD5 vs. SHA-1, Selection Criteria



HUGO@watson.ibm.com wrote:
{stuff deleted}
>    Due to this fact and the performance advantages of MD5 over other
>    alternatives (e.g., SHA-1)... 


I'm still not convinced that throughput performance should be a criterion for choosing a default hash function.  Just for 
reference, could someone repost their best performance times for both algorithms?  Are we talking about a factor of 2, 10, 
100?  My guess is that the difference in performance is not significant when compared with the security requirements for the 
algorithm.  And one of those requirements most certainly is "user confidence".  I think confidence in MD5 is falling rapidly 
in the cryptographic community.

The fact that HMAC-MD5 is a mode for MD5 usage that doesn't *currently* seem susceptible to the recent attack described by 
Hans Dobbertin says more for the HMAC technique than the long-term viability of MD5.

By not abandoning MD5 outright in favor of SHA-1, I think we are sending the wrong message to the not-so-crypto-savvy 
community.  What about the people that missed this discussion and use MD5 in its native mode because they don't know any 
better?

From a commercial standpoint, I believe system designers are ill-advised to specify MD5 for new systems and should embrace 
SHA-1.  Security is an endeavor that is best served by a conservative attitude.  You certainly don't see anyone trying to 
keep MD2 and MD4 around as an option.  And for good reason!  It is interesting that that conservative (sometimes radically) 
posture usually exhibited by the IPSEC group is not showing up in this case.

My position is that MD5 should be immediately abandoned for use in ANY mode.  MD5 is a cryptographic algorithm the strength 
of which is in serious dispute.  It should be removed from consideration by IETF and other standards committees for use in any 
form.  I also think that implementors should re-examine the cost to move to SHA-1 versus the cost of retaining a hash 
function that probably has a limited lifetime.  And in case this applies to anyone, let me note that just because a company 
is using MD5 in a current system does not mean it is a good reason to lobby for it as an option in IETF IPSEC.  Keeping it 
around in an existing system is a business decision; it should not be a consideration for a security standard with the 
longevity this one is expected to have.

BTW, if/when SHA-1 begins to show its age, I will be quite happy to see it retired in a timely manner.


-John Kennedy
jkennedy@cylink.com
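The post asks for actual throughput numbers for MD5 and SHA-1, in both their native mode and as HMAC. The script below is an added example, not part of John Kennedy's message or the IPSEC working group's material: it times both algorithms over a constructed 4 MiB buffer using Python's standard hashlib and hmac modules and reports MiB/s, so a reader can see for themselves whether the gap is a factor of 2, 10 or 100 on their own hardware. The buffer contents and the key are constructed demo values; the absolute figures depend on the machine and on the OpenSSL build behind hashlib.

```python
"""Added example (not from the original post): compare raw and HMAC
throughput of MD5 and SHA-1 using only the Python standard library."""
import hashlib
import hmac
import time

# Constructed input: 4 MiB of deterministic bytes, and a demo key that is
# not a real secret.  Both exist only so the script runs offline.
BUFFER = bytes(range(256)) * (4 * 1024 * 1024 // 256)
KEY = b"constructed-demo-key-not-a-real-secret"


def _best_of(fn, repeats):
    """Return the best (smallest) wall-clock time in seconds for one call to fn().

    Best-of-N is used rather than an average so a single scheduler hiccup
    does not distort the comparison."""
    best = None
    for _ in range(repeats):
        t0 = time.perf_counter()
        fn()
        elapsed = time.perf_counter() - t0
        best = elapsed if best is None else min(best, elapsed)
    return best


def hash_throughput(algorithm, data=BUFFER, repeats=5):
    """MiB/s for the bare hash function (what the post calls 'native mode')."""
    seconds = _best_of(lambda: hashlib.new(algorithm, data).digest(), repeats)
    return len(data) / seconds / (1024 * 1024)


def hmac_throughput(algorithm, key=KEY, data=BUFFER, repeats=5):
    """MiB/s for HMAC built on the same hash function.

    HMAC costs two extra compression-function calls (inner and outer hash
    of the key padding), so for a multi-megabyte message its throughput
    is expected to be within noise of the bare hash."""
    seconds = _best_of(lambda: hmac.new(key, data, algorithm).digest(), repeats)
    return len(data) / seconds / (1024 * 1024)


def compare(algorithms=("md5", "sha1")):
    """Measure every algorithm in both modes.

    Returns {name: {"hash": MiB/s, "hmac": MiB/s, "digest_bytes": int}}."""
    results = {}
    for name in algorithms:
        results[name] = {
            "hash": hash_throughput(name),
            "hmac": hmac_throughput(name),
            "digest_bytes": hashlib.new(name).digest_size,
        }
    return results


def speed_ratio(results, fast="md5", slow="sha1"):
    """How many times faster the 'fast' bare hash is than the 'slow' one."""
    return results[fast]["hash"] / results[slow]["hash"]


if __name__ == "__main__":
    r = compare()
    for name, row in r.items():
        print(f"{name:5s} hash {row['hash']:8.1f} MiB/s  "
              f"hmac {row['hmac']:8.1f} MiB/s  "
              f"digest {row['digest_bytes']} bytes")
    print(f"MD5 / SHA-1 speed ratio: {speed_ratio(r):.2f}")
```

Run it as a script to print the table; the ratio reported is the number the post is asking about. On modern CPUs the difference is well under an order of magnitude, which is the point being argued: a modest throughput edge is a weak reason to keep a hash whose collision resistance is in dispute.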

