
Re: MD5 vs. SHA-1, Selection Criteria



Craig Metz wrote:
> ----------
> In message <31A4E010.3BA9@cylink.com>, you write:
> >My position is that MD5 should be immediately abandoned for use in ANY mode.
> >MD5 is a cryptographic algorithm the strength of which is in serious dispute.
> >It should be removed from consideration by IETF and other standards committees
> >for use in any form.
> 
>         Then I trust you'd be happy to do a quick demonstration and hijack
> an AH HMAC-MD5 protected TCP connection?
>
> 
>         Until you can show me that, I believe that MD5 has value. The value is
> that random people cannot defeat it. Maybe major governments can. When it comes
> to MY traffic, *I* want to be able to make the trade-off between security and
> performance.
> ----------

I agree that MD5 still has some value, but not as much long-term value as SHA-1.  DES still has 
plenty of value, too, but new standards are moving away from DES to Triple-DES and other 
stronger algorithms.  Not because DES is broken now, but because the safety margin seems to 
be shrinking.

> ----------
> >I also think that implementors should re-examine the cost to move to SHA-1
> >versus the cost of retaining a hash function that probably has a limited lifetime.
> 
>         The flaw in this line of thinking should be obvious.
> 
>                                                                 -Craig
>-----------

I guess it wasn't obvious to me. :) If I gave you a free implementation of SHA-1 that ran as fast or faster than MD5, 
would that change your mind?

My goal was to solicit debate on Performance vs. Perceived Strength vs. Utility.  We all place different weight
on these criteria depending on the task at hand.  Finding a compromise is one of our unenviable tasks as a working 
group.

Perhaps Steve Bellovin's suggestion of making both HMAC-MD5 and HMAC-SHA1 mandatory to implement is a suitable 
compromise.  However, I think that by keeping HMAC-MD5 as an *optional* transform we encourage the use of stronger 
cryptography over higher performance where it can be accommodated.


-John Kennedy
jkennedy@cylink.com

