
Re: MD5 vs. SHA-1, Selection Criteria



In message <31A5D755.796C@cylink.com>, you write:
>If I gave you a free implementation of SHA-1 that ran as fast or faster than
>MD5, would that change your mind?

	I'd be very interested in seeing this. All of the SHA code I've seen
thus far is slower than MD5. (Most of it's pretty poorly written, too.)

>Perhaps Steve Bellovin's suggestion of making both HMAC-MD5 and HMAC-SHA1
>mandatory to implement is a suitable compromise.  However, I think that by
>keeping HMAC-MD5 as an *optional* transform that we encourage the use of
>stronger cryptography over higher performance where it can be accommodated.

	I think a strong argument in favor of making both mandatory is simply
the desire to have at least two options available to the end user.

	If someone posted a short program to sci.crypt tomorrow that could
recover a key from an AH HMAC-SHA stream (extremely unlikely, but just
suppose), would you want to have to wait for a vendor to get you an update (and
how long have certain vendors sat on security fixes in the past?) or would you
like to twiddle a configuration knob to change your local default? I don't know
about you, but I want to have a backup available in all cases that I can choose
to use. Just in case.

	(We should do the same for encryption...)

									-Craig

