RE: Remove little-used algorithms from IKEv2
At 12:32 PM -0800 3/14/02, Hallam-Baker, Phillip wrote:

>Any reason for keeping the MD5 algorithms given their somewhat compromised
>status?

Yes, two.

- As I understand the argument, the "somewhat" is exactly that: there
is no known break for real-world use, but there is a strong suspicion
that a break could happen.

- We want it in there in case of a catastrophic failure of SHA-1 and
the related bigger SHAs.

>MD5 and SHA are pretty close and share the same internal structure so I
>don't think we can really justify MD5 as a fallback to SHA-1, particularly
>in the light of the Dobbertin results.

I'm happy to add MD5 to the list of "only there because we could" if
folks agree with your analysis.

>We should anticipate that the AES based SHA-2 algorithms will appear in due
>course so it is not as if there would only be one algorithm

If those have the same failure relationship to SHA-1 as MD5 does, the
argument becomes circular.

It is good practice to have a well-understood fallback in case of
catastrophic failure. MD5 has a huge amount of implementation
experience behind it.

--Paul Hoffman, Director
--VPN Consortium