RE: Remove little-used algorithms from IKEv2
At 12:32 PM -0800 3/14/02, Hallam-Baker, Phillip wrote:
>Any reason for keeping the MD5 algorithms given their somewhat compromised
>status?

Yes, two.

- As I understand the argument, the "somewhat" is exactly that: there
is no known break for real-world use, but there is a strong suspicion
that a break could happen.

- We want it in there in case of a catastrophic failure of SHA-1 and
the related bigger SHAs.

>MD5 and SHA are pretty close and share the same internal structure so I
>don't think we can really justify MD5 as a fallback to SHA-1, particularly
>in the light of the Dobbertin results.

I'm happy to add MD5 to the list of "only there because we could" if
folks agree with your analysis.

>We should anticipate that the AES-based SHA-2 algorithms will appear in due
>course, so it is not as if there would only be one algorithm.

If those have the same failure relationship to SHA-1 as MD5 does, the
argument becomes circular.

It is good practice to have a well-understood fallback in case of
catastrophic failure. MD5 has a huge amount of implementation
experience behind it.

--Paul Hoffman, Director
--VPN Consortium