
Re: uses of MD5 hashes



At 09:49 PM 11/9/97 -0500, Michael C. Richardson wrote:
>  The only hash defined in the spec is md5. In general, we are using
>this a lot to identify principals. We always do this with (hash md5
>#deadbeef..#)
>so it is clear that one could eventually have:
>	(hash sha1 #deadbeef..#)

I'm sorry you got that impression.  We assumed sha1 from the start.  I'll 
have to scan the draft now to see what gave the impression that it wasn't 
defined.

My examples all used MD5 because I didn't have sha1 code available in my 
library at the time I generated the examples.

BTW, the deadbeef attack was not a hash attack.  PGP's keyid was the low 
bits of the public key.

>  Now, my reading of the IPsec lists wrt keyed MD5, keyed SHA1, and
>the HMAC variants says the following to me:
>	1. *keyed* MD5 may be weak.
>	2. *keyed* SHA1 is probably better, but slower.
>	3. *keyed* HMAC-MD5 may be both fast and stronger than plain MD5.
>	4. NONE of this applies to non-keyed MD5.

I don't know how to work a secret key into our signatures -- or does your 
reading suggest that a non-secret key makes keyed hashes stronger?  (likely, 
but I haven't seen anything written on the subject)

>  I would prefer to have a single object hash rather than have to
>decide at run-time "oops. I didn't hash those objects with SHA1. Just
>a minute..." 

We worry about having a single hash definition.  What happens when the 
chosen algorithm falters?

>  If I have to potentially hash all things that I read with MD5 and
>SHA1, then let's just use SHA1. It is slower than MD5, but it is
>faster to do one (or the other) and be done with than to have to do
>both.
>
>  So, if anyone thinks we may want SHA1 for object *identification*
>(NOT authentication) then let's switch to it *now*. 

The real enforcer is the verifier of the signature.  It's free to decide 
that MD5 is too weak to trust and just refuse to accept signatures made with 
it.

>  REMEMBER THIS IS NOT KEYED HASHING.

Ah.

 - Carl



+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street  PGP 08FF BA05 599B 49D2  23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+
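The point Carl makes about the verifier being the real enforcer, applied to the `(hash <alg> #<hex>#)` identifier form quoted in the thread, as an added Python example (not code from the SPKI draft or from either correspondent). The single S-expression shape the parser accepts, the two-entry algorithm table and the default policy of refusing md5 are assumptions of the example, chosen to illustrate the discussion rather than taken from the spec.

```python
import hashlib
import hmac
import re

# The identifier form quoted in the thread: (hash <alg> #<hex-digest>#).
# Handling only this one S-expression shape is an assumption of this example.
HASH_OBJ = re.compile(r"^\(hash\s+([a-z0-9]+)\s+#([0-9a-fA-F]+)#\)$")

# Algorithms the tag may name; adding an entry is the whole "switch" the thread debates.
ALGORITHMS = {"md5": hashlib.md5, "sha1": hashlib.sha1}

def make_hash_object(alg, data):
    """Identify `data` under algorithm `alg`, in the quoted (hash alg #hex#) form."""
    return f"(hash {alg} #{ALGORITHMS[alg](data).hexdigest()}#)"

def parse_hash_object(text):
    """Return (algorithm, digest bytes); raise ValueError for anything malformed."""
    m = HASH_OBJ.match(text.strip())
    if m is None or m.group(1) not in ALGORITHMS:
        raise ValueError(f"not a recognised hash object: {text!r}")
    alg, hexdigest = m.group(1), m.group(2).lower()
    # A digest of the wrong length can never match; reject it before hashing anything.
    if len(hexdigest) != 2 * ALGORITHMS[alg]().digest_size:
        raise ValueError(f"digest length does not match {alg}")
    return alg, bytes.fromhex(hexdigest)

def verify_identifier(hash_obj, data, trusted=frozenset({"sha1"})):
    """Verifier-side check: recompute the digest and compare, but only for
    algorithms this verifier still accepts. The default policy refuses md5,
    the choice the reply says a verifier is free to make (policy, not spec)."""
    alg, digest = parse_hash_object(hash_obj)
    if alg not in trusted:
        return False, f"refused: {alg} is not accepted by this verifier"
    if not hmac.compare_digest(ALGORITHMS[alg](data).digest(), digest):
        return False, f"mismatch: object does not hash to the {alg} identifier"
    return True, f"ok: {alg} identifier matches"

# Constructed sample object standing in for a principal's key (not SPKI syntax).
SAMPLE_OBJECT = b"constructed sample principal object"

if __name__ == "__main__":
    for alg in ALGORITHMS:
        ident = make_hash_object(alg, SAMPLE_OBJECT)
        print(ident, "->", verify_identifier(ident, SAMPLE_OBJECT))
```

Passing a wider `trusted` set shows the same identifier being accepted by a verifier with a more permissive policy, which is why the issuer and verifier need not agree on one algorithm in advance.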
