[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Keyed-MD5, and HTTP-NG

To: "baldwin" (Robert W. Baldwin) <[email protected]>
Subject: Re: Keyed-MD5, and HTTP-NG
From: "Perry E. Metzger" <[email protected]>
Date: Tue, 31 Oct 1995 19:02:09 -0500
Cc: [email protected], [email protected], [email protected]
In-Reply-To: Your message of "Mon, 30 Oct 1995 17:34:09 PST." <[email protected]>
Reply-To: [email protected]
Sender: [email protected]

"baldwin" writes:
> Simon,
>         There are a few different ways to add key material to MD5 to
> make it suitable as a shared-secret authenticator function.  Some of these
> are less resistant to attacks than others.  For example, the keyed MD5
> mechanism that is part of the current IPsec specifications can be
> attacked using 2**60 chosen messages.  Fortunately, the IPsec specs
> also require that the shared MD5 key be changed every 2**32 messages,
> so this attack is unlikely to succeed.  Specifically, IPsec uses
> MD5 as follows:  X = MD5(key | keypad | Message), where "|" means
> concatenation and the "keypad" pads out the key to 512 bits.
> Basically, this function is the same as standard MD5 with a
> different initialization vector for the compression operation
> on the first block of the message.
>         RSA Labs recommends that a people use an authenticator like
> X = MD5(key1, MD5(key2, Message)).  This resists the chosen plaintext
> attacks that were published at the crypto conference in Spring 1995.

Pardon me. The amount of vitriol I am going to spew is probably
difficult for people to understand because most folks around here
weren't following the keyed MD5 discussions during the IPSEC work and
have no idea of the sort of crap the professional cryptographic
community put us through.

We spent months, and months, and months, and months, getting advice
from every cryptographer on the planet. Every conceivable combination
of pads, multiple keys, keys before the text, after, before and after,
etc., was discussed over and over and over again.

Finally, the folks at RSA and IBM both agreed that Hugo's scheme, the
one we were putting in to place, was the best possible one. (Thats the
one with the padded key.)

What the flying hell are you doing telling us now, and indeed not even
telling the IPSEC community but instead mumbling on cypherpunks, that
you guys were in possession of information BEFORE the entire
discussion in midsummer that indicated that your own advice was wrong?

Perry

Follow-Ups:
- Re: Keyed-MD5, and HTTP-NG
  - From: [email protected]

References:
- Keyed-MD5, and HTTP-NG
  - From: "baldwin" <[email protected] (Robert W. Baldwin)>

Prev by Date: Re: CJR returned to sender
Next by Date: Re: /dev/random for FreeBSD [was: Re: /dev/random for Linux]
Prev by thread: Keyed-MD5, and HTTP-NG
Next by thread: Re: Keyed-MD5, and HTTP-NG
Index(es):
- Date
- Thread