
Re: rsync and md4




> > Perry, as you are so fond of quoting Dobbertin, let me forward once again to 
> > the list Hans' analysis of the "crack" that he discovered.  He explicitly 
> > agrees with Mr. Ogren's analysis.
> 
> No, he doesn't. Dobbertin's privately circulated document is entitled
> "Cryptanalysis of MD5", not "Possible weaknesses in MD5". The MD4
> results were even more damning. It is true that the attacks aren't
> general, but they are bad enough that the key property of
> cryptographic hashes -- that it is computationally infeasible to
> produce two documents with the same hash (note that the property is
> NOT that you cannot produce a document with the same hash as a
> document selected by the opponent), has been broken. Chosen plaintext,
> in particular, is completely broken.
> 
> Dobbertin explicitly says that although there is no reason to panic,
> that MD5 is not to be trusted.
> 
> I quote from your quote of Dobbertin:
> 
>       5. My conclusions are: no reason for panic, but in future
>       implementations better move away from MD5.
> 
> > Yes it is prudent to move away from MD5.  But there are still plenty
> > of uses where it is more than sufficient.
> 
> Yeah, like if you are looking for a wacky checksum and not a
> cryptographic hash.
> 
> Look the point is that Ogren seems to think this is some sort of a
> minor technicality and that we can safely ignore it most of the
> time. That's simply not prudent. Once you find that the key properties
> of your cryptographic hash have fallen and you have to be
> exceptionally careful about what you put through the hash lest an
> attacker somehow influence it, you've lost the game. MD5 is no longer
> trustworthy. I agree that one needn't run screaming in the streets,
> but Ogren made it sound as though this wasn't a matter of
> concern. That's simply wrong. Saying that leads people to a completely
> incorrect conclusion.

I admit I am at a disadvantage having deleted the first few messages on this 
thread without actually reading them -- but when I am out one day and come 
back to 200+ cypherpunk messages of which perhaps 10 are relevant to 
cryptography, I get a little quick with the delete.  However, I am assuming
from the stated speed requirement that the original query was intended for 
just such a hashing scheme.  I interpreted Ogren's comments along the lines
of "choose an algorithm based upon a best fit for the requirements, where
security is just one of the requirements (although the most important)" 
(quotes used to indicate paraphrasing rather than actual quote).  If these
assumptions are valid, then he is quite correct, for a blanket condemnation
of MD5 is unwarranted.  If the intended application is for use with 
signatures, then I too would be quite leery of MD5 -- but only if I am
signing a document that I did not originate OR I need to ensure the
validity of the signature for longer than 12 months.  Condemning an 
application of MD5 without understanding the specific requirements placed 
upon the hashing algorithm is unjustified.  Complacently accepting the 
strength of the algorithm for all applications based upon recent findings 
is foolish.

Charles Watt
SecureWare
