1995-10-24 - Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF]

Header Data

From: hallam@w3.org
To: cypherpunks@toad.com
Message Hash: 3638e65dd9872d68861618c2555d649b55a504cb3086807cc831c99c087a3041
Message ID: <9510241714.AA22217@zorch.w3.org>
Reply To: <9510241442.AA12411@all.net>
UTC Datetime: 1995-10-24 17:15:03 UTC
Raw Date: Tue, 24 Oct 95 10:15:03 PDT

Raw message

From: hallam@w3.org
Date: Tue, 24 Oct 95 10:15:03 PDT
To: cypherpunks@toad.com
Subject: Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF]
In-Reply-To: <9510241442.AA12411@all.net>
Message-ID: <9510241714.AA22217@zorch.w3.org>
MIME-Version: 1.0
Content-Type: text/plain



>As to weaknesses, I seem to remember that someone managed to forge a
>modification to a program used to observe networks on a Sun so that it
>had the same MD5 checksum as the official trusted version.  But whether
>this is real is not strictly the issue. 

Ron has not mentioned such an event to me and if that were the case I would 
seriously doubt that he would not have been told about it. The only comment he 
generally makes is that he wrote MD5 because "MD4 was making me nervous".

>In the case of the trust being placed in MD5 by Netscape, the assumption
>being made (without adequate support as far as I can tell) is that an
>MD5 checksum cannot be forced, through a chosen plaintext attack, to

Netscape do not simply use the MD5 of the message, they are using (as I 
understand it) the PKCS#1 standard for makoing the signature. If not they 
probably have severe problems.

>There has been no limit given by anyone on this list to the level of
>trust they place in MD5.  Several people have posted (without
>contention) that MD5 is sufficiently trustworthy to trust billions of
>dollars in commerce to it's being able to prevent a selected plaintext
>attack as eluded to above. 

NIST and the NSA trusted MD4 sufficiently to base SHA upon it. SHA is preferable 
in many ways to MD5, it has a different approach to extending the scheduling and 
resist differential cryptanalysis. There is a problem with the compressor 
function of MD5 which I dislike. This is fairly irrelevant though since SSL 
allows other digests to be used.

	Phill




Thread