1995-10-25 - RE: MD5 weakness ? [was Re: Netscape Log

Header Data

From: agermain@cmp.com (Germain Arthur)
To: hallam@w3.org (hallam)
Message Hash: 6d7f486e2cfc858853c4774d6bbaaab9f2089fa7dc844e5c4e4798e07d4cc7a5
Message ID: <1995Oct25.093455.1151.341099@smtpgate.cmp.com>
Reply To: N/A
UTC Datetime: 1995-10-25 13:35:18 UTC
Raw Date: Wed, 25 Oct 95 06:35:18 PDT

Raw message

From: agermain@cmp.com (Germain Arthur)
Date: Wed, 25 Oct 95 06:35:18 PDT
To: hallam@w3.org (hallam)
Subject: RE: MD5 weakness ? [was Re: Netscape Log
Message-ID: <1995Oct25.093455.1151.341099@smtpgate.cmp.com>
MIME-Version: 1.0
Content-Type: text/plain



I have unsubscribed from this mailing list. Please remove my name from   
your personal address lists. Thanks.

ahg3

 ----------
From:  hallam[SMTP:hallam@w3.org]
Sent:  Tuesday, October 24, 1995 1:14 PM
To:  Dr. Frederick B. Cohen; cypherpunks
Cc:  hallam
Subject:  Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by   
IETF]

Precedence: bulk


>As to weaknesses, I seem to remember that someone managed to forge a
>modification to a program used to observe networks on a Sun so that it
>had the same MD5 checksum as the official trusted version.  But whether
>this is real is not strictly the issue.

Ron has not mentioned such an event to me and if that were the case I   
would
seriously doubt that he would not have been told about it. The only   
comment
he
generally makes is that he wrote MD5 because "MD4 was making me nervous".

>In the case of the trust being placed in MD5 by Netscape, the assumption
>being made (without adequate support as far as I can tell) is that an
>MD5 checksum cannot be forced, through a chosen plaintext attack, to

Netscape do not simply use the MD5 of the message, they are using (as I
understand it) the PKCS#1 standard for makoing the signature. If not they   

probably have severe problems.

>There has been no limit given by anyone on this list to the level of
>trust they place in MD5.  Several people have posted (without
>contention) that MD5 is sufficiently trustworthy to trust billions of
>dollars in commerce to it's being able to prevent a selected plaintext
>attack as eluded to above.

NIST and the NSA trusted MD4 sufficiently to base SHA upon it. SHA is
preferable
in many ways to MD5, it has a different approach to extending the   
scheduling
and
resist differential cryptanalysis. There is a problem with the compressor   

function of MD5 which I dislike. This is fairly irrelevant though since   
SSL
allows other digests to be used.

 Phill






Thread