1995-11-02 - Re: Keyed-MD5, and HTTP-NG

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: “baldwin” (Robert W. Baldwin) <baldwin@rsa.com>
Message Hash: 162735616b3610332ccae7097b104b7ad8a397c7f286843bbb997fb0029741d8
Message ID: <199511011820.NAA02107@jekyll.piermont.com>
Reply To: <9510018152.AA815244951@snail.rsa.com>
UTC Datetime: 1995-11-02 04:10:21 UTC
Raw Date: Thu, 2 Nov 1995 12:10:21 +0800

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Thu, 2 Nov 1995 12:10:21 +0800
To: "baldwin" (Robert W. Baldwin) <baldwin@rsa.com>
Subject: Re: Keyed-MD5, and HTTP-NG
In-Reply-To: <9510018152.AA815244951@snail.rsa.com>
Message-ID: <199511011820.NAA02107@jekyll.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



"baldwin" writes:
>         I also understand your being upset about not hearing about this
> attack the moment it was published.  Actually, as soon as RSA Labs confirmed
> the weakness we did call some of the editors of the IPsec specifications
> to let them know about it.  The consensus was that this was not a show
> stopper.

There were two names on the MD5 document -- mine and Bill
Simpson's. Bill didn't tell me that he was called (I suspect he would
have), and I wasn't called, either. We were the only two editors of
that portion of the specification.

Given that my name was on that document and that I made a large effort
to try to make sure that people examined the algorithms and thought
they were good, and that I have some of my reputation tied to that
document, I am rather unhappy at the fact that I only find out third
hand about what people in the field have determined about our selected
algorithm.

> The IPsec protocols could be rolled out as is.  Later, once a
> better authenticator had been developed and tested, it could be
> substituted for the existing one.  One of the excellent features of the
> IPsec specification is that new algorithms can be substituted easily
> (modulo a "small matter of programming").

I know. I was one of the designers. We all understood extremely well
that crypto algorithms become rapidly obsolete. However, we needed to
specify a reasonably strong baseline transform that would be widely
deployed. I was shocked at the level of trouble we had in getting the
cryptoweenies to successfully agree on a keyed hash based transform no
matter how long was spent on the topic. I've got to say that my
opinion of the academic crypto community dropped substantially after
the experience. I would have thought that people could at least have
agreed on what they knew and didn't know.  This was strikingly
different from my experience with other mathematical fields, in which
the experts seem to agree pretty readily about what is and isn't
known.

>         Perhaps your main complaint is that it took time for the attack
> to be confirmed by other researchers before the issue was brought to
> the IPsec authors.  That is another effect of the current state of the
> art in Cryptography, and an effect of the normal academic process.

People might have noted their suspicions to us. As engineers, we are
capable of avoiding something based on on suspected weakness without
solid confirmation -- we aren't trying to publish papers, we are
trying to get things to work.

Perry





Thread