From: Charles Watt <watt@sware.com>
To: perry@piermont.com
Message Hash: 0ec23110aa56654167d773be4731dd298f2d4a0beb0b5ed2bc50b720a3378748
Message ID: <9607011452.AA15989@mordred.sware.com>
Reply To: <199607011419.KAA20986@jekyll.piermont.com>
UTC Datetime: 1996-07-01 19:54:39 UTC
Raw Date: Tue, 2 Jul 1996 03:54:39 +0800
From: Charles Watt <watt@sware.com>
Date: Tue, 2 Jul 1996 03:54:39 +0800
To: perry@piermont.com
Subject: Re: rsync and md4
In-Reply-To: <199607011419.KAA20986@jekyll.piermont.com>
Message-ID: <9607011452.AA15989@mordred.sware.com>
MIME-Version: 1.0
Content-Type: text
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG
A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj
dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw
MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl
Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT
DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB
AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf
1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA
A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK
aTxjgASxqHhzkx7PkOnL4JrN+Q==
MIC-Info: RSA-MD5,RSA,
BmSwniu8gUasZa1TjPkW32wDQoVcczj8fKdr0iBciiZtHKyz1xXgeHgBI9V0oV8h
dwcOLMC8bbAL39VVNkGHlxw=
> > Perry, as you are so fond of quoting Dobbertin, let me forward once again to
> > the list Hans' analysis of the "crack" that he discovered. He explicitly
> > agrees with Mr. Ogren's analysis.
>
> No, he doesn't. Dobbertin's privately circulated document is entitled
> "Cryptanalysis of MD5", not "Possible weaknesses in MD5". The MD4
> results were even more damning. It is true that the attacks aren't
> general, but they are bad enough that the key property of
> cryptographic hashes -- that it is computationally infeasable to
> produce two documents with the same hash (note that the property is
> NOT that you cannot produce a document with the same hash as a
> document selected by the opponent), has been broken. Chosen plaintext,
> in particular, is completely broken.
>
> Dobbertin explicitly says that although there is no reason to panic,
> that MD5 is not to be trusted.
>
> I quote from your quote of Dobbertin:
>
> 5. My conclusions are: no reason for panic, but in future
> implementations better move away from MD5.
>
> > Yes it is prudent to move away from MD5. But there are still plenty
> > of uses where it is more than sufficient.
>
> Yeah, like if you are looking for a wacky checksum and not a
> cryptographic hash.
>
> Look the point is that Ogren seems to think this is some sort of a
> minor technicality and that we can safely ignore it most of the
> time. Thats simply not prudent. Once you find that the key properties
> of your cryptographic hash have fallen and you have to be
> exceptionally careful about what you put through the hash lest an
> attacker somehow influence it, you've lost the game. MD5 is no longer
> trustworthy. I agree that one needn't run screaming in the streets,
> but Ogren made it sound as though this wasn't a matter of
> concern. Thats simply wrong. Saying that leads people to a completely
> incorrect conclusion.
I admit I am at a disadvantage having deleted the first few messages on this
thread without actually reading them -- but when I am out one day and come
back to 200+ cypherpunk messages of which perhaps 10 are relevant to
cryptography, I get a little quick with the delete. However, I am assuming
from the stated speed requirement that the original query was intended for
just such a hashing scheme. I interpretted Ogren's comments along the lines
of "choose an algorithm based upon a best fit for the requirements, where
security is just one of the requirements (although the most important)"
(quotes used to indicate paraphrasing rather than actual quote). If these
assumptions are valid, then he is quite correct, for a blanket condemnation
of MD5 is unwarranted. If the intended application is for use with
signatures, then I too would be quite leary of MD5 -- but only if I am
signing a document that I did not originate OR I need to ensure the
validity of the signature for longer than 12 months. Condemning an
application of MD5 without understanding the specific requirements placed
upon the hashing algorithm is unjustified. Complacently accepting the
strength of the algorithm for all applications based upon recent findings
is foolish.
Charles Watt
SecureWare
-----END PRIVACY-ENHANCED MESSAGE-----
Return to July 1996
Return to ““Perry E. Metzger” <perry@piermont.com>”