From: “David F. Ogren” <ogren@cris.com>
To: watt@sware.com
Message Hash: 364ba344bf7ee94a35fd1b2aa0b58c48a7f33e3d6dd99860fd580c83c8d11880
Message ID: <199607011700.NAA19537@darius.cris.com>
Reply To: N/A
UTC Datetime: 1996-07-01 22:32:05 UTC
Raw Date: Tue, 2 Jul 1996 06:32:05 +0800
From: "David F. Ogren" <ogren@cris.com>
Date: Tue, 2 Jul 1996 06:32:05 +0800
To: watt@sware.com
Subject: Re: rsync and md4
Message-ID: <199607011700.NAA19537@darius.cris.com>
MIME-Version: 1.0
Content-Type: text/plain
-----BEGIN PGP SIGNED MESSAGE-----
> Look the point is that Ogren seems to think this is some sort of a
> minor technicality and that we can safely ignore it most of the
> time. Thats simply not prudent. Once you find that the key properties
> of your cryptographic hash have fallen and you have to be
> exceptionally careful about what you put through the hash lest an
> attacker somehow influence it, you've lost the game. MD5 is no longer
> trustworthy. I agree that one needn't run screaming in the streets,
> but Ogren made it sound as though this wasn't a matter of
> concern. Thats simply wrong. Saying that leads people to a completely
> incorrect conclusion.
And I told myself I wouldn't respond to this thread anymore. Oh well. I
just don't want to be misinterpreted.
I never meant to imply (and don't think that I did), that the attacks
against MD5 were insignificant. As I said, I'm moving to SHA in any
software I develop from now on.
What I said was the attacks were insignificant in the application being
considered (rsync) and that MD5 was not completely broken. Come on, all
the guy wanted was a fast 128 bit checksum.
For example, I am still using PGP clearsigning which, of course, uses MD5.
Dobbertin indicates that his attack cannot be used against me as long as I
only sign messages that I create myself. Yes, PGP would work better with
SHA. I'd be able to sign documents that others created with (more)
certainty. But that doesn't mean that I should stop using PGP.
P.S. I apologize to the list for flooding this list recently.
Unfortunately, I took it a little too personally when Perry told me to
"stop spewing inaccurate information" and to "quit posting". It was late,
and I let him bait me more than I ordinarily would.
Now I find myself running in circles trying to make sure that I've made
myself clear and that no one else (other than Perry) is misintepreting what
I'm saying.
- --
David F. Ogren |
ogren@concentric.net | "A man without religion is like a fish
PGP Key ID: 0x6458EB29 | without a bicycle"
- ------------------------------|----------------------------------------
Don't know what PGP is? | Need my public key? It's available
Send a message to me with the | by server or by sending me a message
subject GETPGPINFO | with the subject GETPGPKEY
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBMdgDbuSLhCBkWOspAQGPeQf/QJB109Gjd3s/ALodykZgH0S6FCs3wHK7
OiTUpxBF5lwojhBSrz7ej1RnAW+Uq5Lcz/GyWqH6rvYPPI1uZ3023UAV3nqH8qXY
nnznPfvTkUQgSjaQu/YRvWlTWwrNsW/KIR6iVbwVDnbUnvuAjUJskWyAg1Wz4zIV
8PV8RnrHSTT06j5LrCtiD0eWr/NgmpgIFS5+ID5z9/ikMV6xF4zSrlubELFFJUUT
M3nZWDlr7SaU0hFLQt3yu6oSqAjKSGrPsU1QCJ/Y1zdS49R/cLIzOzbQ42R1Cyot
hMnAayTqNdUI/goa2WAbda3gYpRodTA2GpciNj7u3xs0Ik/1TIEqlw==
=4x7D
-----END PGP SIGNATURE-----
Return to July 1996
Return to ““David F. Ogren” <ogren@cris.com>”
1996-07-01 (Tue, 2 Jul 1996 06:32:05 +0800) - Re: rsync and md4 - “David F. Ogren” <ogren@cris.com>