Cryptographically Strong Software Distribution HOWTO

Jon Callas jon at callas.org
Mon Jul 2 17:42:03 EDT 2001


In our last episode ("Re: Cryptographically Strong Software Distribution
HOWTO", shown on 7/2/01), Kent Crispin said:

>Any references for either the weaknesses of md5, or what the IETF has to
>say on the issue?
>

Hans Dobbertin found some weaknesses in MD5 in 1996. I found two quickie
references, a note by Dobbertin on the issue:

http://www.math.ohio-state.edu/~fiedorow/PGP/MD5_discussion

and his paper on the weaknesses:

http://www.cs.ucsd.edu/users/bsy/dobbertin.ps

The short answer is that he found weaknesses in MD5 similar to the
weaknesses found in MD4 before it was broken. The message since then has
been "don't panic, but use a newer algorithm for new work." (In fact, the
Dobbertin note above says not to panic, but start looking for better
algorithms.)

The answer is that you SHOULD (in IETF terms, see RFC 2119,
<http://www.ietf.org/rfc/rfc2119.txt> for a definition of MAY, SHOULD,
MUST, etc.) use SHA-1. In plain language, what this means is that if you
don't know when to use MD5 and when to use SHA1, then use SHA1. If you pick
MD5, be prepared to answer people when they ask why you did. If for some
reason you don't want to use SHA1, look at RIPE-MD160. If you don't like
either of them, there are other choices, but we now start getting into
subtlety and taste.

On the other hand, in the intervening five years, we haven't seen a break
in MD5 appear. So maybe it's not as bad as we thought. Nonetheless, if you
have a choice and you don't know what to do, pick SHA1. At the very least,
no one will send you an email that starts, "Why did you use MD5? Don't you
know that Hans Dobbertin...."

	Jon
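The advice above (verify a distribution against SHA-1, fall back to RIPEMD-160, and treat an MD5-only digest as weak rather than as proof) can be turned into a small verifier. The following is an added example, not code from the post or from any project it mentions; the two-column "ALGORITHM hexdigest" manifest format, the function names and the sample data are assumptions made here for illustration.

```python
"""Verify a downloaded file against a published digest manifest.

Preference order follows the post: SHA-1 first, then RIPEMD-160, and an
MD5-only manifest is reported as "weak" rather than as a clean pass.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Algorithms the post recommends for new work, in order of preference.
STRONG = ("sha1", "ripemd160")
# Algorithms the post says to move away from for new work.
WEAK = ("md5",)

# Constructed sample input: the bytes of a "distribution" and a manifest a
# vendor might publish for it.  The digests are those of b"hello world".
SAMPLE_DATA = b"hello world"
SAMPLE_MANIFEST = """\
# algorithm  hexdigest   (assumed manifest layout, one digest per line)
SHA1 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
MD5  5eb63bbbe01eeed093cb22bb8f5acdc3
"""


def file_digest(data: bytes, algorithm: str) -> Optional[str]:
    """Hex digest of data, or None if this Python/OpenSSL lacks the algorithm
    (RIPEMD-160 is missing from some OpenSSL 3 builds; MD5 from FIPS builds)."""
    try:
        h = hashlib.new(algorithm)
    except ValueError:
        return None
    h.update(data)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'ALGORITHM hexdigest' lines into {algorithm: hexdigest}.
    Blank lines and '#' comments are ignored; names are lower-cased."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alg, _, digest = line.partition(" ")
        entries[alg.strip().lower()] = digest.strip().lower()
    return entries


def verify(data: bytes, manifest: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, algorithm-or-reason).

    verdict is one of:
      "ok"         - a strong digest matched
      "weak"       - only a weak (MD5) digest was available, and it matched
      "mismatch"   - the first checkable digest did not match
      "unverified" - nothing in the manifest could be checked here
    Comparisons use hmac.compare_digest to avoid timing differences.
    """
    for alg in STRONG + WEAK:
        if alg not in manifest:
            continue
        actual = file_digest(data, alg)
        if actual is None:
            continue  # algorithm unavailable in this build; try the next one
        if not hmac.compare_digest(actual, manifest[alg]):
            return ("mismatch", alg)
        return ("ok" if alg in STRONG else "weak", alg)
    return ("unverified", "no usable digest in manifest")


if __name__ == "__main__":
    verdict, detail = verify(SAMPLE_DATA, parse_manifest(SAMPLE_MANIFEST))
    print(f"{verdict}: {detail}")
```

Because the strong algorithms are tried first, a manifest that lists both SHA-1 and MD5 is judged on the SHA-1 line; the MD5 line only matters when it is the sole digest, and then the caller sees "weak" and can decide whether to accept it.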




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com