MD5 To Be Considered Harmful Someday

John Kelsey kelsey.j at ix.netcom.com
Wed Dec 8 09:24:41 EST 2004


>From: "James A. Donald" <jamesd at echeque.com>
>Sent: Dec 7, 2004 6:57 PM
>To: cryptography at metzdowd.com
>Subject: MD5 To Be Considered Harmful Someday

>But even back when I implemented Crypto Kong, the orthodoxy was
>that one should use SHA1, even though it is slower than MD5, so
>it seems to me that MD5 was considered harmful back in 1997,
>though I did not know why at the time, and perhaps no one knew
>why.

The MD5 pseudocollision paper was published in 1994, and Dobbertin's full collisions for MD5's compression function were published in 1996, so there was plenty of reason by 1997 to want to move to a different hash function.  People who stuck with MD5 for collision resistance after that were demonstrating seriously bad judgement, since the only argument left for MD5's security was "well, but nobody's published a way to exploit the attack on full messages yet."

>         James A. Donald

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
