[Cfrg] HMAC-MD5

John Kelsey kelsey.j at ix.netcom.com
Sat Apr 1 12:28:07 EST 2006


From: vlastimil.klima at volny.cz
>Sent: Mar 30, 2006 3:38 PM
>To: cryptography at metzdowd.com
>Subject: Re: [Cfrg] HMAC-MD5

>I think that we have the "evidence". The security of MD5 depends
>heavily on a lot of nonlinearities in functions F,G,I and on
>carries in arithmetic additions. Nonlinearities in F,G,I are
>bitwise and very weak. Carries are much stronger, but the collision
>attacks showed that it is possible to control them also.

The question is, can these still be controlled when the attacker
doesn't know the internal state of the chaining variables?  If not, we
may end up with second preimage attacks (which would finish off MD5
for most hashing applications!), but still not know how to attack
HMAC.  The attack model is really different!  

For what it's worth, though, I agree that we need to get rid of MD5
anywhere it's still in place, since the only thing we know about its
security is that it's a lot less than anyone expected it to be even a
year ago.  In fact, we should have started this when Dobbertin had his
free-start collision result.  If we had, we'd be able to regard the
devastating MD5 collisions we're seeing now in the same way we regard
devastating attacks on FEAL.  (If someone extends the best attack on
FEAL to 64 rounds, that will be cool, but nobody will be scrambling to
replace FEAL in their products and protocols.)

>Vlastimil Klima

--John Kelsey, NIST
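As an added illustration (not part of the thread above), here is the construction under discussion written out per RFC 2104 in Python: the key mixed into the first block of both the inner and the outer hash is what makes the chaining variable the message is absorbed under key-dependent, which is the difference in attack model Kelsey is pointing at. The digest is checked against the standard library and against the RFC 2202 test vector.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # MD5 compression-function block size in bytes


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 as defined in RFC 2104: H((K ^ opad) || H((K ^ ipad) || msg))."""
    # Keys longer than one block are first hashed down to 16 bytes.
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()
    # Keys shorter than one block are zero-padded to the block size.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # The inner hash's first compression call absorbs K ^ ipad, so the
    # chaining variable under which msg is hashed depends on K and is never
    # visible to someone who only sees (msg, tag) pairs.
    inner_key = bytes(b ^ 0x36 for b in key)
    outer_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(inner_key + msg).digest()
    # The outer hash re-keys the result, so the inner digest is not exposed either.
    return hashlib.md5(outer_key + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time check of a received tag against the recomputed one."""
    return hmac.compare_digest(hmac_md5(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check this implementation against Python's hmac module."""
    return hmac_md5(key, msg) == hmac.new(key, msg, "md5").digest()


if __name__ == "__main__":
    # RFC 2202 test case 1 for HMAC-MD5: key = 16 bytes of 0x0b, data "Hi There".
    key = b"\x0b" * 16
    print(hmac_md5(key, b"Hi There").hex())  # 9294727a3638bb1c13f48ef8158bfc9d
```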


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com