MD5 considered harmful today, SHA-1 considered harmful tomorrow

Jon Callas jon at callas.org
Tue Jan 20 13:04:52 EST 2009


> I have a general outline of a timeline for adoption of new crypto  
> mechanisms (e.g. OAEP, PSS, that sort of thing, and not specifically  
> algorithms) in my Crypto Gardening Guide and Planting Tips, http://www.cs.auckland.ac.nz/~pgut001/pubs/crypto_guide.txt, 
> see "Question J" about 2/3 of the way down.  It's not meant to be  
> definitively accurate for all cases but was created as a rough  
> guideline for people proposing to introduce new crypto mechanisms to  
> give an idea of how long they should expect to wait to see them  
> adopted.

I've always been pleased with your answer to Question J, so I'll say  
what we're doing at PGP.

We deprecated MD5 in '97. One of the main points of the new  
formats that became OpenPGP was that agility has its own challenges,  
but it's worth it.

We had a meeting recently to look at what we're going to do. Our first  
thoughts were that we would scrub MD5 from the UI and be done with it.  
Then we realized that we need to leave enough of the old UI so that  
people can *remove* MD5 from their use.

We decided that we'll issue warnings in the annotations when we verify  
MD5 signatures. We can't stop verifying them, but we'll do an  
equivalent to what we do with 40-bit crypto in S/MIME. (40-bit still  
harries S/MIME; it's really a pity that we have to deal with it. Our  
solution is that 40-bit crypto is just a fancy form of plaintext. We  
decode it the way we decode quoted-printable, base64, and other fancy  
forms of plaintext.) We debated removing it from the APIs, and  
concluded that that is asking for trouble, because someone will need  
to do that for diagnostic and testing purposes.

We've started deprecating the 160-bit hashes. There will be comments  
in the UI for both SHA-1 and RIPE-MD/160. We think NIST's advice for  
phasing them out next year is just fine, and so we'll start really  
phasing them out next year.

Lastly, we considered other options for hash algorithms. Presently,  
it's too early to do anything, but we'll look at it again when we do  
more work on the 160-bit hashes.

	Jon
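The split described above, where old signatures stay verifiable but carry a warning while the UI only offers current hashes for creating new ones, as an added Python example (not PGP's code). The policy table, the status strings and the use of a bare digest comparison in place of the public-key step are assumptions made for illustration.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

# Hypothetical policy: which hashes may be used when *creating* a signature,
# and which annotation is attached when *verifying* an existing one.
SIGN_ALLOWED = {"sha256", "sha512"}
VERIFY_NOTES = {
    "md5": "WARNING: MD5 signature; MD5 is deprecated and should not be trusted",
    "sha1": "NOTE: SHA-1 is being phased out; re-sign with a stronger hash",
    "ripemd160": "NOTE: RIPE-MD/160 is being phased out; re-sign with a stronger hash",
}


@dataclass
class VerifyResult:
    status: str                 # "valid", "invalid" or "unsupported"
    algorithm: str
    notes: list = field(default_factory=list)


def digest_of(data: bytes, algorithm: str):
    """Digest of data, or None if this build does not provide the algorithm."""
    try:
        h = hashlib.new(algorithm, usedforsecurity=False)
    except (ValueError, TypeError):
        return None
    h.update(data)
    return h.digest()


def verify_with_policy(data: bytes, algorithm: str, claimed: bytes) -> VerifyResult:
    """Always attempt verification (old signatures must remain checkable so
    they can be found and replaced), but annotate the result per policy.
    The claimed digest stands in for the signed hash of a real signature."""
    algorithm = algorithm.lower()
    actual = digest_of(data, algorithm)
    if actual is None:
        return VerifyResult("unsupported", algorithm, ["hash algorithm not available"])
    status = "valid" if hmac.compare_digest(actual, claimed) else "invalid"
    result = VerifyResult(status, algorithm)
    if algorithm in VERIFY_NOTES:
        result.notes.append(VERIFY_NOTES[algorithm])
    return result


def allowed_for_signing(algorithm: str) -> bool:
    """Sign-time allowlist: the UI offers only current hashes for new signatures."""
    return algorithm.lower() in SIGN_ALLOWED
```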
