ietf-openpgp

Re: MD5 warning

2004-08-21 14:55:02

On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
> * David Shaw wrote:
> > That said, the security considerations section of the draft currently
> > has some language mildly discouraging the use of MD5 ("The MD5 hash
> > algorithm has been found to have weaknesses (pseudo-collisions in the
> > compress function) that make some people deprecate its use.  They
> > consider the SHA-1 algorithm better.")  Can we make this stronger, and
> > deprecate MD5 use for OpenPGP in general?
>
> Not necessary. All known attacks do not impose a direct risk to MD5-based
> OpenPGP issues.

True, but would you recommend using MD5 these days?  The time to
deprecate it is before it is completely broken, and the attacks do
pose a direct risk.

MD5 showed some signs of weakness a few years ago.  A few days ago, it
showed some pretty serious problems.  Let's let it go now while it is
relatively easy to do so.

To put my suggestion into a specific proposal for the draft:

In section 9.4, add a note indicating that hash algorithm 1 is MD5,
but MD5 is deprecated, and SHOULD NOT be used.

In section 13, rephrase the current mild note about MD5 to be stronger
and cite the paper giving the MD5 collisions.

David
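The proposal above is that hash algorithm 1 (MD5) be marked deprecated and SHOULD NOT be used. What that means for an implementation is a policy check on the hash-algorithm octet of every signature packet it verifies. The following is an added example, not code from the thread or from any OpenPGP implementation: it parses the packet header and the fixed leading fields of v3 and v4 signature packets (layout per RFC 2440 sections 4.2 and 5.2), reads the hash-algorithm ID, and rejects MD5. The `build_v3_signature`/`build_v4_signature` helpers, the dummy MPIs and timestamp they emit, and the `DEPRECATED_HASH_IDS` policy set are all constructed for this example and are not part of the draft.

```python
"""Policy check on the hash algorithm of an OpenPGP signature packet.

Added example for the MD5-deprecation proposal; not code from the thread.
Packet layouts follow RFC 2440 (old/new-format headers, v3/v4 signatures).
The sample packets built below are constructed test data with dummy MPIs.
"""

import struct

# Hash algorithm IDs from the OpenPGP registry (RFC 2440 section 9.4).
HASH_ALGORITHMS = {
    1: "MD5",
    2: "SHA-1",
    3: "RIPEMD-160",
    8: "SHA-256",
    9: "SHA-384",
    10: "SHA-512",
}

# Assumed local policy for this example: MD5 is deprecated and refused.
DEPRECATED_HASH_IDS = {1}


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for an old- or new-format header."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:  # new-format header: tag in low 6 bits
        tag = first & 0x3F
        l0 = data[1]
        if l0 < 192:
            return tag, 2, l0
        if l0 < 224:
            return tag, 3, ((l0 - 192) << 8) + data[2] + 192
        if l0 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported here")
    tag = (first >> 2) & 0x0F  # old-format header: tag in bits 2-5
    ltype = first & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length not supported here")


def signature_hash_algorithm(packet):
    """Return the hash-algorithm ID of a v3 or v4 signature packet (tag 2)."""
    tag, off, length = parse_packet_header(packet)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature")
    body = packet[off:off + length]
    version = body[0]
    if version == 3:
        # v3: version, hashed-material length (must be 5), signature type,
        # 4-octet creation time, 8-octet key ID, public-key alg, hash alg.
        if body[1] != 5:
            raise ValueError("bad v3 hashed-material length")
        return body[16]
    if version == 4:
        # v4: version, signature type, public-key alg, hash alg, subpackets...
        return body[3]
    raise ValueError(f"unsupported signature version {version}")


def check_signature_policy(packet):
    """Return (accepted, reason) for the packet under the assumed policy."""
    hid = signature_hash_algorithm(packet)
    name = HASH_ALGORITHMS.get(hid, f"unknown({hid})")
    if hid in DEPRECATED_HASH_IDS:
        return False, f"hash algorithm {hid} ({name}) is deprecated and SHOULD NOT be used"
    if hid not in HASH_ALGORITHMS:
        return False, f"hash algorithm {hid} is not registered"
    return True, f"hash algorithm {hid} ({name}) accepted"


def build_v4_signature(hash_alg, sig_type=0x00, pk_alg=17):
    """Constructed v4 signature packet (DSA = alg 17): no subpackets, dummy
    left-16-bits and two 1-bit dummy MPIs, wrapped in an old-format header."""
    body = bytes([4, sig_type, pk_alg, hash_alg])
    body += b"\x00\x00" + b"\x00\x00"          # hashed / unhashed subpacket lengths
    body += b"\xab\xcd"                        # left 16 bits of the hash (dummy)
    body += b"\x00\x01\x01" + b"\x00\x01\x01"  # dummy MPIs r, s
    return bytes([0x88, len(body)]) + body     # 0x88 = old format, tag 2, 1-octet len


def build_v3_signature(hash_alg, sig_type=0x00, pk_alg=17):
    """Constructed v3 signature packet with a new-format header."""
    body = bytes([3, 5, sig_type]) + b"\x41\x27\x3b\xf2"  # constructed 2004 timestamp
    body += b"\x00" * 8 + bytes([pk_alg, hash_alg])        # dummy key ID, algs
    body += b"\xab\xcd" + b"\x00\x01\x01" + b"\x00\x01\x01"
    return bytes([0xC2, len(body)]) + body                  # 0xC2 = new format, tag 2


if __name__ == "__main__":
    for pkt in (build_v4_signature(1), build_v4_signature(2), build_v3_signature(1)):
        print(check_signature_policy(pkt))
```

The check deliberately runs before any MPI or subpacket parsing, so a signature over a deprecated hash is refused without the verifier ever computing that hash.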

