
Re: Updates on SRS crypto

2004-02-11 06:33:37
Shevek <spf(_at_)anarres(_dot_)org> [2004-02-11/12:09]:
* The vulnerability in MD5 is theoretical. However...
* Government departments have been told not to use MD5, therefore we must
  not use it if we want acceptance.

It is correct that MD5 has some (theoretical) weaknesses, and I would
not recommend building new cryptosystems with it.

However, as pointed out before, we are not building a security system.
We are just increasing the cost of spamming. Think economically.

* Shortening the hash will weaken the algorithm proportionately.

Yes, but only against forgery of a single valid hash, not against
recovering the secret. This is a very important difference. Remember,
there's very little to be gained by the former type of attack here,
compared to the cost. By shortening the hash, we do not make the attack
against our secret significantly easier, and that would be the only
attack which would really hurt us.

Please do correct me if I'm totally wrong here; I am certainly not a
mathematician.

* Being case insensitive will weaken the algorithm by 40%, as expected.
  I will consider case insensitivity to be an option.

Again, only against finding single valid hashes, not against recovering
the secret HMAC key.

I think the recommendation by SRS should be: use any cryptographically
strong MAC. HMAC with any of MD5, SHA-1, SHA-256, RIPEMD, Tiger, etc.
would all be just fine, and so would MAC constructs with a block cipher.

Cheers,
Dan


-- 
    Daniel Roethlisberger <daniel(_at_)roe(_dot_)ch>
    OpenPGP key id 0x804A06B1 (1024/4096 DSA/ElGamal)
    144D 6A5E 0C88 E5D7 0775 FCFD 3974 0E98 804A 06B1
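The argument in the message above separates two costs: forging one valid tag (which truncation and case folding make cheaper) and recovering the HMAC secret (which they do not touch). The following Python example is added here to make that concrete; it is not code from the thread or from any SRS implementation. The field layout fed to the HMAC, the NUL separators, the base64 tag encoding and the example secret are all assumptions chosen for the example, not details the page gives.

```python
import base64
import hashlib
import hmac

# Constructed example secret. A real deployment would use a long random value
# that never appears in a rewritten address.
EXAMPLE_SECRET = b"constructed-example-secret-not-for-use"


def srs_hash(secret: bytes, timestamp: str, domain: str, local: str,
             digest=hashlib.sha256, length: int = 4) -> str:
    """Return a truncated, base64-encoded HMAC tag over the SRS fields.

    The input layout (timestamp, domain, local-part joined by NUL, then
    lower-cased) is an assumption for this example. Lower-casing the input
    means an address whose case was altered in transit still yields the same
    tag. Any hash the thread lists works as ``digest``: the construction is
    HMAC, and the hash is only the underlying primitive.
    """
    msg = f"{timestamp}\x00{domain}\x00{local}".lower().encode("utf-8")
    tag = hmac.new(secret, msg, digest).digest()
    return base64.b64encode(tag).decode("ascii")[:length]


def verify_srs_hash(secret: bytes, timestamp: str, domain: str, local: str,
                    presented: str, *, case_insensitive: bool = False,
                    digest=hashlib.sha256, length: int = 4) -> bool:
    """Recompute the tag and compare it to the presented one in constant time.

    With case_insensitive=True the tag characters themselves are compared
    after case folding, the option discussed in the thread: it shrinks the
    space a forger must search for one valid tag but leaves the key alone.
    """
    expected = srs_hash(secret, timestamp, domain, local, digest, length)
    if case_insensitive:
        expected, presented = expected.lower(), presented.lower()
    # compare_digest returns False on a length mismatch without leaking timing.
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii"))


def forgery_work(alphabet_size: int, length: int) -> int:
    """Number of distinct tag values a forger must cover to guess one valid
    tag for a single address by exhaustive search. This is the quantity that
    truncation (smaller ``length``) and case folding (smaller
    ``alphabet_size``) reduce.
    """
    return alphabet_size ** length


def key_recovery_work(secret: bytes) -> int:
    """Number of candidate keys an attacker must search to recover the HMAC
    secret by brute force. It depends only on the key length, so neither
    tag truncation nor case folding changes it.
    """
    return 2 ** (8 * len(secret))


if __name__ == "__main__":
    tag = srs_hash(EXAMPLE_SECRET, "AB", "example.org", "alice")
    print("tag:", tag)
    print("verifies:", verify_srs_hash(EXAMPLE_SECRET, "AB", "example.org", "alice", tag))
    print("tag space, 4 base64 chars:", forgery_work(64, 4))
    print("key space, 16-byte secret:", key_recovery_work(b"0123456789abcdef"))
```

Swapping `digest` between `hashlib.md5`, `hashlib.sha1` and `hashlib.sha256` changes nothing about the verification logic, which is the point of recommending "any strong MAC": the choice of hash inside HMAC can follow policy, while the tag length and case handling are the parameters that actually trade forgery cost against address length.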

