
Thread: HMAC-MD5




HMAC-MD5
user name
2006-03-29 08:51:08
I agree with Steven's "I'd rather avoid HMAC-MD5, just as a matter of future-proofing". And more.
I am nearly sure that a preimage attack (MD5) will be found in the next two or three years.

Vlastimil Klima
http://cryptography.hyperlink.cz

----- ORIGINAL MESSAGE -----
From: "Steven M. Bellovin" <smbcs.columbia.edu>
To: "Russ Housley" <housleyvigilsec.com>
Subject: Re: [Cfrg] HMAC-MD5
Date: 29.3.2006 - 1:11:25

> On Tue, 28 Mar 2006 16:20:59 -0500, Russ Housley <housleyvigilsec.com> wrote:
> 
> > At the SAAG session last week, Sam and I were asked about HMAC-MD5.  Is it safe to keep using it?  Should we encourage people to use HMAC-SHA1 or HMAC-SHA256 instead?  Why?
> > 
> > Please provide advice on this matter in the next two weeks.  We have one working group that needs this advice very soon.
> > 
> There are no risks from HMAC-MD5 from collision attacks.  Hash function design has suddenly become a very hot topic, though.  Collision-finding attacks on MD5 have gotten a lot faster, and people are starting to look very hard at the basic design.  I personally will not be surprised if a preimage attack is found in the next two or three years, in which case all bets are off.  (I've made this statement before; others have disagreed with me on the likelihood of collision attacks.) I'd rather avoid HMAC-MD5, just as a matter of future-proofing.
> 
> 
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
> 
> _______________________________________________
> Cfrg mailing list
> Cfrgietf.org
> https://www1.ietf.org/mailman/listinfo/cfrg
> 


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomometzdowd.com
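The construction the thread is debating, written out so the two points above are visible: the key occupies the first block of both hash calls (the ipad and opad blocks), which is why a collision attack on the bare hash does not directly carry over to the MAC, and swapping MD5 for SHA-1 or SHA-256 is a one-argument change. This is an added example for this archive page, not code from any of the posters; the key and message values are constructed samples, and the stdlib `hmac` module is used only as a cross-check.

```python
import hashlib
import hmac

# RFC 2104 HMAC built on top of hashlib so every step of the construction is visible.
# Added illustration for this thread, not code from any poster; sample inputs are constructed.


def hmac_from_scratch(key: bytes, msg: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), where K' is K padded
    to the hash's block size (64 bytes for MD5, SHA-1 and SHA-256)."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size
    if len(key) > block_size:              # keys longer than one block are hashed down first
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")   # then zero-padded to exactly one block
    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)
    inner = h(ipad_key + msg).digest()     # attacker-controlled data only ever follows a keyed block
    return h(opad_key + inner).digest()


def matches_stdlib(key: bytes, msg: bytes, hash_name: str) -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    return hmac_from_scratch(key, msg, hash_name) == hmac.new(key, msg, hash_name).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Receiver-side check; compare_digest avoids leaking the tag through timing."""
    return hmac.compare_digest(hmac_from_scratch(key, msg, hash_name), tag)


def tag_lengths(key: bytes, msg: bytes) -> dict:
    """Tag size is simply the underlying digest size: 16, 20 or 32 bytes."""
    return {name: len(hmac_from_scratch(key, msg, name)) for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    KEY = b"constructed-sample-key"          # constructed sample, not a real secret
    MSG = b"GET /api/v1/status"              # constructed sample message
    for name in ("md5", "sha1", "sha256"):
        print(name, hmac_from_scratch(KEY, MSG, name).hex(), matches_stdlib(KEY, MSG, name))
    print(tag_lengths(KEY, MSG))
```

The `hash_name` parameter is the whole migration story from the receiver's point of view: the padding, the ipad/opad XOR and the nested hashing are identical for all three functions, so moving a protocol off HMAC-MD5 is a matter of agreeing on the new digest and tag length, not of redesigning the MAC.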
HMAC-MD5
user name
2006-03-29 19:01:37
On Wed, Mar 29, 2006 at 10:51:08AM +0200, vlastimil.klimavolny.cz wrote:

> I am nearly sure that a preimage attack (MD5) will be found in the next two or three years.

Is there already evidence of progress in that direction?

-- 
	Viktor.

HMAC-MD5
user name
2006-03-30 20:38:46
I think that we have the "evidence". The security of MD5 depends heavily on a lot of nonlinearities in functions F, G, I and on carries in arithmetic additions. Nonlinearities in F, G, I are bitwise and very weak. Carries are much stronger, but the collision attacks showed that it is possible to control them also. New differential schemes (paths) could be proposed, new ways of controlling the interior variables of MD5 could be discovered. It could lead to the second preimage attacks and maybe further.

Vlastimil Klima
 

----- ORIGINAL MESSAGE -----
From: "Victor Duchovni" <Victor.DuchovniMorganStanley.com>
To: cryptographymetzdowd.com
Subject: Re: [Cfrg] HMAC-MD5
Date: 29.3.2006 - 21:14:06

> On Wed, Mar 29, 2006 at 10:51:08AM +0200, vlastimil.klimavolny.cz wrote:
> 
> > I am nearly sure that a preimage attack (MD5) will be found in the next two or three years.
> 
> Is there already evidence of progress in that direction?
> 
> -- 
> Viktor.
> 


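The post above makes a concrete structural claim: the nonlinear functions F, G, I (and the linear H) of MD5 act bit-by-bit, so all cross-bit mixing inside a step comes from the carries of modular addition (and the rotation). The check below, an added example for this archive page and not code from the poster, implements the four round functions and a 32-bit add and tests that claim directly: flipping one input bit of F, G, H or I can only ever change the same output bit, whereas flipping one bit of an addend can change up to all 32 bits of the sum. The random inputs are constructed with a fixed seed.

```python
import random

# The four MD5 round functions, exactly as RFC 1321 defines them on 32-bit words.
# Added example for this thread, not code from the poster; inputs below are constructed.
MASK = 0xFFFFFFFF


def F(x, y, z):
    return (x & y) | (~x & MASK & z)


def G(x, y, z):
    return (x & z) | (y & ~z & MASK)


def H(x, y, z):
    return x ^ y ^ z


def I(x, y, z):
    return y ^ (x | (~z & MASK))


def add32(a, b):
    """Modular addition as used between steps; carries travel toward the high bits."""
    return (a + b) & MASK


def changed_bits(before, after):
    return bin((before ^ after) & MASK).count("1")


def is_bitwise(fn, trials=200, seed=1) -> bool:
    """True if flipping input bit i never changes any output bit other than bit i,
    i.e. the function's nonlinearity is confined to each bit position."""
    rng = random.Random(seed)
    for _ in range(trials):
        args = [rng.getrandbits(32) for _ in range(3)]
        base = fn(*args)
        for pos in range(3):
            for i in range(32):
                flipped = list(args)
                flipped[pos] ^= 1 << i
                if (fn(*flipped) ^ base) & ~(1 << i) & MASK:
                    return False
    return True


def carry_spread(a, b, i) -> int:
    """How many output bits of a+b (mod 2^32) change when bit i of a is flipped."""
    return changed_bits(add32(a, b), add32(a ^ (1 << i), b))


def max_carry_spread(trials=1000, seed=2) -> int:
    """Worst-case spread seen over random addends: a single flipped bit can ripple
    through a long carry chain, which is the diffusion the round functions lack."""
    rng = random.Random(seed)
    best = 0
    for _ in range(trials):
        a, b, i = rng.getrandbits(32), rng.getrandbits(32), rng.randrange(32)
        best = max(best, carry_spread(a, b, i))
    return best


if __name__ == "__main__":
    for fn in (F, G, H, I):
        print(fn.__name__, "bitwise:", is_bitwise(fn))
    print("flip bit 0 of 0x7FFFFFFF before adding 1 ->", carry_spread(0x7FFFFFFF, 1, 0), "bits change")
    print("max spread over random addends:", max_carry_spread())
```

The contrast is the point of the post: because F, G, H, I contribute no cross-bit diffusion, a differential path through MD5 only has to account for the carries and rotations, which is what made the carries the thing collision attacks learned to control.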