Re: Crypto Mini-FAQ
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: Mon, 19 Jan 2004 04:41:48 +0000 (UTC)
Roger Schlafly wrote:
>1. There are lots of low-security apps for which MD5 is fine.
Yup, but SHA1 is also fine for those. The general rule of thumb
that says "use SHA1" is fine for these settings.
>2. Even if it becomes easy to find MD5 collisions, then it might still
>be fine for some apps in which people write their own messages.
>As far as we know, no one has any idea how to attack the problem
>of finding Y, given X, such that MD5(Y)=MD5(X).
Maybe, but in practice, you usually can't rely on users to write their
own messages. In most cases, it's probably easy to trick the typical
user into using a message written by someone else. Consequently, this
is not much of a saving grace. For future systems, it seems safer to
avoid relying on user behavior at all, and simply use SHA1.
>3. A hash function is not "broken" just because the author of a
>competing hash function thinks that it is "at the edge". (Dobbertin
>is a coauthor of RIPEMD.)
I'm not sure that's quite fair, though I do agree that such comments
have to be evaluated with care and with examination of context. In
this case, I'm inclined to agree with Dobbertin, but you can draw your
own conclusions. Certainly Dobbertin and others were right in their
predictions, after early results about MD4 came to light, that MD4 would
fall; it eventually did.
It's also worth noting that RSA Labs themselves caution against
using MD5 for future applications, and recommend gradually swapping
it out of existing applications. This recommendation dates back to
`Given the surprising speed with which techniques on MD4 were extended to
MD5, we feel that it is only prudent to draw a cautious conclusion and to
expect that collisions for the entire hash function might soon be found.''
-- RSA Laboratories Security Bulletin #4
Given that RSA Labs is in some sense the owner of MD5, and were
originally one of the primary proponents of MD5, this statement is
>Consider this analogy. There are reputable cryptographers who have
>published attacks on reduced-round versions of AES, and there
>are those who think that AES is at the edge because it doesn't
>have enough rounds. I don't know whether they are right or not,
>but it certainly doesn't justify a conclusion that AES is "broken".
First, I'm not saying MD5 is "broken" (though some others are,
I agree with you that this is a little misleading).
Second, it seems to me the situation with MD5 is not analogous.
If Vincent Rijmen or Joan Daemen said that AES is "at the edge"
or recommended against using AES in future systems, I'd tend to
take that advice pretty seriously. When RSA Labs recommends against
using MD5 in future systems, I treat that as significant, too.
This is not just some lone cryptographer out to advance his own
design by finding academic attacks on his competitors.
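The distinction the thread turns on, collisions (the attacker chooses both messages) versus second preimages (one message is fixed by someone else), can be made concrete with a toy hash. The following is an added example, not part of the original post: it truncates SHA-1 to a few bits so that both search problems finish in seconds, then counts how many trials each takes. The `toy_hash`, `find_collision` and `find_second_preimage` names and the sample messages are constructed for this illustration. On real MD5 the collision side is the one that was weakened, and Wagner's point is that an attacker who can get a victim to sign or accept an attacker-written message only needs the collision case.

```python
import hashlib
import itertools


def toy_hash(data: bytes, nbits: int = 20) -> int:
    """Truncated SHA-1 used as a stand-in hash: keep only the leading nbits bits.

    A short output makes the generic attacks cheap enough to run here; the
    relative cost of the two problems is the point, not the hash itself.
    """
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - nbits)


def expected_trials(nbits: int) -> tuple[int, int]:
    """Generic work factors: ~2^(n/2) for a collision, ~2^n for a second preimage."""
    return 2 ** (nbits // 2), 2 ** nbits


def find_collision(nbits: int = 20) -> tuple[bytes, bytes, int]:
    """Birthday search where the attacker controls both messages.

    Returns (msg_a, msg_b, trials) with msg_a != msg_b and equal toy hashes.
    The messages are constructed throwaway strings.
    """
    seen: dict[int, bytes] = {}
    for i in itertools.count():
        msg = b"attacker-controlled-%d" % i  # constructed candidate
        h = toy_hash(msg, nbits)
        if h in seen:  # earlier message with same digest: a collision
            return seen[h], msg, i + 1
        seen[h] = msg


def find_second_preimage(target: bytes, nbits: int = 16) -> tuple[bytes, int]:
    """Second-preimage search: the target message is fixed by someone else.

    Returns (msg, trials) with msg != target and toy_hash(msg) == toy_hash(target).
    Candidates cannot be reused across targets, so there is no birthday shortcut.
    """
    want = toy_hash(target, nbits)
    for i in itertools.count():
        msg = b"candidate-%d" % i  # constructed candidate, never equals target
        if msg != target and toy_hash(msg, nbits) == want:
            return msg, i + 1


if __name__ == "__main__":
    n = 20
    a, b, trials = find_collision(n)
    print(f"{n}-bit collision after {trials} trials (expected ~{expected_trials(n)[0]})")
    print(f"  {a!r} and {b!r} -> {toy_hash(a, n):#x}")

    victim_msg = b"message written by the victim"  # constructed sample
    m, trials = find_second_preimage(victim_msg, n)
    print(f"{n}-bit second preimage after {trials} trials (expected ~{expected_trials(n)[1]})")
    print(f"  {m!r} -> {toy_hash(m, n):#x}")
```

Run with a 20-bit output and the collision typically appears after on the order of a thousand trials, while the second preimage needs on the order of a million. Scaling this to MD5's 128 bits is why a practical collision method, on its own, says nothing about the "given X, find Y" problem; the defensive conclusion is the same as in the post: do not design a system whose safety depends on the attacker being unable to influence which message gets hashed.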