>>>>> "Steven" == Steven M Bellovin <smb@xxxxxxxxxxxxxxx> writes:

I'm currently writing a discuss on the md5 issue. At a minimum you will need to specify the complexity in order to deal with changing hash algorithms.

    Steven> More generally... The currently-known attacks on MD5 are
    Steven> collision attacks: it's possible to generate two inputs
    Steven> that produce the same hash value. This scenario requires
    Steven> a preimage attack; none are known. It would not surprise
    Steven> me if someone were to develop one, but until that happens
    Steven> we can't speculate on its properties. There are, however,

Actually, no, it's worse than that. A preimage attack is sufficient to break this. However, you cannot reduce a break of this system to a preimage attack.

We actually know very little about how much information hash functions leak. We can prove an upper bound on this given the assumption that they are one-way. If they leak too much information then they are not one-way and we can find preimages. However, I don't think we can say much more than that.

We can treat a hash function as a random oracle, and under that assumption it does not leak information. The random oracle assumption is much stronger than collision resistance. Collision resistance can certainly be reduced to random oracle. So, saying that you can find collisions actually is a very strong strike against the use of a particular hash function as a random oracle.

I am not happy with a protocol whose security depends on treating md5 as a random oracle.

--Sam

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
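The post's point is that collision resistance is the weakest of the three properties in play (collision resistance, preimage resistance, random-oracle behaviour), so a demonstrated collision is already a strong signal against relying on the stronger ones. The following added example (not code from the thread or from any IETF document) makes the cost gap between the two attack classes concrete on a constructed toy hash: SHA-256 truncated to `nbits` bits, so both searches finish in seconds. The functions `truncated_hash`, `find_collision`, `find_preimage` and `demo`, the `c:`/`p:` message prefixes and the "document to forge" target are all assumptions made up for the example. A birthday-style collision search needs roughly 2^(n/2) hash evaluations, while a brute-force preimage search needs roughly 2^n; the same asymmetry is what separates the two properties for a full-width hash.

```python
"""Collision search vs preimage search on a constructed toy hash.

The hash is SHA-256 truncated to `nbits` bits so that both searches run
quickly.  The observable gap (about 2**(nbits/2) evaluations for a
collision versus about 2**nbits for a preimage) is the generic gap between
breaking collision resistance and breaking preimage resistance.
"""
import hashlib
from typing import Dict, Optional, Tuple


def truncated_hash(data: bytes, nbits: int) -> int:
    """Toy hash: the top `nbits` bits of SHA-256(data), as an integer."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)


def find_collision(nbits: int) -> Tuple[bytes, bytes, int]:
    """Birthday search over counter-derived messages.

    Returns two distinct messages with equal truncated hash and the number
    of hash evaluations spent.  By the pigeonhole principle it terminates
    within 2**nbits + 1 evaluations; in practice it takes about 2**(nbits/2).
    """
    seen: Dict[int, bytes] = {}
    counter = 0
    while True:
        msg = b"c:" + counter.to_bytes(8, "big")   # constructed message space
        h = truncated_hash(msg, nbits)
        counter += 1
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg


def find_preimage(target: int, nbits: int, max_tries: int) -> Tuple[Optional[bytes], int]:
    """Brute-force preimage search for `target` over a message space that is
    disjoint from the collision search's (`p:` prefix instead of `c:`).

    Returns (message or None, hash evaluations spent).  Each try hits the
    target with probability 2**-nbits, so the expected cost is 2**nbits.
    """
    for counter in range(max_tries):
        msg = b"p:" + counter.to_bytes(8, "big")
        if truncated_hash(msg, nbits) == target:
            return msg, counter + 1
    return None, max_tries


def demo(nbits: int = 16) -> Dict[str, object]:
    """Run both searches at the same width and report the evaluation counts."""
    a, b, collision_tries = find_collision(nbits)
    assert a != b and truncated_hash(a, nbits) == truncated_hash(b, nbits)

    # A fixed target outside both search spaces (constructed for the demo).
    target = truncated_hash(b"document to forge", nbits)
    # 2**(nbits+4) tries bounds the search; the chance of missing a preimage
    # in that many independent tries is about e**-16.
    pre, preimage_tries = find_preimage(target, nbits, max_tries=1 << (nbits + 4))

    return {
        "nbits": nbits,
        "collision_tries": collision_tries,
        "preimage_tries": preimage_tries,
        "preimage_found": pre is not None,
    }


if __name__ == "__main__":
    print(demo(16))
```

Running `demo(16)` typically reports a collision after a few hundred evaluations and a preimage only after tens of thousands. The random-oracle property the post worries about is stronger still: it asks not only that preimages be expensive but that the output reveal nothing about the input at all, which no cost comparison like this one can establish.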