I agree with Steven's "I'd rather avoid HMAC-MD5, just as a matter of future-proofing". And more. I am nearly sure that a preimage attack (MD5) will be found in the next two or three years.
Vlastimil Klima
http:/cryptography.hyperlink.cz

----- ORIGINAL MESSAGE -----
From: "Steven M. Bellovin" <[EMAIL PROTECTED]>
To: "Russ Housley" <[EMAIL PROTECTED]>
Subject: Re: [Cfrg] HMAC-MD5
Date: 29.3.2006 - 1:11:25

> On Tue, 28 Mar 2006 16:20:59 -0500, Russ Housley
> <[EMAIL PROTECTED]>
> wrote:
>
> > At the SAAG session last week, Sam and I were asked about
> > HMAC-MD5. Is it safe to keep using it? Should we encourage people
> > to use HMAC-SHA1 or HMAC-SHA256 instead? Why?
> >
> > Please provide advice on this matter in the next two weeks. We have
> > one working group that needs this advice very soon.
>
> There are no risks from HMAC-MD5 from collision attacks. Hash function
> design has suddenly become a very hot topic, though. Collision-finding
> attacks on MD5 have gotten a lot faster, and people are starting to
> look very hard at the basic design. I personally will not be
> surprised if a preimage attack is found in the next two or three
> years, in which case all bets are off. (I've made this statement
> before; others have disagreed with me on the likelihood of collision
> attacks.) I'd rather avoid HMAC-MD5, just as a matter of
> future-proofing.
>
> --Steven M. Bellovin, http://www.cs.columbia.edu/~smb
>
> _______________________________________________
> Cfrg mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/cfrg

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
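The "future-proofing" advice in the thread above is, in practice, a question of hash agility: if a protocol tags every MAC with the hash it was computed under, migrating from HMAC-MD5 to HMAC-SHA256 means changing a default and later switching off the legacy name, rather than redesigning the verifier. The following Python is an added illustration written for this page, not code from either author or from any IETF working group; the tag format ("algo:hexdigest"), the function names and the sample key and message are all constructed for the example.

```python
import hashlib
import hmac

# Hash to use for every newly produced tag (constructed policy for this example).
PREFERRED = "sha256"
# Hashes still accepted on verification while old peers are migrated; empty this
# set (or pass allow_legacy=False) to finish the transition.
LEGACY = {"md5", "sha1"}


def mac_tag(key: bytes, msg: bytes, algo: str = PREFERRED) -> str:
    """Return 'algo:hexdigest' so the verifier knows which hash was used."""
    if algo != PREFERRED and algo not in LEGACY:
        raise ValueError(f"unsupported hash: {algo}")
    digest = hmac.new(key, msg, getattr(hashlib, algo)).hexdigest()
    return f"{algo}:{digest}"


def verify_tag(key: bytes, msg: bytes, tag: str, allow_legacy: bool = True) -> bool:
    """Recompute the tag under the hash named in it and compare in constant time.

    An unknown or disallowed hash name fails closed; a legacy name is honoured
    only while allow_legacy is True.
    """
    algo, sep, received = tag.partition(":")
    if not sep:
        return False
    if algo != PREFERRED and not (allow_legacy and algo in LEGACY):
        return False
    expected = hmac.new(key, msg, getattr(hashlib, algo)).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, received)


def transition_report(key: bytes, msg: bytes) -> dict:
    """Show how the same message fares under each policy (constructed inputs)."""
    new_tag = mac_tag(key, msg)                 # sha256 by default
    old_tag = mac_tag(key, msg, "md5")          # what a legacy peer would send
    return {
        "new_tag_ok": verify_tag(key, msg, new_tag),
        "old_tag_ok_during_migration": verify_tag(key, msg, old_tag),
        "old_tag_ok_after_cutoff": verify_tag(key, msg, old_tag, allow_legacy=False),
        "tampered_new_tag_ok": verify_tag(key, msg + b"!", new_tag),
    }


if __name__ == "__main__":
    # Constructed sample key and message; never hard-code real keys.
    print(transition_report(b"example-key-not-for-production", b"GET /status HTTP/1.1"))
```

The point the thread makes is visible in the structure rather than in any single digest value: the verifier never trusts the tag's own claim about which hash it should accept, the accepted set is a one-line policy, and a peer that keeps sending HMAC-MD5 after the cutoff simply fails verification instead of silently staying on the weak hash.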