>From: [EMAIL PROTECTED]
>Sent: Mar 30, 2006 3:38 PM
>To: cryptography@metzdowd.com
>Subject: Re: [Cfrg] HMAC-MD5
>
>I think that we have the "evidence". The security of MD5 depends
>heavily on a lot of nonlinearities in functions F,G,I and on
>carries in arithmetic additions. Nonlinearities in F,G,I are
>bitwise and very weak. Carries are much stronger, but the collision
>attacks showed that it is possible to control them also.

The question is, can these still be controlled when the attacker doesn't know the internal state of the chaining variables? If not, we may end up with second preimage attacks (which would finish off MD5 for most hashing applications!), but still not know how to attack HMAC. The attack model is really different!

For what it's worth, though, I agree that we need to get rid of MD5 anywhere it's still in place, since the only thing we know about its security is that it's a lot less than anyone expected it to be even a year ago. In fact, we should have started this when Dobbertin had his free-start collision result. If we had, we'd be able to regard the devastating MD5 collisions we're seeing now in the same way we regard devastating attacks on FEAL. (If someone extends the best attack on FEAL to 64 rounds, that will be cool, but nobody will be scrambling to replace FEAL in their products and protocols.)

>Vlastimil Klima

--John Kelsey, NIST

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
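The distinction Kelsey draws between a collision found from MD5's standard IV and an attack against HMAC, where the inner hash starts from a chaining value the attacker does not know, can be shown concretely. The following Python is an added example, not code from this thread or from either author. It uses Marc Stevens' published single-block MD5 collision pair (two 64-byte messages with the same MD5 digest) and constructs its own HMAC key and prefix; the point it makes is only that a fixed-IV collision does not carry over to a keyed or prefixed chaining state, not that HMAC-MD5 is secure.

```python
import hashlib
import hmac

# Marc Stevens' published single-block MD5 collision (2012): two 64-byte
# messages that differ in two bytes and hash to the same MD5 digest.
M1 = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
)
M2 = bytes.fromhex(
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hmac_md5_from_primitives(key: bytes, msg: bytes) -> str:
    """HMAC-MD5 built directly from the RFC 2104 definition:
    MD5((K ^ opad) || MD5((K ^ ipad) || msg)).

    The inner MD5 call processes the 64-byte block K ^ ipad first, so the
    message blocks are compressed from a chaining value derived from the
    key, not from MD5's public IV."""
    block = 64
    if len(key) > block:
        key = hashlib.md5(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).hexdigest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check of the hand-rolled HMAC against Python's hmac module."""
    return hmac_md5_from_primitives(key, msg) == hmac.new(key, msg, "md5").hexdigest()


def collision_survives_suffix(suffix: bytes) -> bool:
    """Merkle-Damgard: once two block-aligned prefixes reach the same
    chaining value, any common suffix keeps the digests equal."""
    return md5_hex(M1 + suffix) == md5_hex(M2 + suffix)


def collision_survives_prefix(prefix: bytes) -> bool:
    """A prefix changes the chaining value the colliding blocks are fed
    into; the published differential path was built for the standard IV."""
    return md5_hex(prefix + M1) == md5_hex(prefix + M2)


def hmac_collides(key: bytes) -> bool:
    """Does the fixed-IV collision carry over to HMAC-MD5 under this key?"""
    return hmac_md5_from_primitives(key, M1) == hmac_md5_from_primitives(key, M2)


if __name__ == "__main__":
    # Constructed key and prefix for illustration only.
    key = b"constructed-demo-key"
    print("MD5(M1) == MD5(M2):", md5_hex(M1) == md5_hex(M2))
    print("survives common suffix:", collision_survives_suffix(b"-trailer"))
    print("survives 64-byte prefix:", collision_survives_prefix(b"P" * 64))
    print("HMAC-MD5 collides:", hmac_collides(key))
```

The prefix is chosen as exactly one 64-byte block so that M1 and M2 stay block-aligned; the only thing that changes is the chaining value they are compressed from, which is the situation the reply asks about. The same holds inside HMAC, where that chaining value depends on the key.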