On 27 Mar 2017, at 21:41, Evan Hunt wrote:
> On Mon, Mar 27, 2017 at 12:45:04PM -0700, Paul Vixie wrote:
>> also, a validator that outputs "secure" based on MD5 inputs is making
>> a promise it can't keep.
> MD5 is known to be breakable
Please: let's be careful with our wording here.
There are widely-understood and widely-implemented attacks on MD5's
collision resistance, reducing it from the design-level of 2^64 to
somewhere around 2^30. In other words, it is trivial to create messages
that have MD5 collisions.
To date, there have been no public papers showing any preimage attacks
on MD5 reducing its design-level of 2^128. There may be privately-known
attacks, of course, just as there might be for any cryptographic
algorithm. A researcher who shows a preimage attack on MD5 would get
huge recognition within the cryptographic community, so there is a
strong motivation to try. So far, none has been forthcoming.
To date, no one has publicly described how a collision attack would help
an attacker in DNSSEC. Such an attack would be *very* interesting to
this community. If you know of such an attack, please say so here or in
a cryptographic forum.
It has been over a decade since the collision-based attack on PKIX
certificates was described, but since then none has been described for
DNSSEC. In specific, because we now know that collision attacks on SHA1
are feasible and will probably get better over time, this community
should understand how such an attack could affect us.
For more information on cryptographic attacks on hashes, please see RFC
4270.
--Paul Hoffman
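An added illustration of the collision-versus-preimage distinction drawn above, not part of the thread or any project mentioned in it. It runs both generic searches against a truncated MD5 (the message families, the 16-bit truncation and the function names are all constructed for this example) so that the birthday-bound cost of a collision, roughly 2^(n/2), can be compared directly with the roughly 2^n cost of a preimage on the same digest size. At the full 128 bits these are the 2^64 and 2^128 design levels the message cites.

```python
import hashlib
import math


def truncated_md5(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of MD5(data) as an integer.

    Truncating lets the experiment finish in seconds; the scaling laws for
    the generic attacks are the same as for the full 128-bit digest.
    """
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def expected_collision_trials(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) hashes until any two collide."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def expected_preimage_trials(bits: int) -> float:
    """Generic preimage search: about 2^bits hashes to hit one given digest."""
    return float(2 ** bits)


def find_collision(bits: int):
    """Hash distinct messages until two share a truncated digest.

    Returns (trials, msg_a, msg_b). By the pigeonhole principle a collision
    is guaranteed within 2^bits + 1 trials, but the birthday bound predicts
    far fewer.
    """
    seen = {}
    for i in range(2 ** bits + 1):
        msg = b"collision-%d" % i  # constructed message family
        h = truncated_md5(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    raise AssertionError("unreachable: pigeonhole guarantees a collision")


def find_preimage(target: int, bits: int, max_trials: int):
    """Brute-force a message whose truncated digest equals `target`.

    Returns (trials, msg), or (max_trials, None) if the budget runs out.
    """
    for i in range(max_trials):
        msg = b"preimage-%d" % i  # constructed message family, disjoint from above
        if truncated_md5(msg, bits) == target:
            return i + 1, msg
    return max_trials, None


if __name__ == "__main__":
    BITS = 16
    trials, a, b = find_collision(BITS)
    print(f"collision after {trials} hashes "
          f"(birthday estimate {expected_collision_trials(BITS):.0f}): {a!r} vs {b!r}")

    target = truncated_md5(b"some fixed message", BITS)
    trials, m = find_preimage(target, BITS, max_trials=2 ** (BITS + 4))
    print(f"preimage after {trials} hashes "
          f"(generic estimate {expected_preimage_trials(BITS):.0f}): {m!r}")

    # The gap between the two estimates is 2^(bits/2) and only widens with
    # digest size; for 128 bits it is the difference between 2^64 and 2^128.
    print(f"at 128 bits: collision ~2^{math.log2(expected_collision_trials(128)):.1f}, "
          f"preimage ~2^{math.log2(expected_preimage_trials(128)):.0f}")
```

The point for DNSSEC readers is that the published MD5 attacks cut the first number, not the second: a collision requires the attacker to control both colliding inputs, whereas forging a signature over an existing, attacker-independent RRset would need a second-preimage, for which no public attack below the generic bound exists.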
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop