From: Jim Binkley
Date: Sun, 09 Jun 1996 09:03:47 -0700
To: Steve Reid
cc: freebsd-security@FreeBSD.org
Subject: Re: MD5 broken
In-reply-to: Your message of "Fri, 07 Jun 1996 17:05:25 PDT."
Message-Id: <199606091603.JAA29242@sirius.cs.pdx.edu>

I'm afraid I'm going to muddy the waters a bit...

I have been following the IETF IPSEC (IP layer security) group for a long time (seems like a long time...). E.g., see RFCs 1825-1829. IPSEC has designed two headers for security, AH (authentication) and ESP (encryption/privacy), with the assumption that these headers would be used in ipv4 and ipv6. "Transforms" (i.e., specific algorithms for specific crypto algorithms, more or less) for the headers have been defined too; e.g., for ESP the transform is *changing* from DES-CBC to an authenticated version of DES-CBC. With AH, the transform *was* keyed MD5 (see RFC1828.txt).

IPSEC has decided that keyed MD5 needs to be retired, primarily because of paranoia over the attacks described. There are going to be two required replacements, hmac-md5 and hmac-sha. hmac-md5 and hmac-sha could loosely be described as tougher versions of keyed-md5.

If you want to look at the drafts for said transforms, visit an Internet ftp site (e.g., ftp://ftp.isi.edu/internet-drafts) and look at:

  draft-ietf-ipsec-ah-hmac-sha-00.txt
  draft-ietf-ipsec-ah-hmac-md5-00.txt

The above is just FYI on the situation. Now for an opinion. I agree with Poul-Henning Kamp. The situation isn't that serious at the moment. IPSEC has several kinds of people in it, at least cryptographers (not me), security types, and network engineers (I'll accept that). Crypto people are paranoid by definition and IPSEC has to worry about both ipv4 and v6 long-term. On the other hand, it may be time to start thinking about a replacement. Over time, all crypto algorithms will have to get stronger as computers get more powerful.

regards,

Jim Binkley
jrb@cs.pdx.edu
psu cs dept.
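The message above contrasts the retired keyed-MD5 AH transform with its hmac-md5 and hmac-sha replacements without showing what the HMAC construction is. The following is an added example, not code from the email, the FreeBSD project or the IPSEC drafts: it builds HMAC from the raw hash primitive exactly as RFC 2104 defines it (two hash passes over key-derived inner and outer pads), checks the result against Python's standard library, and verifies a received tag with a constant-time comparison. The test vectors in the comments are taken from RFC 2104 and RFC 2202; the sample key and message are constructed for illustration.

```python
"""HMAC from the raw hash primitive, per RFC 2104, plus a receiver-side check.

Added example (not part of the original message). Assumes only the Python
standard library; the reference digests cited in comments are the published
RFC 2104 / RFC 2202 test vectors.
"""
import hashlib
import hmac


def hmac_from_scratch(key: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).

    K' is the key brought to exactly one hash block: hashed down if longer,
    zero-padded if shorter. The two passes with distinct pads are what
    separates this from a single-pass keyed hash of key and data.
    """
    block_size = hashlib.new(hash_name).block_size  # 64 bytes for MD5 and SHA-1
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the hand-built construction against hmac.new()."""
    return hmac_from_scratch(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str) -> bool:
    """Receiver side: recompute and compare in constant time.

    compare_digest avoids an early-exit comparison that would leak how many
    leading bytes of a forged tag were correct.
    """
    expected = hmac_from_scratch(key, message, hash_name)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # RFC 2104 test case 1: key = 16 bytes of 0x0b, data = "Hi There"
    # expected HMAC-MD5: 9294727a3638bb1c13f48ef8158bfc9d
    print(hmac_from_scratch(b"\x0b" * 16, b"Hi There", "md5").hex())
    # RFC 2202 test case 1: key = 20 bytes of 0x0b, data = "Hi There"
    # expected HMAC-SHA1: b617318655057264e28bc0b6fb378c8ef146be00
    print(hmac_from_scratch(b"\x0b" * 20, b"Hi There", "sha1").hex())

    # Constructed sample: a tag over one message does not verify a modified one.
    key = b"constructed-demo-key"
    msg = b"AH payload, constructed sample"
    tag = hmac_from_scratch(key, msg, "sha1")
    print(verify_tag(key, msg, tag, "sha1"), verify_tag(key, msg + b"!", tag, "sha1"))
```

Run it directly to print the two RFC digests followed by `True False`. The same function handles MD5 and SHA-1 (and any hashlib digest with a 64-byte block), which is the point the message makes: hmac-md5 and hmac-sha are one construction wrapped around different hash primitives, not two unrelated algorithms.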