From owner-freebsd-security Thu Sep 19 21:48:13 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA07109 for security-outgoing; Thu, 19 Sep 1996 21:48:13 -0700 (PDT)
Received: from bunyip.cc.uq.oz.au (bunyip.cc.uq.oz.au [130.102.2.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA07040 for ; Thu, 19 Sep 1996 21:48:02 -0700 (PDT)
Received: (from daemon@localhost) by bunyip.cc.uq.oz.au (8.7.6/8.7.3) id OAA26057 for security@freebsd.org; Fri, 20 Sep 1996 14:47:18 +1000
Received: from pandora.devetir.qld.gov.au by ogre.devetir.qld.gov.au (8.7.5/DEVETIR-E0.3a) with ESMTP id OAA01154 for ; Fri, 20 Sep 1996 14:49:01 +1000 (EST)
Received: from netfl15a.devetir.qld.gov.au (netfl15a.devetir.qld.gov.au [167.123.24.12]) by pandora.devetir.qld.gov.au (8.6.10/8.6.12) with ESMTP id OAA01713 for ; Fri, 20 Sep 1996 14:49:03 +1000
Received: from localhost by netfl15a.devetir.qld.gov.au (8.6.8.1/DEVETIR-0.1) id EAA26487 for ; Fri, 20 Sep 1996 04:50:23 GMT
Message-Id: <199609200450.EAA26487@netfl15a.devetir.qld.gov.au>
X-Mailer: exmh version 1.6.5 12/11/95
To: security@freebsd.org
Subject: Possible MD5 weakness (fwd from PEM)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 20 Sep 1996 14:50:21 +1000
From: Stephen Hocking
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Date: Fri, 13 Sep 1996 16:09:30 -0700 (PDT)
>From: Ned Freed
>Subject: Re: TFM needed ro R
>To: David Rudder
>Cc: pem-dev@TIS.COM
>Message-Id: <01I9FPRGR3US8Y5I6P@INNOSOFT.COM>
>Mime-Version: 1.0
>Content-Type: TEXT/PLAIN; charset=US-ASCII
>Content-Transfer-Encoding: 7BIT
>Sender: pem-dev-approval@neptune.hq.tis.com
>Precedence: bulk
>
> > RIPEM and SSLeay seem to like MD5. RIPEM uses MD2 for its X.509
> > certificates but MD5 for its MIC-Info. There are a bunch of MD5
> > programs out there and a number written in Java. Bruce Schneier says "I am
> > wary of MD5" on page 441 of Applied Cryptography. He states before that
> > that MD5 hasn't been proven insecure, but weaknesses have been found in
> > the compression function. If he is wary of this algorithm, then why is
> > it so popular? It's by far more prevalent than any other message digest
> > I've seen.
>
> It is worse than Schneier says -- there are newer results now. See the
> current issue of RSA's CryptoBytes publication, Volume 2 Number 2, Summer
> 1996, for details. Online copies are available in
> http://www.rsa.com/rsalabs/cryptobytes/.
>
> The bottom line is that new applications should no longer specify MD5 as a
> MIC. And MD2 has been obsolete for some time. Use either SHA-1 or
> RIPEMD-160. (I prefer the former.)
>
> Ned

Stephen
--
The views expressed above are not those of the Worker's Compensation Board of Queensland, Australia.
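As an added illustration of the point Ned makes above (not part of the original thread), the following Python shows concretely why a digest with colliding inputs is useless as a MIC: the two 128-byte messages below are the published full MD5 collision pair from Wang, Feng, Lai and Yu (2004), a result that appeared eight years after this post and goes well beyond the compression-function weaknesses discussed in CryptoBytes. They are embedded as constants here; the helper names `mic`, `differing_bytes` and `mic_distinguishes` are this example's own and do not come from PEM, RIPEM or SSLeay.

```python
"""Why a digest with known collisions cannot serve as a MIC.

Added example, not from the mailing-list thread. MSG_A and MSG_B are the
published MD5 collision pair of Wang, Feng, Lai and Yu (2004): two
distinct 128-byte messages with the same MD5 digest. Any MIC built on MD5
therefore accepts MSG_B wherever it was computed over MSG_A.
"""
import hashlib

# Constructed input: the published Wang et al. collision pair (hex).
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def mic(data: bytes, alg: str) -> str:
    """A bare message integrity check: the hex digest of DATA under ALG.

    PEM's MIC-Info header carries this digest (signed with the sender's
    key). The signature is left out here on purpose: if two messages share
    the digest, a signature over that digest covers both of them equally.
    """
    return hashlib.new(alg, data).hexdigest()


def differing_bytes(a: bytes, b: bytes) -> list[int]:
    """Offsets at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def mic_distinguishes(alg: str) -> bool:
    """True if a MIC under ALG tells MSG_A and MSG_B apart."""
    return mic(MSG_A, alg) != mic(MSG_B, alg)


if __name__ == "__main__":
    print("message length:", len(MSG_A), "bytes")
    print("bytes that differ:", differing_bytes(MSG_A, MSG_B))
    for alg in ("md5", "sha1"):
        print(f"{alg}: distinguishes={mic_distinguishes(alg)} "
              f"MIC(A)={mic(MSG_A, alg)} MIC(B)={mic(MSG_B, alg)}")
```

The two messages differ in exactly six bytes (one bit each), yet the MD5 MIC is identical for both; under SHA-1 the MICs differ. The check `mic_distinguishes` is the property a MIC must have for every pair of distinct messages an attacker can produce, and it is the property MD5 lost. RIPEMD-160 is not used in the demonstration only because `hashlib` exposes it through OpenSSL and some builds omit it; where `hashlib.new("ripemd160", data)` is available it behaves like SHA-1 here.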