"baldwin" writes:
> I also understand your being upset about not hearing about this attack the moment it was published. Actually, as soon as RSA Labs confirmed the weakness we did call some of the editors of the IPsec specifications to let them know about it. The consensus was that this was not a show stopper.
There were two names on the MD5 document -- mine and Bill Simpson's. Bill didn't tell me that he was called (I suspect he would have), and I wasn't called, either. We were the only two editors of that portion of the specification. Given that my name was on that document and that I made a large effort to try to make sure that people examined the algorithms and thought they were good, and that I have some of my reputation tied to that document, I am rather unhappy at the fact that I only find out third hand about what people in the field have determined about our selected algorithm.
> The IPsec protocols could be rolled out as is. Later, once a better authenticator had been developed and tested, it could be substituted for the existing one. One of the excellent features of the IPsec specification is that new algorithms can be substituted easily (modulo a "small matter of programming").
I know. I was one of the designers. We all understood extremely well that crypto algorithms become rapidly obsolete. However, we needed to specify a reasonably strong baseline transform that would be widely deployed. I was shocked at the level of trouble we had in getting the cryptoweenies to successfully agree on a keyed hash based transform no matter how long was spent on the topic. I've got to say that my opinion of the academic crypto community dropped substantially after the experience. I would have thought that people could at least have agreed on what they knew and didn't know. This was strikingly different from my experience with other mathematical fields, in which the experts seem to agree pretty readily about what is and isn't known.
> Perhaps your main complaint is that it took time for the attack to be confirmed by other researchers before the issue was brought to the IPsec authors. That is another effect of the current state of the art in Cryptography, and an effect of the normal academic process.
People might have noted their suspicions to us. As engineers, we are capable of avoiding something based on a suspected weakness without solid confirmation -- we aren't trying to publish papers, we are trying to get things to work.

Perry