
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
 MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG
 A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj
 dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw
 MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl
 Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT
 DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB
 AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf
 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA
 A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK
 aTxjgASxqHhzkx7PkOnL4JrN+Q==
MIC-Info: RSA-MD5,RSA,
 BmSwniu8gUasZa1TjPkW32wDQoVcczj8fKdr0iBciiZtHKyz1xXgeHgBI9V0oV8h
 dwcOLMC8bbAL39VVNkGHlxw=
Perry, as you are so fond of quoting Dobbertin, let me forward once again to the list Hans' analysis of the "crack" that he discovered. He explicitly agrees with Mr. Ogren's analysis.
No, he doesn't. Dobbertin's privately circulated document is entitled "Cryptanalysis of MD5", not "Possible weaknesses in MD5". The MD4 results were even more damning. It is true that the attacks aren't general, but they are bad enough that the key property of cryptographic hashes -- that it is computationally infeasible to produce two documents with the same hash (note that the property is NOT that you cannot produce a document with the same hash as a document selected by the opponent) -- has been broken. Chosen plaintext, in particular, is completely broken.
Dobbertin explicitly says that although there is no reason to panic, MD5 is not to be trusted.
I quote from your quote of Dobbertin:
5. My conclusions are: no reason for panic, but in future implementations better move away from MD5.
Yes, it is prudent to move away from MD5. But there are still plenty of uses where it is more than sufficient.
Yeah, like if you are looking for a wacky checksum and not a cryptographic hash.
Look, the point is that Ogren seems to think this is some sort of a minor technicality and that we can safely ignore it most of the time. That's simply not prudent. Once you find that the key properties of your cryptographic hash have fallen and you have to be exceptionally careful about what you put through the hash lest an attacker somehow influence it, you've lost the game. MD5 is no longer trustworthy. I agree that one needn't run screaming in the streets, but Ogren made it sound as though this wasn't a matter of concern. That's simply wrong. Saying that leads people to a completely incorrect conclusion.
I admit I am at a disadvantage having deleted the first few messages on this thread without actually reading them -- but when I am out one day and come back to 200+ cypherpunk messages of which perhaps 10 are relevant to cryptography, I get a little quick with the delete. However, I am assuming from the stated speed requirement that the original query was intended for just such a hashing scheme. I interpreted Ogren's comments along the lines of "choose an algorithm based upon a best fit for the requirements, where security is just one of the requirements (although the most important)" (quotes used to indicate paraphrasing rather than actual quote). If these assumptions are valid, then he is quite correct, for a blanket condemnation of MD5 is unwarranted. If the intended application is for use with signatures, then I too would be quite leery of MD5 -- but only if I am signing a document that I did not originate OR I need to ensure the validity of the signature for longer than 12 months. Condemning an application of MD5 without understanding the specific requirements placed upon the hashing algorithm is unjustified. Complacently accepting the strength of the algorithm for all applications based upon recent findings is foolish.

Charles Watt
SecureWare

-----END PRIVACY-ENHANCED MESSAGE-----
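Added example, not part of the thread above and not by any of its participants. It makes concrete the two points argued there: Perry's distinction between a collision (two messages the attacker picks) and a second preimage (matching a message the opponent picks), and Watt's caveat that the signature risk is in "signing a document that I did not originate". The input is the widely published MD5 collision pair of Wang, Feng, Lai and Yu (2004), which post-dates this 1996 discussion; it is embedded as constructed input and the script verifies the collision itself rather than taking it on trust. The signing stand-in, the attacker's suffix and the signer's prefix are hypothetical, chosen only to illustrate the scenario.

```python
"""Collision vs. second preimage, and why it matters only for documents the
signer did not originate. Uses the published 2004 MD5 collision pair as
constructed input; all scenario names below are hypothetical."""
import hashlib

# Two 128-byte messages (two MD5 blocks each) that differ in six bytes yet
# share one MD5 digest. Constructed input: the Wang et al. (2004) pair.
COLLIDING_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
COLLIDING_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_collision(a: bytes, b: bytes) -> bool:
    """A collision is two *different* inputs with the same digest.
    Nothing here says anything about matching a digest chosen by someone else."""
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte positions where the two colliding messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def extend_with_suffix(a: bytes, b: bytes, suffix: bytes):
    """Merkle-Damgard consequence: this pair is an *internal* collision (the
    chaining state after the two crafted blocks is identical), so any shared
    suffix keeps the digests equal. That is how a raw colliding pair becomes
    two different readable documents with the same hash."""
    return a + suffix, b + suffix


def signed_digest(document: bytes) -> bytes:
    """Stand-in for a signature scheme (hypothetical): real schemes sign the
    digest, not the document, so we model 'what the signature covers' as the
    bare MD5 digest. Anything that collides under MD5 verifies identically."""
    return hashlib.md5(document).digest()


def attacker_swaps_document(attacker_suffix: bytes) -> bool:
    """Watt's risky case: the signer signs a document the *attacker* wrote.
    The attacker gets A||suffix signed, then presents B||suffix with the same
    signature. Returns True if the substitution passes verification."""
    benign, malicious = extend_with_suffix(COLLIDING_A, COLLIDING_B, attacker_suffix)
    signature = signed_digest(benign)            # victim signs the benign text
    return benign != malicious and signed_digest(malicious) == signature


def signer_prefix_breaks_pair(signer_prefix: bytes) -> bool:
    """Watt's safer case, one step further: this pair only collides when the
    crafted blocks are hashed from MD5's fixed initial state. Content the
    signer puts in front of attacker-supplied bytes changes the chaining
    state, and this particular pair no longer collides. (Defeating that needs
    a chosen-prefix collision, a different and harder problem; this is not an
    argument for keeping MD5.) Returns True if the digests now differ."""
    return md5_hex(signer_prefix + COLLIDING_A) != md5_hex(signer_prefix + COLLIDING_B)


if __name__ == "__main__":
    print("MD5 collision:", is_collision(COLLIDING_A, COLLIDING_B))
    print("bytes that differ:", differing_offsets(COLLIDING_A, COLLIDING_B))
    # Hypothetical attacker suffix and signer prefix, constructed for the demo.
    print("attacker-originated swap verifies:",
          attacker_swaps_document(b"\nPay the bearer one hundred dollars.\n"))
    print("signer-chosen prefix breaks this pair:",
          signer_prefix_breaks_pair(b"From: signer, serial 0001\n"))
```

The two scenario functions are the practical reading of the thread: a collision pair is useless against a digest the opponent already fixed (second preimage), but it is decisive the moment the signer accepts attacker-chosen bytes at the start of what gets hashed. Replacing `hashlib.md5` with `hashlib.sha256` makes `is_collision` return False for the same pair, which is the concrete content of "move away from MD5".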