RE: MD5 weakness ? [was Re: Netscape Log
I have unsubscribed from this mailing list. Please remove my name from your personal address lists. Thanks.

ahg3

----------
From: hallam[SMTP:hallam@w3.org]
Sent: Tuesday, October 24, 1995 1:14 PM
To: Dr. Frederick B. Cohen; cypherpunks
Cc: hallam
Subject: Re: MD5 weakness ? [was Re: Netscape Logic Bomb detailed by IETF]
Precedence: bulk
> As to weaknesses, I seem to remember that someone managed to forge a modification to a program used to observe networks on a Sun so that it had the same MD5 checksum as the official trusted version. But whether this is real is not strictly the issue.
Ron has not mentioned such an event to me and if that were the case I would seriously doubt that he would not have been told about it. The only comment he generally makes is that he wrote MD5 because "MD4 was making me nervous".
> In the case of the trust being placed in MD5 by Netscape, the assumption being made (without adequate support as far as I can tell) is that an MD5 checksum cannot be forced, through a chosen plaintext attack, to
Netscape do not simply use the MD5 of the message, they are using (as I understand it) the PKCS#1 standard for making the signature. If not they probably have severe problems.
> There has been no limit given by anyone on this list to the level of trust they place in MD5. Several people have posted (without contention) that MD5 is sufficiently trustworthy to trust billions of dollars in commerce to its being able to prevent a selected plaintext attack as alluded to above.
NIST and the NSA trusted MD4 sufficiently to base SHA upon it. SHA is preferable in many ways to MD5, it has a different approach to extending the scheduling and resists differential cryptanalysis. There is a problem with the compressor function of MD5 which I dislike. This is fairly irrelevant though since SSL allows other digests to be used.

Phill
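The exchange above turns on what a PKCS#1 signature actually covers. The following is an added example, not code from the list, from Netscape, or from RSA; it builds the EMSA-PKCS1-v1_5 encoded message (the DER DigestInfo of the digest, padded with 0xff bytes) from RFC 2313/3447 using only hashlib. The encoded-message length of 128 bytes (a 1024-bit modulus) is an assumption chosen for the demonstration. The point it makes visible is the one both sides of the thread are circling: the RSA operation sees only the digest and its algorithm identifier, so two messages with the same digest produce byte-identical signature input under the same digest algorithm, while switching the digest (as SSL permits) changes that input even for the same message.

```python
import hashlib

# DER content bytes of the digest-algorithm OIDs (RFC 3447, section 9.2, note 1).
OID = {
    "md5": bytes.fromhex("2a864886f70d0205"),       # 1.2.840.113549.2.5
    "sha1": bytes.fromhex("2b0e03021a"),            # 1.3.14.3.2.26
    "sha256": bytes.fromhex("608648016503040201"),  # 2.16.840.1.101.3.4.2.1
}


def der_tlv(tag, content):
    """Minimal DER tag-length-value encoder (short-form length only)."""
    if len(content) >= 128:
        raise ValueError("short-form DER length only; content too long")
    return bytes([tag, len(content)]) + content


def digest_info(alg, digest):
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }."""
    alg_id = der_tlv(0x30, der_tlv(0x06, OID[alg]) + b"\x05\x00")  # OID + NULL params
    return der_tlv(0x30, alg_id + der_tlv(0x04, digest))


def digest_info_prefix(alg):
    """The fixed bytes that precede the digest inside T, for comparison with RFC tables."""
    d_len = hashlib.new(alg).digest_size
    return digest_info(alg, b"\x00" * d_len)[:-d_len]


def emsa_pkcs1_v15_encode(message, alg, em_len=128):
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || T, per RFC 3447 9.2.

    em_len=128 assumes a 1024-bit RSA modulus (assumption for this example).
    """
    digest = hashlib.new(alg, message).digest()
    t = digest_info(alg, digest)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def same_signature_input(m1, m2, alg, em_len=128):
    """True iff the RSA private-key operation would see identical input for m1 and m2.

    Because EM is a function of the digest alone, this is exactly "same digest":
    a collision in the digest function transfers a signature between messages.
    """
    return emsa_pkcs1_v15_encode(m1, alg, em_len) == emsa_pkcs1_v15_encode(m2, alg, em_len)


if __name__ == "__main__":
    msg = b"constructed sample message for the example"  # constructed input
    for alg in OID:
        print(alg, "DigestInfo prefix:", digest_info_prefix(alg).hex())
        print(alg, "EM:", emsa_pkcs1_v15_encode(msg, alg).hex())
```

The prefixes printed by the block can be checked against the DigestInfo table in RFC 3447; the prefix for MD5 is `3020300c06082a864886f70d020505000410`. What the encoding does not contain is any part of the message itself, which is why the thread's question about forcing a second input to the same MD5 value is the whole security question for the signature, and why the ability to select a different digest matters.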