Re: Working Group Last Call: draft-melnikov-digest-to-historic-00.txt
Paul Leach <paulle@xxxxxxxxxxxxxxxxxxxxx> writes:
>>1) One of the main disadvantages with DIGEST-MD5 for me is that its
>> cryptographic primitives are sub-standard by today's standard. The
>> text in 7.B touches on this, but seems misplaced as 7 is about
>> missing features. I suggest adding to section 1:
>>
>> 8. The cryptographic primitives in DIGEST-MD5 are not up to today's
>> standards, in particular:
>>
>> A. The MD5 hash is sufficiently weak to make a brute force attack
>> on DIGEST-MD5 easy with common hardware.
>>
>> B. Using the RC4 algorithm for the security layer without
>> discarding the initial key stream output is prone to attack.
>>
>>
>
> [Paul Leach] While I certainly agree that MD5 is suspect, I'm not
> aware that there are any known attacks on the usage in DIGEST. The bad
> usage is: given a hash and a known input, it is possible to find other
> inputs that yield the same hash. However, given an input part of which
> is unknown (secret) and a hash, I wasn't aware that it is
> computationally feasible to do better than to try to test all possible
> secrets. Have I missed the relevant paper?
That text is already in the document, so they aren't my words.
However, I recall that there was a presentation at an appsarea meeting
a few IETF meetings ago, where CRAM-MD5 (dictionary?) attacks were
discussed and the practical consequences weren't pretty. I wasn't there
and don't recall more details though; maybe someone else knows of a
better reference.
/Simon
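Item B above concerns the well-documented statistical bias in the early RC4 keystream (the second output byte is zero roughly twice as often as a uniform byte would be). The following added example is not from the draft or from anyone in this thread: it implements plain RC4 and measures, over random keys of an assumed 16-byte length, how often a given keystream position is zero, showing the bias at position 1 and its absence at position 257, which is why a security layer must discard the initial keystream.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def byte_zero_rate(position: int, trials: int, seed: int = 1, key_len: int = 16) -> float:
    """Fraction of random keys for which keystream byte `position` is 0.

    A uniform byte would give about 1/256. The Mantin-Shamir bias makes
    position 1 (the second output byte) come out near 1/128. Key length,
    trial count and seed are constructed values for this demonstration.
    """
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        if rc4_keystream(key, position + 1)[position] == 0:
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    uniform = 1 / 256
    early = byte_zero_rate(1, 20000)
    late = byte_zero_rate(257, 20000)
    print(f"uniform expectation: {uniform:.5f}")
    print(f"P[byte 1 == 0]     : {early:.5f}  (biased, ~2x)")
    print(f"P[byte 257 == 0]   : {late:.5f}  (after discarding 256 bytes)")
```

The measured rate at position 1 sits near 2/256, while after dropping the first 256 bytes it returns to the uniform 1/256.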