Re: [Cfrg] RFC 5742 conflict review for draft-dolmatov-kuznyechik

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 04 February 2016 23:56 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 04 Feb 2016 23:21:40 +0000
Message-ID: <D2D942D8.26A82%uri@ll.mit.edu>
References: <4A631584-C0F1-4AFC-A51D-155C34415413@isode.com> <D2D64C5B.61B8F%kenny.paterson@rhul.ac.uk> <CADqLbz+b-YQ10d6d5_GHN+r7ETWobQgq+skPyXQSdUGG1dBDqQ@mail.gmail.com> <CACsn0c=ErkJLja7QUbA06V7vH-KPR_MpTcPhPyrKfyV02bxq-w@mail.gmail.com> <D2D65F65.266E2%uri@ll.mit.edu> <87a8nix2od.fsf@latte.josefsson.org> <D2D68F83.26762%uri@ll.mit.edu> <871t8uw0sb.fsf@latte.josefsson.org> <D2D78DD6.2680E%uri@ll.mit.edu> <b0a5edfea0df3670d5526d488dc731d1.squirrel@www.trepanning.net> <CACsn0c=OcJP6jzne9hHp67U6ZVpBssK1y=4zu1UW8+V=brUF0w@mail.gmail.com> <ff3c1ab0eaa94bc497001720b8dd5351@usma1ex-dag1mb1.msg.corp.akamai.com> <CACsn0cmH5_uWwxS2Bi87nPT=aK4vHnXvrcG7iTM=zcyP8UrZ-A@mail.gmail.com>
In-Reply-To: <CACsn0cmH5_uWwxS2Bi87nPT=aK4vHnXvrcG7iTM=zcyP8UrZ-A@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/P82PDq6Q5mJJHjQtyQdxeAbrAGQ>
Subject: Re: [Cfrg] RFC 5742 conflict review for draft-dolmatov-kuznyechik
List-Id: Crypto Forum Research Group <cfrg.irtf.org>

>> > We got good use out of those two [RC4 and MD5] mechanisms.
> 
> Both were broken in the same year as their introduction: the initial byte bias
> of RC4 was immediate, and collisions in the MD5 collision function not long
> after.

Pure and unadulterated BS. Accompanied by the usual charming manners, and
total disregard for practical realities of the industry.

The first collision in MD5 was published in 2004: Collisions for Hash Functions
MD4, MD5, HAVAL-128 and RIPEMD <https://eprint.iacr.org/2004/199> and How
to Break MD5 and Other Hash Functions
<http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf>.

Hans Dobbertin (OBM) published his work that suggested the possibility of a
successful attack, The Status of MD5 After a Recent Attack
<http://www.ietf.org/mail-archive/web/pkix/current/pdffqfUJq_6HW.pdf> and
Cryptanalysis of MD5 Compress <http://cseweb.ucsd.edu/~bsy/dobbertin.ps>, in
1996. He wrote in 1996 in RSA Laboratories CryptoBytes (if you remember what
it is):
> "The presented attack does not yet threaten practical applications of MD5, but
> it comes rather close… in the future MD5 should no longer be implemented …
> where a collision-resistant hash-function is required."

Of course everybody remembers that one of HMAC's claims to fame was that it
remains strong even if collisions are found in the underlying hash function,
which is how most protocols that employ a hash for authentication used it.

Not that I hope to convince anybody of anything, or to be heard by those who
probably would've benefited the most from it :), but it felt nice to go back
to those times for a moment.
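
The HMAC property referred to above, shown as an added Python illustration (this is not code from the message or from the CFRG thread): HMAC per RFC 2104 feeds the key into both hash invocations, so two messages that collide under the bare hash H do not collide under HMAC-H. The hash used is a constructed toy, MD5 truncated to 24 bits, chosen only because a birthday search finds collisions for it in a few thousand tries; the key and the "invoice:" prefix are likewise made up for the demonstration.

```python
"""Added illustration (not from the message or the CFRG thread): a collision in
the bare hash H does not give a collision in HMAC-H, because HMAC feeds the key
into both hash invocations. The 'weak' hash below is a constructed toy."""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

BLOCK_SIZE = 64   # MD5 block size in bytes, as HMAC-MD5 uses it
TRUNC_BYTES = 3   # toy: keep 24 bits of MD5 so a birthday search collides in ~5k tries


def weak_hash(data: bytes) -> bytes:
    """Constructed toy hash: MD5 truncated to 24 bits (trivially non-collision-resistant)."""
    return hashlib.md5(data).digest()[:TRUNC_BYTES]


def full_md5(data: bytes) -> bytes:
    """Plain MD5, used only to cross-check the HMAC construction against the stdlib."""
    return hashlib.md5(data).digest()


def hmac_rfc2104(key: bytes, msg: bytes, H: Callable[[bytes], bytes]) -> bytes:
    """HMAC exactly as RFC 2104 defines it: H((K ^ opad) || H((K ^ ipad) || msg))."""
    if len(key) > BLOCK_SIZE:
        key = H(key)                      # long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")  # then zero-padded to one block
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    return H(k_opad + H(k_ipad + msg))


def find_collision(prefix: bytes, max_tries: int = 1 << 20) -> Tuple[bytes, bytes]:
    """Birthday search for two distinct messages with equal weak_hash (deterministic)."""
    seen: Dict[bytes, bytes] = {}
    for i in range(max_tries):
        m = prefix + i.to_bytes(4, "big")
        h = weak_hash(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
    raise RuntimeError("no collision within budget")


def collision_transfers_to_hmac(key: bytes = b"constructed-demo-key") -> Dict[str, bool]:
    """Find an unkeyed collision, then check whether it also collides under HMAC-weak_hash.
    The key is a made-up constant; any key gives the same qualitative result."""
    m1, m2 = find_collision(b"invoice:")
    t1 = hmac_rfc2104(key, m1, weak_hash)
    t2 = hmac_rfc2104(key, m2, weak_hash)
    return {
        "messages_differ": m1 != m2,
        "hash_collides": weak_hash(m1) == weak_hash(m2),
        "hmac_collides": t1 == t2,
    }


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check: the construction above equals hmac.new(...) when H is full MD5."""
    return hmac_rfc2104(key, msg, full_md5) == hmac.new(key, msg, hashlib.md5).digest()


if __name__ == "__main__":
    print("construction matches hmac.new:", matches_stdlib(b"key", b"The quick brown fox"))
    print(collision_transfers_to_hmac())
```

The colliding pair satisfies weak_hash(m1) == weak_hash(m2), yet the two HMAC tags differ, because the inner hash input is (K ^ ipad) || m, not m, and the attacker's collision was computed without the key. Two caveats a practitioner should keep in mind: the later formal argument for HMAC (Bellare, 2006) rests on the compression function being a PRF rather than on collision resistance, which is why the proof survives collision attacks; and a 24-bit tag as in this toy is forgeable by guessing regardless of collisions, so the demonstration speaks only to collision transfer, not to the strength of the toy as a MAC.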