Re: [DNSOP] on staleness of code points and code (mentions MD5 commentary from IETF98)

["Paul Hoffman" <paul.hoffman@vpnc.org>]

On 27 Mar 2017, at 21:41, Evan Hunt wrote:

> On Mon, Mar 27, 2017 at 12:45:04PM -0700, Paul Vixie wrote:
>> also, a validator that outputs "secure" based on MD5 inputs is making 
>> a
>> promise it can't keep.
>
> MD5 is known to be breakable

Please: let's be careful with our wording here.

There are widely-understood and widely-implemented attacks on MD5's 
collision resistance, reducing it from the design-level of 2^64 to 
somewhere around 2^30. In other words, it is trivial to create messages 
that have MD5 collisions.

To date, there have been no public papers showing any preimage attacks 
on MD5 reducing its design-level of 2^128. There may be privately-known 
attacks, of course, just as there might be for any cryptographic 
algorithm. A researcher who shows a preimage attack on MD5 would get 
huge recognition within the cryptographic community, so there is a 
strong motivation to try. So far, none has been forthcoming.

To date, no one has publicly described how a collision attack would help 
an attacker in DNSSEC. Such an attack would be *very* interesting to 
this community. If you know of such an attack, please say so here or in 
a cryptographic forum.

It has been over a decade since the collision-based attack on PKIX 
certificates was described, but since then none has been described for 
DNSSEC. In specific, because we now know that collision attacks on SHA1 
are feasible and will probably get better over time, this community 
should understand how such an attack could affect us.

For more information on cryptographic attacks on hashes, please see RFC 
4270.

--Paul Hoffman