comments on draft-ietf-idpr-specv1-02.txt

"Kevin S. McCurley" <mccurley@cs.sandia.gov> Sat, 13 March 1993 19:46 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa01831; 13 Mar 93 14:46 EST
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa01827; 13 Mar 93 14:46 EST
Received: from ietf.cnri.reston.va.us by CNRI.Reston.VA.US id ac02577; 13 Mar 93 14:46 EST
Received: from PIZZA.BBN.COM by IETF.CNRI.Reston.VA.US id aa01276; 13 Mar 93 13:03 EST
Received: from pizza by PIZZA.BBN.COM id aa07056; 13 Mar 93 12:58 EST
Received: from BBN.COM by PIZZA.BBN.COM id aa07052; 13 Mar 93 12:55 EST
Received: from cs.sandia.gov by BBN.COM id aa24898; 13 Mar 93 12:57 EST
Received: from work.cs.sandia.gov.noname by cs.sandia.gov (4.1/SMI-4.1) id AA01334; Sat, 13 Mar 93 10:57:36 MST
Received: by work.cs.sandia.gov.noname (4.1/SMI-4.1) id AA04365; Sat, 13 Mar 93 11:01:57 MST
Date: Sat, 13 Mar 1993 11:01:57 -0700
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: "Kevin S. McCurley" <mccurley@cs.sandia.gov>
Message-Id: <9303131801.AA04365@work.cs.sandia.gov.noname>
To: idpr-wg@bbn.com
Subject: comments on draft-ietf-idpr-specv1-02.txt

I realize it's probably too late to make comments on the above draft,
but I would like to point out that the following paragraph is essentially
nonsense:

>   IDPR control messages must carry a non-null integrity/authentication
> value.  We recommend that the integrity/authentication algorithm be a
> digital signature, in particular an algorithm such as MD4 [15] or MD5 [16],
> which simultaneously verifies message integrity and source authenticity.
> The digital signature may be based on either public-key or private-key
> cryptography.  Our approach to digital signature use in IDPR is based on the
> privacy-enhanced Internet electronic mail service [12]-[14], already
> available in the Internet.

I have seen frequent confusion over this issue, but MD4 and MD5 ARE
NOT digital signature algorithms, but merely one-way hash functions.
They provide NO guarantee of source authenticity, and the only
integrity that they show is that the data has not been changed since
the time that the MD4/5 hash was created.  Unfortunately, since
MD4/5 ARE NOT digital signature algorithms, whoever changes the data
can also change the MD4/5 hash value to make the data look authentic
to people who do not understand the role of MD4/5.

If you are looking for a full digital signature algorithm, then you
need something like RSA or DSA.  These require fairly intensive
calculations, but MD4/5 were never intended for the purpose you
describe, and provide essentially no authentication.

If you wish to confirm this fact independently, then I suggest you
contact the designer of MD4/5 (Ron Rivest, rivest@theory.lcs.mit.edu),
or Burt Kaliski of RSA Data Security (burt@rsa.com).

Kevin McCurley
Sandia National Laboratories
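An added illustration of the point made in the message above (this is editorial example code, not part of the original posting or of the IDPR draft). It builds a constructed IDPR-style control message, appends a bare MD5 value as the draft's "integrity/authentication value", and shows that an attacker who alters the message can simply recompute the MD5 so the receiver's check still passes. Beside it, the same check with a keyed construction (HMAC-MD5 under a shared secret, standing in for the draft's "private-key" variant) and with a toy hash-then-sign RSA scheme (the "public-key" variant, textbook RSA with no padding, for illustration only) rejects the altered message. The message text, the 16-byte shared key, and the 140-bit RSA modulus are all assumptions of the example, not values from the draft.

```python
"""Added example: a bare MD4/MD5 hash is an integrity value, not a signature.

Python 3 standard library only.  The RSA below is textbook RSA without
padding, generated with a small Miller-Rabin primality test; it exists
only to show the shape of a real signature check and must not be used
as-is in a protocol implementation.
"""
import hashlib
import hmac
import math
import secrets


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# --- 1. The draft's reading: integrity value = MD5 of the message -----------
def tag_bare_hash(msg: bytes) -> str:
    return md5_hex(msg)


def verify_bare_hash(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(md5_hex(msg), tag)


def forge_bare_hash(new_msg: bytes) -> tuple:
    # The attacker needs no secret at all: recompute MD5 over the altered text.
    return new_msg, md5_hex(new_msg)


# --- 2. Private-key alternative: keyed hash under a shared secret -----------
def tag_hmac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.md5).hexdigest()


def verify_hmac(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(tag_hmac(key, msg), tag)


# --- 3. Public-key alternative: hash-then-sign with a toy RSA key -----------
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 140) -> tuple:
    """Return ((n, e), (n, d)); n > 2**128 so an MD5 digest fits without reduction."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))


def rsa_sign(priv: tuple, msg: bytes) -> int:
    n, d = priv
    return pow(int.from_bytes(hashlib.md5(msg).digest(), "big"), d, n)


def rsa_verify(pub: tuple, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.md5(msg).digest(), "big")


def demo() -> dict:
    """Run all three checks against a constructed control message and a tampered copy."""
    msg = b"IDPR ROUTE SETUP: prefer path via AD 17"      # constructed, not real IDPR wire format
    tampered = b"IDPR ROUTE SETUP: prefer path via AD 66"
    out = {}
    tag = tag_bare_hash(msg)
    out["bare_md5_accepts_original"] = verify_bare_hash(msg, tag)
    out["bare_md5_accepts_forgery"] = verify_bare_hash(*forge_bare_hash(tampered))   # True: no authenticity
    key = secrets.token_bytes(16)                                                    # assumed shared secret
    mac = tag_hmac(key, msg)
    out["hmac_accepts_original"] = verify_hmac(key, msg, mac)
    out["hmac_accepts_tampered"] = verify_hmac(key, tampered, mac)
    out["hmac_accepts_wrong_key_recompute"] = verify_hmac(key, tampered, tag_hmac(b"guess", tampered))
    pub, priv = rsa_keygen()
    sig = rsa_sign(priv, msg)
    out["rsa_accepts_original"] = rsa_verify(pub, msg, sig)
    out["rsa_accepts_tampered"] = rsa_verify(pub, tampered, sig)
    out["rsa_accepts_public_key_only_forgery"] = rsa_verify(pub, tampered, rsa_sign(pub, tampered))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the first two results come out True: the bare-hash receiver accepts the forgery exactly as it accepts the original, which is the confusion the message warns about. The keyed and signed variants reject the tampered text because recomputing MD5 is not enough once a secret (shared key or private exponent) enters the computation.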