[saag] draft-turner-md4-to-historic and Microsoft use of Md4

[Sam Hartman <hartmans-ietf@mit.edu>]

Sean, I've mentioned this in private mail, but I believe your draft
should discuss the Microsoft uses of md4 particularly for converting
passwords to key and discuss the impact of attacks on this use before it
is published. I am not intending to imply you're ignoring my comment: it
was made recently. I just wanted to get it into the public discussion so
others could think about it.

It's not entirely clear what properties are desired of a cryptographic
function in these uses.

In the Kerberos string-to-key operation, I think there are at least two
 goals:

1) Take a password of sufficient quality and produce a good key

2) Make it difficult to recover the password given the key.

There may be other goals. This is an area where the Kerberos community
has struggled to come up with security requirements.

It's clear that md4 fails at the second goal. However, it's not clear
that the Microsoft protocol uses of md4 actually try to achieve this
goal.  In the case of Kerberos, one of the main reasons you want to
prevent recovery of the password is so you can use the same password in
different realms without exposing it. For this reason, an identifier of
the principal and realm is included in the key computation. However,
rc4-hmac-md5 (the Kerberos enctype that uses md4 for string2key)
explicitly does not produce different keys for different realms.

So, I'm not actually sure whether one-way is a security goal or not for
this use of md4.

I have not been able to determine the impact of attacks on md4 on its
use as a funtion to produce high-quality keys from high-quality
passwords.

In conclusion, I think we need to be able to tell people what the impact
of the attacks on md4 is on widely deployed uses before publishing.