Re: [secdir] Secdir review of draft-turner-md4-to-historic-08

Sean Turner <> Mon, 06 December 2010 14:04 UTC

Date: Mon, 06 Dec 2010 09:05:31 -0500
From: Sean Turner <>
To: Catherine Meadows <>


Thanks for the review.  Responses inline.


On 12/3/10 5:37 PM, Catherine Meadows wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> This document recommends that the MD4 hash algorithm be retired and moved to historic status and gives
> the rationale for doing this, namely its known vulnerability to collision and pre-image attacks. The impact is mostly minimal, except
> for three Microsoft RFCs that are still supported in various versions of Windows and the RADIUS and EAP RFCs.  It would be helpful to learn what other algorithms
> these OSs and RFCs support.  This would give a better idea of the effect of dropping MD4; if there are other alternatives supported by the OSs
> the impact should be minimal here as well.

I think it might be hard to explain what alternatives are in each of the OSs 
because it depends a lot on what version/release/patch combo is being 
used.  I think RFC 4757 hints pretty strongly that 
aes256-cts-hmac-sha1-96 is supported because it says to use that alg 
instead of RC4-HMAC.

> Other than that, I have no problems with the decision or rationale.  I agree, as I am sure that everyone else does, that MD4
> should be retired.
> Some nits:
> 1.  "Section 6 also discussed" should be "Section 6 also discusses"   This occurs in several places.


> 2. " The RC4-HMAC is supported in Microsoft's Windows 2000 and
>             later for backwards compatibility with Windows 2000. "
> later supported by what?  I assume later versions of Windows, but it is probably a good idea to make this clear.

r/later/later versions of Windows

> 3. When you say that with one exception the impact of retiring MD4 would be minimal, it would be a good idea to mention that exception upfront.
> It is fairly clear after you read the whole impact section that the exception is the Microsoft RFCs, but nowhere is that said explicitly.

How about:

The impact of moving MD4 to Historic is minimal with the one exception 
of Microsoft's use of MD4 as part of RC4-HMAC in Windows, as 
described below.

> 4.  I'm not sure whether or not the discussion of MD4's resistance against key recovery attack really belongs in the impacts section (in the discussion
> of RC4-HMAC).  It might give the impression that RC4-HMAC is secure against key recovery, and, given the other attacks found against MD4, it is reasonable
> to believe that this security is only temporary.  I would suggest putting this discussion in the security considerations section, and also, wherever it does end up, adding the appropriate
> caveats.

I'm hesitant to move the text because it's in there specifically to 
address a comment by Sam Hartman.

My understanding of MD4's use in RC4-HMAC is that MD4 is used to 
generate a key from a password and then that key is used as input to 
HMAC-MD5.  So I am actually saying that RC4-HMAC is secure against key 
recovery attacks but this is entirely because HMAC-MD5 is used.  In 
other words, when HMAC-MD5 is broken then RC4-HMAC is broken.
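
The key derivation Sean describes above, worked through in code so the division of labour between MD4 and HMAC-MD5 is visible. This is an added example for this archive page; it is not code from RFC 4757, from the draft, or from either correspondent. MD4 is implemented inline from RFC 1320 because Python builds on OpenSSL 3 usually reject hashlib.new("md4") (it lives in the legacy provider); the HMAC-MD5 key chaining and RC4 steps follow my reading of RFC 4757 section 6 (non-export variant only); the all-zero confounder, message type 1 and the plaintext are constructed values chosen for reproducibility, not data from any real exchange.

```python
"""Where MD4 sits in RC4-HMAC (RFC 4757): password -> K via MD4, everything else via HMAC-MD5 and RC4.

Added example for the secdir thread on draft-turner-md4-to-historic; not code from RFC 4757 or the draft.
"""
import hashlib
import hmac
import struct

_M32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, pure Python (no dependency on OpenSSL's legacy provider)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Per round: boolean function, additive constant, shift table, message-word schedule.
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), lambda i: i),
        (g, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, sched in rounds:
            for i in range(16):
                # Each step updates one register; rotating the tuple reproduces the ABCD/DABC/CDAB/BCDA order.
                a = _rotl((a + func(b, c, d) + x[sched(i)] + const) & _M32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M32, (b + bb) & _M32, (c + cc) & _M32, (d + dd) & _M32
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 section 2: K = MD4(UNICODE(password)). This is the only place MD4 appears."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_encrypt(k: bytes, msg_type: int, confounder: bytes, data: bytes) -> bytes:
    """RFC 4757 section 6, non-export variant: returns checksum || RC4(K3, confounder || data).

    The confounder is a caller-supplied 8-byte value here so the output is reproducible;
    a real implementation draws it from a CSPRNG.
    """
    assert len(confounder) == 8
    k1 = _hmac_md5(k, struct.pack("<I", msg_type))   # T = message type, little-endian 4 bytes
    k2 = k1                                           # export variant would truncate here; omitted
    checksum = _hmac_md5(k2, confounder + data)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, confounder + data)


def rc4_hmac_decrypt(k: bytes, msg_type: int, edata: bytes) -> bytes:
    """Inverse of rc4_hmac_encrypt; verifies the HMAC-MD5 checksum before returning the data."""
    checksum, body = edata[:16], edata[16:]
    k1 = _hmac_md5(k, struct.pack("<I", msg_type))
    plain = rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, plain), checksum):
        raise ValueError("RC4-HMAC checksum mismatch")
    return plain[8:]


if __name__ == "__main__":
    k = rc4_hmac_key("password")          # constructed password
    print("K = MD4(UTF-16LE(password)) =", k.hex())
    edata = rc4_hmac_encrypt(k, 1, b"\x00" * 8, b"krb5 plaintext")   # constructed confounder and data
    print("checksum (HMAC-MD5):", edata[:16].hex())
    print("recovered:", rc4_hmac_decrypt(k, 1, edata))
```

Note what the code makes concrete: K is the raw, unsalted, un-iterated MD4 of the UTF-16LE password (the NT hash), and every per-message key is HMAC-MD5 of K with public inputs. So, as Sean says, forging or recovering keys for a given message is a question about HMAC-MD5, while MD4's weaknesses bear on the password-to-key step. The test vectors checked below are from RFC 1320 plus the well-known NT hash of "password".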