Re: [sipcore] I-D Action: draft-ietf-sipcore-digest-scheme-14.txt

"Olle E. Johansson" <oej@edvina.net> Fri, 01 November 2019 07:26 UTC

From: "Olle E. Johansson" <oej@edvina.net>
Date: Fri, 01 Nov 2019 08:26:26 +0100
Cc: Olle E Johansson <oej@edvina.net>, sipcore@ietf.org
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/1CHkmvARh0kcdknhaiPUq9rIwGI>
Subject: Re: [sipcore] I-D Action: draft-ietf-sipcore-digest-scheme-14.txt


> On 31 Oct 2019, at 22:55, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
> 
> On 10/31/19 1:37 PM, Maxim Sobolev wrote:
>> Hi, I am new here, so not sure what the proper process is, but there are a few comments I have with regard to the proposed RFC:
>> 1. In the Abstract section there is a phrase "the broken MD5 algorithm". I think "broken" might be a bit strong and emotionally charged. There is nothing broken about MD5 as far as the hashing algorithm is concerned. It is proven to be not very secure in this day and age, but given the right amount of time any of today's algorithms would probably be in that category.
> 
> This is a good point. MD5 is simply obsolete, not broken.
> 
You may add a reference to https://tools.ietf.org/html/rfc6151

"The published attacks against MD5 show that it is not prudent to use MD5 when collision resistance is required."

"The attacks presented in [KLIM2006 <https://tools.ietf.org/html/rfc6151#ref-KLIM2006>] can find MD5 collision in about one minute on a standard notebook PC (Intel Pentium, 1.6GHz). [STEV2007 <https://tools.ietf.org/html/rfc6151#ref-STEV2007>] claims that it takes 10 seconds or less on a 2.6Ghz Pentium4 to find collisions."

In essence, it’s not broken, but quite open for successful attacks.

/O