RFC 1828 (rfc1828) - Page 3 of 5

IP Authentication using Keyed MD5

RFC 1828                         AH MD5                      August 1995


   variants with a common MD5 hash value.  However, it is unclear
   whether this attack is applicable to a keyed MD5 transform.

   This attack requires approximately 24 days.  The same form of attack
   is useful on any iterated n-bit hash function, and the time is
   entirely due to the 128-bit length of the MD5 hash.

   Although there is no substantial weakness for most IP security
   applications, it should be recognized that current technology is
   catching up to the 128-bit hash length used by MD5.  Applications
   requiring extremely high levels of security may wish to move in the
   near future to algorithms with longer hash lengths.



Acknowledgements

   This document was reviewed by the IP Security Working Group of the
   Internet Engineering Task Force (IETF).  Comments should be submitted
   to the  mailing list.

   Some of the text of this specification was derived from work by
   Randall Atkinson for the SIP, SIPP, and IPv6 Working Groups.

   The basic concept and use of MD5 is derived in large part from the
   work done for SNMPv2 [RFC-1446].

   Steve Bellovin, Phil Karn, Charles Lynn, Dave Mihelcic, Hilarie
   Orman, Jeffrey Schiller, Joe Touch, and David Wagner provided useful
   critiques of earlier versions of this draft.



References

   [CN94]   Carroll, J.M., and Nudiati, S., "On Weak Keys and Weak Data:
            Foiling the Two Nemeses", Cryptologia, Vol. 18 No. 23 pp.
            253-280, July 1994.

   [dBB93]  den Boer, B., and Bosselaers, A., "Collisions for the
            Compression function of MD5", Advances in Cryptology --
            Eurocrypt '93 Proceedings, Berlin: Springer-Verlag 1994

   [KR95]   Kaliski, B., and Robshaw, M., "Message authentication with
            MD5", CryptoBytes (RSA Labs Technical Newsletter), vol.1
            no.1, Spring 1995.




Metzger & Simpson             Standards Track