IP Authentication using Keyed MD5
RFC 1828 AH MD5 August 1995
variants with a common MD5 hash value. However, it is unclear
whether this attack is applicable to a keyed MD5 transform.

This attack requires approximately 24 days. The same form of attack
is useful on any iterated n-bit hash function, and the time is
entirely due to the 128-bit length of the MD5 hash.

Although there is no substantial weakness for most IP security
applications, it should be recognized that current technology is
catching up to the 128-bit hash length used by MD5. Applications
requiring extremely high levels of security may wish to move in the
near future to algorithms with longer hash lengths.
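
The dependence of collision time on hash length described above, as an added example that is not part of RFC 1828: MD5 is truncated to n bits to model an n-bit hash, and the code counts how many hashes a birthday search needs before two constructed messages collide. It searches the unkeyed hash only; the function names and the message prefix are assumptions made for illustration.

```python
import hashlib
import math


def truncated_md5(data: bytes, n_bits: int) -> int:
    """Return the top n_bits of MD5(data) as an integer (models an n-bit hash)."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - n_bits)


def find_collision(n_bits: int, prefix: bytes = b"constructed-sample-"):
    """Birthday search: hash distinct messages until two share an n-bit value.

    Messages are constructed as prefix + counter, so they are all distinct.
    Returns (msg_a, msg_b, hashes_computed).
    """
    seen = {}  # truncated hash value -> message that produced it
    count = 0
    while True:
        msg = prefix + str(count).encode()
        count += 1
        h = truncated_md5(msg, n_bits)
        if h in seen:
            return seen[h], msg, count
        seen[h] = msg


def expected_work(n_bits: int) -> float:
    """Expected hashes before a collision for an ideal n-bit hash:
    sqrt(pi/2 * 2^n), i.e. on the order of 2^(n/2)."""
    return math.sqrt(math.pi / 2 * 2 ** n_bits)


if __name__ == "__main__":
    # Work grows with the output length only, not with the message size.
    for n in (16, 24, 32):
        a, b, used = find_collision(n)
        print(f"n={n:3d}  hashes used={used:8d}  expected~{expected_work(n):10.0f}")
    # The same formula at MD5's full 128-bit output length.
    print(f"n=128  expected~2^{math.log2(expected_work(128)):.1f} hashes")
```

Each 8 bits added to the output length multiplies the expected search effort by 16, which is why the text recommends longer hash lengths rather than a change to the search itself.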

Acknowledgements

This document was reviewed by the IP Security Working Group of the
Internet Engineering Task Force (IETF). Comments should be submitted
to the mailing list.

Some of the text of this specification was derived from work by
Randall Atkinson for the SIP, SIPP, and IPv6 Working Groups.

The basic concept and use of MD5 is derived in large part from the
work done for SNMPv2 [RFC-1446].

Steve Bellovin, Phil Karn, Charles Lynn, Dave Mihelcic, Hilarie
Orman, Jeffrey Schiller, Joe Touch, and David Wagner provided useful
critiques of earlier versions of this draft.

References

[CN94] Carroll, J.M., and Nudiati, S., "On Weak Keys and Weak Data:
Foiling the Two Nemeses", Cryptologia, Vol. 18 No. 23 pp.
253-280, July 1994.

[dBB93] den Boer, B., and Bosselaers, A., "Collisions for the
Compression function of MD5", Advances in Cryptology --
Eurocrypt '93 Proceedings, Berlin: Springer-Verlag 1994.

[KR95] Kaliski, B., and Robshaw, M., "Message authentication with
MD5", CryptoBytes (RSA Labs Technical Newsletter), vol.1
no.1, Spring 1995.

Metzger & Simpson Standards Track