[3852] in cryptography@c2.net mail archive
Re: MD5
daemon@ATHENA.MIT.EDU (Eric Murray)
Fri Dec 25 13:48:26 1998
Date: Fri, 25 Dec 1998 10:27:56 -0800
From: Eric Murray <ericm@lne.com>
To: Andrew Maslar <amaslar@home.com>
Cc: Cryptography List <cryptography@c2.net>
In-Reply-To: <3683BF2F.C3F32B35@home.com>; from Andrew Maslar on Fri, Dec 25, 1998 at 11:37:03AM -0500
On Fri, Dec 25, 1998 at 11:37:03AM -0500, Andrew Maslar wrote:
> Hello all.
>
> I'm new to the list; hope I can be helpful some day.
> But first a question:
>
> I'm toying around with various protocols for key exchange, and I wonder,
> if an attacker intercepted the result of the following operation:
>
> md5(x) + md5(x + y + z)
>
> (the +'s mean concatenation)
>
> and the attacker already knew:
>
> 1. the nature of the operation
> 2. x
> 3. z
>
> Could s/he compute y?
You really want to ask "how hard would it be for an attacker
to compute y?". It's always possible, it's just a question
of being practical (or more properly, cost-effective for
the attacker).
There's a paper by Hugo Krawczyk in (I think, it's not here) Crypto
'96 in which he estimates the difficulty to obtain the inputs to various
MAC schemes. BTW, this is the same researcher who's developed HMAC,
which is generally considered to be a strong keyed-MAC method.
You haven't said what you're doing with this protocol, but if it were me
I'd think about doing one HMAC instead of two MD5s. In software, the
cost of an HMAC is mostly the cost of doing the two hash operations,
which it looks like you're planning on doing already.
HMAC, from RFC 2104:
B = length of result of hash function H
We define two fixed and different strings ipad and opad as follows
(the 'i' and 'o' are mnemonics for inner and outer):
ipad = the byte 0x36 repeated B times
opad = the byte 0x5C repeated B times.
To compute HMAC over the data `text' we perform
H(K XOR opad, H(K XOR ipad, text))
Namely,
(1) append zeros to the end of K to create a B byte string
(e.g., if K is of length 20 bytes and B=64, then K will be
appended with 44 zero bytes 0x00)
(2) XOR (bitwise exclusive-OR) the B byte string computed in step
(1) with ipad
(3) append the stream of data 'text' to the B byte string resulting
from step (2)
(4) apply H to the stream generated in step (3)
(5) XOR (bitwise exclusive-OR) the B byte string computed in
step (1) with opad
(6) append the H result from step (4) to the B byte string
resulting from step (5)
(7) apply H to the stream generated in step (6) and output
the result
also see http://www.research.ibm.com/security/keyed-md5.html
--
Eric Murray N*Able Technologies www.nabletech.com
(email: ericm at the sites lne.com or nabletech.com) PGP keyid:E03F65E5
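As an added worked example (not part of Eric's message, and not the RFC's own code), the seven RFC 2104 steps above written out in Python, with H = MD5 as the original poster was using. Two details worth knowing when you implement this from the steps as quoted: RFC 2104 defines B as the byte length of the hash function's input block (64 for MD5 and SHA-1), which is why a 20-byte key is padded with 44 zero bytes in the RFC's own example, and the RFC says keys longer than B bytes are first hashed with H and the L-byte digest is used as the key. The function names, the constant-time verifier and the cross-check against the standard library are this example's additions; the test vectors are the ones published in RFC 2104.

```python
import hashlib
import hmac  # standard library; used here only to cross-check the hand-built HMAC


def hmac_rfc2104(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """HMAC exactly as RFC 2104 steps (1)-(7), with H = hashlib.new(hash_name).

    B is the byte length of H's input block (64 for MD5/SHA-1), per RFC 2104.
    """
    B = hashlib.new(hash_name).block_size
    if len(key) > B:
        # RFC 2104 section 2: a key longer than B bytes is first hashed with H
        key = hashlib.new(hash_name, key).digest()
    # (1) append zeros to K to make a B-byte string
    k0 = key.ljust(B, b"\x00")
    ipad = bytes([0x36]) * B
    opad = bytes([0x5C]) * B
    # (2) XOR the padded key with ipad
    k_ipad = bytes(a ^ b for a, b in zip(k0, ipad))
    # (3) append text, (4) hash the result: inner = H((K xor ipad) || text)
    inner = hashlib.new(hash_name, k_ipad + text).digest()
    # (5) XOR the padded key with opad
    k_opad = bytes(a ^ b for a, b in zip(k0, opad))
    # (6) append the inner hash, (7) hash again: H((K xor opad) || inner)
    return hashlib.new(hash_name, k_opad + inner).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Check a received tag without leaking timing information about where it differs."""
    expected = hmac_rfc2104(key, text, hash_name)
    return hmac.compare_digest(expected, tag)


def matches_stdlib(key: bytes, text: bytes, hash_name: str = "md5") -> bool:
    """True if the step-by-step construction agrees with Python's hmac module."""
    return hmac_rfc2104(key, text, hash_name) == hmac.new(key, text, hash_name).digest()


# RFC 2104 test vectors for HMAC-MD5 (section 'Test Vectors'):
RFC2104_VECTORS = [
    (b"\x0b" * 16, b"Hi There", "9294727a3638bb1c13f48ef8158bfc9d"),
    (b"Jefe", b"what do ya want for nothing?", "750c783e6ab0b503eaa86e310a5db738"),
    (b"\xaa" * 16, b"\xdd" * 50, "56be34521d144c88dbb8c733f0e8b3f6"),
]


def check_vectors() -> bool:
    """True if every RFC 2104 HMAC-MD5 test vector is reproduced."""
    return all(hmac_rfc2104(k, d).hex() == t for k, d, t in RFC2104_VECTORS)


if __name__ == "__main__":
    # Constructed sample values standing in for the poster's x and y (the secret).
    x = b"client-nonce-0001"
    y = b"shared-secret-value"
    tag = hmac_rfc2104(y, x)
    print("HMAC-MD5(y, x) =", tag.hex())
    print("RFC 2104 vectors OK:", check_vectors())
    print("agrees with hmac module (key > B):", matches_stdlib(b"k" * 100, x))
    print("verify (tampered) ->", verify_tag(y, x + b"!", tag))
```

The RFC's test vectors are the check to run first when you build this yourself; the long-key case is the one most often got wrong by hand-rolled versions, since the key must be hashed before padding, not truncated.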