[16514] in cryptography@c2.net mail archive


Re: MD5 To Be Considered Harmful Someday

daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Dec 8 10:14:34 2004

X-Original-To: cryptography@metzdowd.com
Date: Wed, 8 Dec 2004 09:24:41 -0500 (GMT-05:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: "James A. Donald" <jamesd@echeque.com>, cryptography@metzdowd.com

>From: "James A. Donald" <jamesd@echeque.com>
>Sent: Dec 7, 2004 6:57 PM
>To: cryptography@metzdowd.com
>Subject: MD5 To Be Considered Harmful Someday

>But even back when I implemented Crypto Kong, the orthodoxy was 
>that one should use SHA1, even though it is slower than MD5, so 
>it seems to me that MD5 was considered harmful back in 1997, 
>though I did not know why at the time, and perhaps no one knew 
>why.

The pseudocollision on MD5 paper was published in 1994, and Dobbertin's full collisions for MD5's compression function were published in 1996, so there was plenty of reason by 1997 to want to move to a different hash function.  People who stuck with MD5 for collision resistance after that were demonstrating seriously bad judgement, since the only argument left for MD5's security was "well, but nobody's published a way to exploit the attack on full messages yet."

>         James A. Donald

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
