Browse Prior Art Database

Attacks on Cryptographic Hashes in Internet Protocols (RFC4270)

IP.com Disclosure Number: IPCOM000132083D
Original Publication Date: 2005-Nov-01
Included in the Prior Art Database: 2019-Feb-14
Document File: 12 page(s) / 19K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

P. Hoffman: AUTHOR [+1]

Related Documents

10.17487/RFC4270: DOI

Abstract

Recent announcements of better-than-expected collision attacks in popular hash algorithms have caused some people to question whether common Internet protocols need to be changed, and if so, how. This document summarizes the use of hashes in many protocols, discusses how the collision attacks affect and do not affect the protocols, shows how to thwart known attacks on digital certificates, and discusses future directions for protocol designers. This memo provides information for the Internet community.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 13% of the total text.

Network Working Group P. Hoffman Request for Comments: 4270 VPN Consortium Category: Informational B. Schneier Counterpane Internet Security November 2005

Attacks on Cryptographic Hashes in Internet Protocols

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

Recent announcements of better-than-expected collision attacks in popular hash algorithms have caused some people to question whether common Internet protocols need to be changed, and if so, how. This document summarizes the use of hashes in many protocols, discusses how the collision attacks affect and do not affect the protocols, shows how to thwart known attacks on digital certificates, and discusses future directions for protocol designers.

1. Introduction

In summer 2004, a team of researchers showed concrete evidence that the MD5 hash algorithm was susceptible to collision attacks [MD5-attack]. In early 2005, the same team demonstrated a similar attack on a variant of the SHA-1 [RFC3174] hash algorithm, with a prediction that the normally used SHA-1 would also be susceptible with a large amount of work (but at a level below what should be required if SHA-1 worked properly) [SHA-1-attack]. Also in early 2005, researchers showed a specific construction of PKIX certificates [RFC3280] that use MD5 for signing [PKIX-MD5-construction], and another researcher showed a faster method for finding MD5 collisions (eight hours on a 1.6-GHz computer) [MD5-faster].

Because of these announcements, there has been a great deal of discussion by cryptography experts, protocol designers, and other concerned people about what, if anything, should be done based on the

Hoffman & Schneier Informational [Page 1]

RFC 4270 Attacks on Hashes November 2005

news. Unfortunately, some of these discussions have been based on erroneous interpretations of both the news and on how hash algorithms are used in common Internet protocols.

Hash algorithms are used by cryptographers in a variety of security protocols, for a variety of purposes, at all levels of the Internet protocol stack. They are used because they have two security properties: to be one way and collision free. (There is more about these properties in the next section; they’re easier to explain in terms of breaking them.) The recent attacks have demonstrated that one of those security properties is not true. While it is certainly possible, and at a first glance even probable, that the broken security property will not affect the overall security of many specific Internet protocols, the conservative security approach is to change hash algorithms. The Internet protocol community needs to migrate in an orderly manner away from SHA-1 and MD5 -- especially MD5 -- and toward more secure hash algorithms.

This document summarizes what is currently known about hash algorithms an...

Processing...
Loading...