[nSLUG] US Homeland Security

M Taylor mctylr at privacy.nb.ca
Wed Aug 18 17:59:24 ADT 2004

On Wed, Aug 18, 2004 at 04:12:00PM -0300, George White wrote:

> Now we have http://eprint.iacr.org/2004/
>     Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD 
>     Xiaoyun Wang and Dengguo Feng and Xuejia Lai and Hongbo Yu 
> This seems to prove what has been suspected: MD5 is not as collision resistant
> as Rivest had hoped.  It would be interesting to know how many NSA types
> needed oxygen after that paper was presented.

Cryptographers have recommended since 1998 not to use MD5 for new 
crypto-systems. The problem is that, like all conservative sectors,
those that drive crypto (banking, military) have been slow to migrate to
newer (and longer) cryptographic hash functions like SHA-1.

The NSA have never to my knowledge made a public comment on MD5, although
the US NIST, which is guided by the NSA to secure US government computers
(and guide suppliers), felt the need to create their own hash function
standard (SHS) of SHA-0, SHA-1, and family (-256,368,512). SHA-0 has
been trashed by Biham and a grad student (Biham was one of the ones that
rediscovered Differential Cryptanalysis, which we know the NSA did know
about). SHA-1 (and AFAIK -256,368,512) are still considered secure,
for the time being. It appears that Biham's attack cannot be extended
to the non-reduced (i.e. full) SHA-1 hash. SHA-1 was created with no
public explanation; it is suspected that the NSA recommended the
single change (from SHA-0) in SHA-1 to make it resist attacks not
known to the public ("open") crypto community.

M Taylor
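The migration the post argues for (stop accepting MD5 digests, move to the SHA family) can be enforced mechanically wherever a system verifies an "algorithm:hexdigest" value. The following is an added example written for this page, not code from the post or its author; the policy sets, the `algo:hex` format and the sample digests of the string "hello" are my own constructions.

```python
# Added example: a digest verifier that refuses MD5/MD4 (collision attacks,
# Wang et al. 2004) and accepts SHA-1 only with a migration warning.
import hashlib
import hmac

# Constructed policy for a new system; adjust to local requirements.
REJECTED = {"md5", "md4"}     # not collision resistant; never accept
DEPRECATED = {"sha1"}         # still verified here, but reported as weak

class WeakDigestError(ValueError):
    """Raised when the digest uses an algorithm the policy rejects."""

def parse_digest(spec):
    """Split an 'algo:hexdigest' string into (algo, hexdigest), lower-cased."""
    algo, sep, hexdigest = spec.partition(":")
    if not sep or not algo or not hexdigest:
        raise ValueError("digest must look like 'algo:hex', got %r" % (spec,))
    return algo.lower(), hexdigest.lower()

def verify(data, spec):
    """Return (matches, warning) for data against an 'algo:hex' digest.

    Raises WeakDigestError for rejected algorithms so callers cannot
    silently fall back to MD5, and ValueError for unknown algorithm names.
    """
    algo, expected = parse_digest(spec)
    if algo in REJECTED:
        raise WeakDigestError(
            "%s is not collision resistant; re-publish the digest with SHA-2" % algo)
    if algo not in hashlib.algorithms_available:
        raise ValueError("unknown digest algorithm %r" % (algo,))
    actual = hashlib.new(algo, data).hexdigest()
    matches = hmac.compare_digest(actual, expected)   # constant-time compare
    warning = None
    if algo in DEPRECATED:
        warning = "%s is deprecated; migrate to sha256 or longer" % algo
    return matches, warning

if __name__ == "__main__":
    # Constructed sample: well-known digests of the ASCII string "hello".
    sample = b"hello"
    print(verify(sample, "sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"))
    print(verify(sample, "sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"))
    try:
        verify(sample, "md5:5d41402abc4b2a76b9719d911017c592")
    except WeakDigestError as err:
        print("rejected:", err)
```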
