Robert J. Hansen
rjh at sixdemonbag.org
Mon Jun 25 03:05:08 CEST 2012
On 06/24/2012 06:11 PM, Werner Koch wrote:
> I am telling for more than a decade that PGP 2 should not be used
The list may find my own timeline of MD5 to be worth reading -- it might
give some insight into why PGP 2 (in particular the MD5 vulnerabilities)
tend to engender such passionate responses.
1993: Bosselaers and Den Boer present a theoretical break on MD5.
1996: Hans Dobbertin breaks MD5. His results are immediately dismissed
as "theoretical" when they are nothing but. The security of a
Merkle-Damgard hash (such as MD5) cannot be greater than the
collision resistance of its compression function. Dobbertin is
able to break MD5's compression function in *seconds* on desktop
hardware. The MD5 death clock begins ticking down: we know
(thanks to Dobbertin) that collisions can be generated against
the full MD5 in seconds, but we don't yet know how.
1997: As an undergraduate, I read Dobbertin's paper and get shocked.
I start advocating migration to SHA-1 and/or RIPEMD160. Nobody
listens to me, and maybe rightfully so: after all, I'm just an
undergrad. That said, I'm in good company: lots of other very
serious cryppies are advocating the same.
1998: Internal debates begin at PGP Security over whether MD5 should
be considered "deprecated" (technically valid, but advised
against) or "obsolete" (no longer valid). (This is according
to Len Sassaman.)
2001: People are still using MD5 in applications that need a
collision-resistant hash function. I begin to get irritated:
we've had five years to do migrations. Some important people
within the community at that time (e.g., Imad Faiad) proclaim
that MD5 is still secure and the vulnerabilities against it
are still only theoretical and may never come to pass. I begin
to tell people that if we don't see real MD5 collisions within
five years to never again believe anything I say.
2002: I enter graduate school for computer science and begin working
in electronic voting. I see systems being developed at that time
which rely on the collision-resistance of MD5. I begin to get
unhinged. In order to prove the ineffectiveness of MD5, I begin
to work on MD5 collisions for my Master's thesis.
2004: Shengdong University publishes the first MD5 collisions. I have a
very long and dejected talk with my advisor about my degree
plans. I take a Master's without thesis, but I tell my advisor
I'm looking on the bright side: no one can claim MD5 is still
2004: People continue to say MD5 is still safe, claiming that the
Shengdong University attacks are impractical -- they can only
produce collisions in random data, which means you can't forge a
particular signature on particular data.
2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and
the NSA's website. Dan is able to, in realtime, tweak the EFF's
website with nondisplaying characters in order to make it look
unchanged from the original but have the same MD5 hash as the
NSA's website. I was there in the audience and my jaw was on the
2005: People continue to say MD5 is still safe, claiming that... oh,
God, I lose track at this point, honestly. At this point my
brain shuts down and I begin to believe anyone advocating MD5
where collision resistance is necessary is living in resolute
denial of the facts.
2008: The first public disclosure of a forged MD5-based SSL certificate.
2008: US-CERT issues a Vulnerability Notice which says in plain
language, "Software developers, Certification Authorities,
website owners and users should avoid using the MD5 algorithm in
any capacity." (Ref: http://www.kb.cert.org/vuls/id/836068 )
2012: News reports circulate that the Flame virus propagated by forging
an MD5-based Microsoft signature.
2012: On this mailing list, 16 years after experts recommended migrating
away from MD5 and four years after US-CERT categorically declared
MD5 to be a "do not use" algorithm, we're having a discussion
about PGP 2.6, which is deeply married to MD5.
After reviewing the past 19 years of results on MD5 and the community's
reaction to them, all I can say is ... nothing, really. I used to be
able to get a lot of outrage summoned up over this subject, but now I've
been reduced to making faint whimpering noises.
More information about the Gnupg-users