Robert J. Hansen rjh at
Mon Jun 25 03:05:08 CEST 2012

On 06/24/2012 06:11 PM, Werner Koch wrote:
> I have been saying for more than a decade that PGP 2 should not be used
> anymore.

The list may find my own timeline of MD5 to be worth reading -- it might
give some insight into why PGP 2 (in particular the MD5 vulnerabilities)
tends to engender such passionate responses.


1993: Bosselaers and den Boer present a theoretical break on MD5.

1996: Hans Dobbertin breaks MD5.  His results are immediately dismissed
      as "theoretical" when they are nothing but.  The security of a
      Merkle-Damgård hash (such as MD5) cannot be greater than the
      collision resistance of its compression function.  Dobbertin is
      able to break MD5's compression function in *seconds* on desktop
      hardware.  The MD5 death clock begins ticking down: we know
      (thanks to Dobbertin) that collisions can be generated against
      the full MD5 in seconds, but we don't yet know how.

1997: As an undergraduate, I read Dobbertin's paper and get shocked.
      I start advocating migration to SHA-1 and/or RIPEMD-160.  Nobody
      listens to me, and maybe rightfully so: after all, I'm just an
      undergrad.  That said, I'm in good company: lots of other very
      serious cryppies are advocating the same.

1998: Internal debates begin at PGP Security over whether MD5 should
      be considered "deprecated" (technically valid, but advised
      against) or "obsolete" (no longer valid).  (This is according
      to Len Sassaman.)

2001: People are still using MD5 in applications that need a
      collision-resistant hash function.  I begin to get irritated:
      we've had five years to do migrations.  Some important people
      within the community at that time (e.g., Imad Faiad) proclaim
      that MD5 is still secure and the vulnerabilities against it
      are still only theoretical and may never come to pass.  I begin
      to tell people that if we don't see real MD5 collisions within
      five years to never again believe anything I say.

2002: I enter graduate school for computer science and begin working
      in electronic voting.  I see systems being developed at that time
      which rely on the collision-resistance of MD5.  I begin to get
      unhinged.  In order to prove the ineffectiveness of MD5, I begin
      to work on MD5 collisions for my Master's thesis.

2004: Shandong University publishes the first MD5 collisions.  I have a
      very long and dejected talk with my advisor about my degree
      plans.  I take a Master's without thesis, but I tell my advisor
      I'm looking on the bright side: no one can claim MD5 is still
      safe, right?

2004: People continue to say MD5 is still safe, claiming that the
      Shandong University attacks are impractical -- they can only
      produce collisions in random data, which means you can't forge a
      particular signature on particular data.

2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and
      the NSA's website.  Dan is able to, in real time, tweak the EFF's
      website with non-displaying characters in order to make it look
      unchanged from the original but have the same MD5 hash as the
      NSA's website.  I was there in the audience and my jaw was on the

2005: People continue to say MD5 is still safe, claiming that... oh,
      God, I lose track at this point, honestly.  At this point my
      brain shuts down and I begin to believe anyone advocating MD5
      where collision resistance is necessary is living in resolute
      denial of the facts.

2008: The first public disclosure of a forged MD5-based SSL certificate.

2008: US-CERT issues a Vulnerability Notice which says in plain
      language, "Software developers, Certification Authorities,
      website owners and users should avoid using the MD5 algorithm in
      any capacity." (Ref: )

2012: News reports circulate that the Flame virus propagated by forging
      an MD5-based Microsoft signature.

2012: On this mailing list, 16 years after experts recommended migrating
      away from MD5 and four years after US-CERT categorically declared
      MD5 to be a "do not use" algorithm, we're having a discussion
      about PGP 2.6, which is deeply married to MD5.

After reviewing the past 19 years of results on MD5 and the community's
reaction to them, all I can say is ... nothing, really.  I used to be
able to get a lot of outrage summoned up over this subject, but now I've
been reduced to making faint whimpering noises.
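An added illustration of the 1996 point above (the Merkle-Damgård bound), not part of Hansen's post or the GnuPG project: the two 128-byte inputs below are the MD5 collision pair published by Wang, Feng, Lai and Yu in 2004, transcribed from the widely reproduced hex; the suffix appended in the demo is constructed. The script shows that the pair collides under MD5, that any identical trailing data keeps the collision alive (which is why a collision in the chaining structure poisons every signature over a longer document built on it), and that SHA-256 tells the two inputs apart.

```python
import hashlib

# Collision pair from Wang, Feng, Lai and Yu (2004): two distinct inputs of
# two MD5 blocks each that hash to the same MD5 digest.  Hex transcribed from
# the widely reproduced published pair (assumption: transcription is exact).
BLOCKS_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCKS_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests of the same input, for side-by-side checks."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def collision_report(suffix: bytes = b"") -> dict:
    """Compare the pair, optionally with an identical suffix appended to both.

    MD5 is a Merkle-Damgård construction: once the two colliding blocks have
    been absorbed, both inputs carry the same internal chaining value, so any
    identical suffix processed afterwards yields identical digests as well.
    A verifier that keys on MD5 therefore cannot distinguish the two documents
    no matter how much shared content follows the colliding blocks.
    """
    a, b = BLOCKS_A + suffix, BLOCKS_B + suffix
    da, db = digests(a), digests(b)
    return {
        "inputs_differ": a != b,
        "diff_offsets": differing_offsets(a, b),
        "md5_collides": da["md5"] == db["md5"],
        "sha256_collides": da["sha256"] == db["sha256"],
    }


if __name__ == "__main__":
    # Constructed suffix: stands in for the body of a longer signed document.
    for suffix in (b"", b"Constructed suffix: trailing data rides along.\n"):
        r = collision_report(suffix)
        print(
            f"suffix={len(suffix):3d} bytes  differ at {r['diff_offsets']}  "
            f"md5 collides={r['md5_collides']}  "
            f"sha256 collides={r['sha256_collides']}"
        )
```

The six differing bytes sit at the high end of three 32-bit words in each block, which is the published differential pattern; everything else in the two inputs is byte-for-byte identical. The defensive takeaway is the last column: a signature or fingerprint scheme that binds to SHA-256 (or any unbroken hash) separates the two inputs that MD5 conflates, which is exactly the migration the timeline above argues for.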
