Jean-David Beyer jeandavid8 at
Mon Jun 25 20:13:59 CEST 2012

Robert J. Hansen wrote:
> On 06/24/2012 06:11 PM, Werner Koch wrote:
>> I am telling for more than a decade that PGP 2 should not be used 
>> anymore.
> The list may find my own timeline of MD5 to be worth reading -- it might
> give some insight into why PGP 2 (in particular the MD5 vulnerabilities)
> tend to engender such passionate responses.
> =====
> 1993: Bosselaers and Den Boer present a theoretical break on MD5.
> 1996: Hans Dobbertin breaks MD5.  His results are immediately dismissed
>       as "theoretical" when they are nothing but.  The security of a
>       Merkle-Damgard hash (such as MD5) cannot be greater than the
>       collision resistance of its compression function.  Dobbertin is
>       able to break MD5's compression function in *seconds* on desktop
>       hardware.  The MD5 death clock begins ticking down: we know
>       (thanks to Dobbertin) that collisions can be generated against
>       the full MD5 in seconds, but we don't yet know how.
> 1997: As an undergraduate, I read Dobbertin's paper and get shocked.
>       I start advocating migration to SHA-1 and/or RIPEMD160.  Nobody
>       listens to me, and maybe rightfully so: after all, I'm just an
>       undergrad.  That said, I'm in good company: lots of other very
>       serious cryppies are advocating the same.
> 1998: Internal debates begin at PGP Security over whether MD5 should
>       be considered "deprecated" (technically valid, but advised
>       against) or "obsolete" (no longer valid).  (This is according
>       to Len Sassaman.)
> 2001: People are still using MD5 in applications that need a
>       collision-resistant hash function.  I begin to get irritated:
>       we've had five years to do migrations.  Some important people
>       within the community at that time (e.g., Imad Faiad) proclaim
>       that MD5 is still secure and the vulnerabilities against it
>       are still only theoretical and may never come to pass.  I begin
>       to tell people that if we don't see real MD5 collisions within
>       five years to never again believe anything I say.
> 2002: I enter graduate school for computer science and begin working
>       in electronic voting.  I see systems being developed at that time
>       which rely on the collision-resistance of MD5.  I begin to get
>       unhinged.  In order to prove the ineffectiveness of MD5, I begin
>       to work on MD5 collisions for my Master's thesis.
> 2004: Shengdong University publishes the first MD5 collisions.  I have a
>       very long and dejected talk with my advisor about my degree
>       plans.  I take a Master's without thesis, but I tell my advisor
>       I'm looking on the bright side: no one can claim MD5 is still
>       safe, right?
> 2004: People continue to say MD5 is still safe, claiming that the
>       Shengdong University attacks are impractical -- they can only
>       produce collisions in random data, which means you can't forge a
>       particular signature on particular data.
> 2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and
>       the NSA's website.  Dan is able to, in realtime, tweak the EFF's
>       website with nondisplaying characters in order to make it look
>       unchanged from the original but have the same MD5 hash as the
>       NSA's website.  I was there in the audience and my jaw was on the
>       floor.
> 2005: People continue to say MD5 is still safe, claiming that... oh,
>       God, I lose track at this point, honestly.  At this point my
>       brain shuts down and I begin to believe anyone advocating MD5
>       where collision resistance is necessary is living in resolute
>       denial of the facts.
> 2008: The first public disclosure of a forged MD5-based SSL certificate.
> 2008: US-CERT issues a Vulnerability Notice which says in plain
>       language, "Software developers, Certification Authorities,
>       website owners and users should avoid using the MD5 algorithm in
>       any capacity." (Ref: )
> 2012: News reports circulate that the Flame virus propagated by forging
>       an MD5-based Microsoft signature.
> 2012: On this mailing list, 16 years after experts recommended migrating
>       away from MD5 and four years after US-CERT categorically declared
>       MD5 to be a "do not use" algorithm, we're having a discussion
>       about PGP 2.6, which is deeply married to MD5.
> After reviewing the past 19 years of results on MD5 and the community's
> reaction to them, all I can say is ... nothing, really.  I used to be
> able to get a lot of outrage summoned up over this subject, but now I've
> been reduced to making faint whimpering noises.

“A new scientific truth does not triumph by convincing opponents and
making them see the light, but rather because its opponents eventually
die, and a new generation grows up that is familiar with it.”
-- Max Planck

  .~.  Jean-David Beyer          Registered Linux User 85642.
  /V\  PGP-Key:3EDBB65E 9A2FC99A Registered Machine   241939.
 /( )\ Shrewsbury, New Jersey
 ^^-^^ 14:10:01 up 13 days, 24 min, 3 users, load average: 4.28, 4.34, 4.24
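The 1996 entry in the quoted timeline rests on a structural fact: in a Merkle-Damgard hash, two blocks that collide in the compression function give two full messages that collide for any common suffix, so a compression-function break is a break of the whole hash. The following is an added example, not code from this thread or from GnuPG, using a toy 16-bit Merkle-Damgard construction built here for illustration (it is not MD5; the tiny state is a deliberate, labelled weakness so the search finishes instantly).

```python
import hashlib

# Toy Merkle-Damgard hash, constructed for this example. It is NOT MD5:
# a 16-bit chaining state and 2-byte blocks make compression-function
# collisions cheap to find by brute force, so the structural argument
# can be shown end to end.
BLOCK = 2          # bytes per message block
IV = 0x1234        # fixed initial chaining value

def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256(state || block) truncated to 16 bits."""
    data = state.to_bytes(2, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def md_hash(msg: bytes) -> int:
    """Merkle-Damgard iteration with MD-strengthening (0x80, zero pad, bit length)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    padded += ((len(msg) * 8) % (1 << 16)).to_bytes(BLOCK, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_compression_collision(state: int = IV):
    """Birthday search over single blocks: two distinct blocks with equal output."""
    seen = {}
    for i in range(1 << (8 * BLOCK)):
        blk = i.to_bytes(BLOCK, "big")
        out = compress(state, blk)
        if out in seen:
            return seen[out], blk
        seen[out] = blk
    raise RuntimeError("no collision in the block space")

def extend_collision(b1: bytes, b2: bytes, suffix: bytes):
    """Same chaining state after the colliding blocks, same suffix and same
    padding (equal lengths): the full hashes collide for ANY suffix."""
    m1, m2 = b1 + suffix, b2 + suffix
    return m1, m2, md_hash(m1) == md_hash(m2)

if __name__ == "__main__":
    b1, b2 = find_compression_collision()
    doc = b" I agree to pay 10 EUR."   # constructed document body
    m1, m2, same = extend_collision(b1, b2, doc)
    print(m1 != m2, same, hex(md_hash(m1)), hex(md_hash(m2)))
```

The search cost scales with the compression function's output size, which is why a compression-function break found "in seconds" implies full-hash collisions once the matching blocks are known.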
