From owner-ietf-openpgp@mail.imc.org  Thu Aug  5 14:14:13 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA03809
	for <openpgp-archive@lists.ietf.org>; Thu, 5 Aug 2004 14:14:13 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i75HrjML019620;
	Thu, 5 Aug 2004 10:53:45 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i75HrjvB019619;
	Thu, 5 Aug 2004 10:53:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from slc-exch-1.forumsys.com (67.107.202.130.ptr.us.xo.net [67.107.202.130])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i75Hriae019609
	for <ietf-openpgp@imc.org>; Thu, 5 Aug 2004 10:53:44 -0700 (PDT)
	(envelope-from hmujtaba@forumsys.com)
Received: from bstn-exch1.forumsys.com ([10.5.2.12]) by slc-exch-1.forumsys.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Thu, 5 Aug 2004 11:53:42 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Subject: Partial chunking question
Date: Thu, 5 Aug 2004 13:53:40 -0400
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B38D@bstn-exch1.forumsys.com>
Thread-Topic: Partial chunking question
Thread-Index: AcR7FVCbRtaDUw5vQyObyEz9tSgl4Q==
From: "Hasnain Mujtaba" <hmujtaba@forumsys.com>
To: <ietf-openpgp@imc.org>
X-OriginalArrivalTime: 05 Aug 2004 17:53:42.0773 (UTC) FILETIME=[258CCA50:01C47B15]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i75Hriae019614
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


Hi all,

I had a question on breaking data into partial chunks. If someone can
clarify this, I'd appreciate it:

Suppose the chunk size you are using is 8192 bytes and the final data
chunk is less than 8192, say it is 6480. My chunking implementation puts
these final 6480 bytes into one non-partial length chunk so that the
chunk sequence looks like this: 8192, 8192, ... , 8192, 6480.

GPG and PGP, however, break this final data into power of two lengths,
i.e. 8192, 8192, ... , 8192, 4096, 2048, 336.

My approach interoperates with both GPG and PGP. But I am curious as to
why GPG and PGP break the final data this way, rather than putting it
all in one final non-partial chunk. I hope I have not overlooked some
RFC requirements.

Regards,
Hasnain

----
The information contained in this electronic mail and any attached
document is the confidential and proprietary business information of
Forum Systems, Inc. It is intended solely for the addressed recipient
listed above. It may not be distributed in any manner without the
express written consent of Forum Systems, Inc. 




From owner-ietf-openpgp@mail.imc.org  Thu Aug  5 14:35:27 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA05295
	for <openpgp-archive@lists.ietf.org>; Thu, 5 Aug 2004 14:35:26 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i75IKZxA022046;
	Thu, 5 Aug 2004 11:20:35 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i75IKZ2n022045;
	Thu, 5 Aug 2004 11:20:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i75IKZNQ022035
	for <ietf-openpgp@imc.org>; Thu, 5 Aug 2004 11:20:35 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: from walrus.ne.client2.attbi.com (walrus.ne.client2.attbi.com [24.60.132.70])
	by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id i75IKWu29009
	for <ietf-openpgp@imc.org>; Thu, 5 Aug 2004 14:20:37 -0400
Received: from claude.jabberwocky.com ([172.24.84.27])
	by walrus.ne.client2.attbi.com (8.12.8/8.12.8) with ESMTP id i75IKR6q014177
	for <ietf-openpgp@imc.org>; Thu, 5 Aug 2004 14:20:27 -0400
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id i75IKRd27427
	for ietf-openpgp@imc.org; Thu, 5 Aug 2004 14:20:27 -0400
Date: Thu, 5 Aug 2004 14:20:27 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Partial chunking question
Message-ID: <20040805182027.GA27372@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B38D@bstn-exch1.forumsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B38D@bstn-exch1.forumsys.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (71% of Full)
User-Agent: Mutt/1.5.6i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Thu, Aug 05, 2004 at 01:53:40PM -0400, Hasnain Mujtaba wrote:

> I had a question on breaking data into partial chunks. If someone can
> clarify this, I'd appreciate it:
> 
> Suppose the chunk size you are using is 8192 bytes and the final data
> chunk is less than 8192, say it is 6480. My chunking implementation puts
> these final 6480 bytes into one non-partial length chunk so that the
> chunk sequence looks like this: 8192, 8192, ... , 8192, 6480.
> 
> GPG and PGP, however, break this final data into power of two lengths,
> i.e. 8192, 8192, ... , 8192, 4096, 2048, 336.
> 
> My approach interoperates with both GPG and PGP. But I am curious as to
> why GPG and PGP break the final data this way, rather than putting it
> all in one final non-partial chunk. I hope I have not overlooked some
> RFC requirements.

It's not an RFC requirement.  When writing a stream, GnuPG picks the
largest possible power of 2 for the amount of data it is ready to
write at that point.  I suspect PGP does something similar for similar
reasons.

What you are doing is also perfectly legal.

David
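The two chunk layouts compared in this exchange, as an added example (not code from the thread, from Hasnain's implementation, or from GnuPG/PGP). It encodes a stream with OpenPGP partial body lengths as RFC 2440 section 4.2.2.4 defines them and parses the result back, so the sequences 8192, ..., 8192, 6480 and 8192, ..., 8192, 4096, 2048, 336 can both be produced and checked. The 512-byte cut-off for emitting further partial chunks in the GnuPG-style writer is an assumption of this example (the RFC only requires the first partial length to be at least 512 octets); the sample data is constructed.

```python
"""
Added example, not code from the thread, from Hasnain's implementation or
from GnuPG/PGP. It writes a byte stream with OpenPGP partial body lengths
(RFC 2440 section 4.2.2.4) in the two layouts the thread compares and
parses the result back.

Length encodings (new-format packets):
  partial   one octet 224..254, chunk length = 1 << (octet & 0x1F);
            the first partial length must be at least 512 octets
  regular   0..191 one octet; 192..8383 two octets; otherwise 0xFF + 4 octets
A regular length always ends the packet; a partial length never does.
"""
from typing import List, Tuple

MAX_CHUNK = 8192   # buffer size from the thread's example
MIN_PARTIAL = 512  # RFC minimum for the first partial chunk; also used here
                   # (assumption) as the cut-off for emitting further ones


def regular_length(n: int) -> bytes:
    """Encode a regular (non-partial) body length as 1, 2 or 5 octets."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([192 + (n >> 8), n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")


def partial_length(n: int) -> bytes:
    """Encode a partial body length; n must be a power of two in 1..2**30."""
    exp = n.bit_length() - 1
    if n <= 0 or n != 1 << exp or exp > 30:
        raise ValueError(f"{n} is not a valid partial body length")
    return bytes([224 + exp])


def chunk_single_final(data: bytes, chunk: int = MAX_CHUNK) -> bytes:
    """Layout from the question: fixed partial chunks, then whatever is left
    in one regular-length chunk (8192, ..., 8192, 6480)."""
    out, pos = bytearray(), 0
    while len(data) - pos > chunk:
        out += partial_length(chunk) + data[pos:pos + chunk]
        pos += chunk
    out += regular_length(len(data) - pos) + data[pos:]
    return bytes(out)


def chunk_largest_pow2(data: bytes, chunk: int = MAX_CHUNK) -> bytes:
    """Layout modelled on David Shaw's description of GnuPG: each partial
    chunk is the largest power of two that fits the data at hand (capped at
    the buffer size); once fewer than MIN_PARTIAL bytes remain they go out
    under a regular length (8192, ..., 8192, 4096, 2048, 336)."""
    out, pos = bytearray(), 0
    while len(data) - pos >= MIN_PARTIAL:
        n = min(chunk, 1 << ((len(data) - pos).bit_length() - 1))
        out += partial_length(n) + data[pos:pos + n]
        pos += n
    out += regular_length(len(data) - pos) + data[pos:]
    return bytes(out)


def decode_chunks(body: bytes) -> Tuple[List[Tuple[str, int]], bytes]:
    """Walk the chunk sequence, returning [(kind, length), ...] and the
    reassembled payload. Truncation after a partial chunk, a chunk running
    past the input, or bytes after the final regular chunk are errors."""
    chunks, payload, pos = [], bytearray(), 0
    while True:
        if pos >= len(body):
            raise ValueError("input ended after a partial chunk; no final regular length")
        octet = body[pos]
        pos += 1
        if octet < 192:
            kind, n = "regular", octet
        elif octet < 224:
            if pos >= len(body):
                raise ValueError("truncated two-octet length")
            kind, n = "regular", ((octet - 192) << 8) + body[pos] + 192
            pos += 1
        elif octet < 255:
            kind, n = "partial", 1 << (octet & 0x1F)
            if not chunks and n < MIN_PARTIAL:
                raise ValueError("first partial length must be at least 512 octets")
        else:
            if pos + 4 > len(body):
                raise ValueError("truncated five-octet length")
            kind, n = "regular", int.from_bytes(body[pos:pos + 4], "big")
            pos += 4
        if pos + n > len(body):
            raise ValueError("chunk length exceeds remaining input")
        chunks.append((kind, n))
        payload += body[pos:pos + n]
        pos += n
        if kind == "regular":
            if pos != len(body):
                raise ValueError("trailing bytes after the final chunk")
            return chunks, bytes(payload)


def chunk_lengths(body: bytes) -> List[int]:
    """Just the chunk sizes, e.g. [8192, 8192, 8192, 4096, 2048, 336]."""
    return [n for _, n in decode_chunks(body)[0]]


if __name__ == "__main__":
    sample = bytes(i % 251 for i in range(3 * 8192 + 6480))  # constructed
    for name, fn in (("single final", chunk_single_final),
                     ("largest pow2", chunk_largest_pow2)):
        body = fn(sample)
        assert decode_chunks(body)[1] == sample
        print(f"{name:13s} {chunk_lengths(body)}")
```

Both writers end the packet with a regular length, which is the one rule a reader can rely on: the decoder above refuses input that stops after a partial chunk, since a stream cut there is indistinguishable from truncation.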



From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 10:17:34 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA08427
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 10:17:33 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IDsjP4063199;
	Wed, 18 Aug 2004 06:54:45 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7IDsjBL063198;
	Wed, 18 Aug 2004 06:54:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IDsiVM063190
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:44 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Received: from localhost (localhost.hushmail.com [127.0.0.1])
	by smtp3.hushmail.com (Postfix) with ESMTP id D467EA3377
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:43 -0700 (PDT)
Received: from smtp3.hushmail.com (localhost.hushmail.com [127.0.0.1])
	by smtp3.hushmail.com (Postfix) with SMTP id 6D346A3342
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:43 -0700 (PDT)
Received: from mailserver3.hushmail.com (mailserver3.hushmail.com [65.39.178.20])
	by smtp3.hushmail.com (Postfix) with ESMTP
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:43 -0700 (PDT)
Received: (from nobody@localhost)
	by mailserver3.hushmail.com (8.12.11/8.12.9/Submit) id i7IDshdn015159
	for ietf-openpgp@imc.org; Wed, 18 Aug 2004 06:54:43 -0700 (PDT)
	(envelope-from vedaal@hush.com)
Message-Id: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
Date: Wed, 18 Aug 2004 06:54:42 -0700
To: ietf-openpgp@imc.org
Subject: re-consideration of TIGER
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


now that sha-0 has been broken,
and sha-1 is actively being looked at for a possible extension of the
attack,

and MD5, HAVAL, and RIPEMD are also being attacked
(http://eprint.iacr.org/2004/199.pdf)


would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
as a potential backup hash for implementations/users that may wish to
begin doing so?


vedaal












From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 11:02:47 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA11646
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 11:02:46 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IEg0Gg071396;
	Wed, 18 Aug 2004 07:42:00 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7IEg0Fc071395;
	Wed, 18 Aug 2004 07:42:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IEfxgo071374
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 07:42:00 -0700 (PDT)
	(envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1])
	by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7IEfusk011251
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 16:41:56 +0200
Received: (from news@localhost)
	by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7IEfuqn011250
	for ietf-openpgp@imc.org; Wed, 18 Aug 2004 16:41:56 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 14:41:56 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 9
Message-ID:  <slrnci6qlk.nu.lutz@taranis.iks-jena.de>
References:  <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
NNTP-Posting-Host: taranis.iks-jena.de
X-Trace: branwen.iks-jena.de 1092840116 8623 217.17.192.37 (18 Aug 2004 14:41:56 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Wed, 18 Aug 2004 14:41:56 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


* <vedaal@hush.com> wrote:
> would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?

Unless the attack is not substantiated, wild actionism should be avoided.
Currently the attack looks like exploiting insufficient highest bit handling
of the internal state variables. This is a matter if the protocol applies a
random(!) padding directly before hashing.



From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 12:46:04 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA20640
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 12:46:03 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGLHAq086664;
	Wed, 18 Aug 2004 09:21:17 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7IGLHmr086663;
	Wed, 18 Aug 2004 09:21:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from lake.cyberia.net.lb (lake.cyberia.net.lb [195.112.195.73])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGLDPN086637
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 09:21:15 -0700 (PDT)
	(envelope-from matic@cyberia.net.lb)
Received: from lake ([127.0.0.1]) by lake.cyberia.net.lb with ESMTP
          id <20040818162106.FDRD3436.lake@lake>;
          Wed, 18 Aug 2004 19:21:06 +0300
Received: from localhost (localhost [127.0.0.1])
	by lake (Postfix) with ESMTP id C89521B545D;
	Wed, 18 Aug 2004 19:21:06 +0300 (EEST)
Received: from lake ([127.0.0.1])
 by localhost (lake [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
 id 23925-06; Wed, 18 Aug 2004 19:21:06 +0300 (EEST)
Received: from lake (lake [195.112.195.73])
	by lake (Postfix) with SMTP id D01A81B544B;
	Wed, 18 Aug 2004 19:21:05 +0300 (EEST)
X-Mailer: Openwave WebEngine, version 2.8.14 (webedge20-101-1101-20040406)
X-Originating-IP: [62.84.86.106]
From: <matic@cyberia.net.lb>
To: <vedaal@hush.com>, <ietf-openpgp@imc.org>
Subject: Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 19:21:05 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=____1092846065832_Zmv+Fc?)QY"
Message-Id: <20040818162105.D01A81B544B@lake>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


This is a multi-part message in MIME format.

------=____1092846065832_Zmv+Fc?)QY
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,
the recent breakthrough appears to apply to all
the MDx based hash algorithms.
while TIGER is not, i am told, it does not mean that
it is more secure, as it has not been subject to same
scrutiny as the MDx based hashes.
i believe that less is better, however, diversity
is a good thing, especially when the algorithms
are un-related.  After all, this is the reason
why there are numerous algorithms in a crypto suite.
i am no expert of course, but it would be a cautious
thing to trim down the algorithms of similar ones
for the sake to complexity, and augment them with
dissimilar ones for the sake of hedging one's bet.
given the above a case for re-instating TIGER in openpgp
could be made.
hth
best regards
Imad R. Faiad

> 
> From: <vedaal@hush.com>
> Date: 2004/08/18 Wed PM 04:54:42 EAT
> To: ietf-openpgp@imc.org
> Subject: re-consideration of TIGER
> 
> 
>now that sha-0 has been broken,
>and sha-1 is actively being looked at for a possible >extension of the
>attack,
>
>and MD5, HAVAL, and RIPEMD are also being attacked
>http://eprint.iacr.org/2004/199.pdf)
>
>
>would it be reasonable to re-accept the non-sha based >hashes, (e.g. TIGER)
>as a potential backup hash for implementations/users >that may wish to
>begin doing so?
>
>
>vedaal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBI4HfyaCxfwAfoa0RArsFAKDluxCYvOajIuzKysqQ077RoRZ6vwCaA3TY
1IUieQzgGKZIca5hjkKrXFU=
=fjCn
-----END PGP SIGNATURE-----


------=____1092846065832_Zmv+Fc?)QY--



From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 12:54:27 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA21289
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 12:54:27 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGas3j089399;
	Wed, 18 Aug 2004 09:36:54 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7IGasxB089398;
	Wed, 18 Aug 2004 09:36:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGar7Q089381
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 09:36:53 -0700 (PDT)
	(envelope-from jon@callas.org)
Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with
 ESMTP (Eudora Internet Mail Server X 3.2.5);
 Wed, 18 Aug 2004 09:36:50 -0700
Received: from [128.111.166.181] ([128.111.166.181])
  by keys.merrymeet.com (PGP Universal service);
  Wed, 18 Aug 2004 09:36:49 -0700
X-PGP-Universal: processed
In-Reply-To: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <C7FA2EDA-F134-11D8-A0BE-000A9568596C@callas.org>
Content-Transfer-Encoding: 7bit
Cc: ietf-openpgp@imc.org
From: Jon Callas <jon@callas.org>
Subject: Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 09:36:40 -0700
To: <vedaal@hush.com>
X-Mailer: Apple Mail (2.619)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


On 18 Aug 2004, at 6:54 AM, <vedaal@hush.com> wrote:

> would it be reasonable to re-accept the non-sha based hashes, (e.g. 
> TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?
>

Not really, no. There are already perfectly good backup algorithms.

The reason we removed Tiger is that it hasn't been examined or used at 
all. None of these things apply to Tiger, and it is therefore still not 
well examined nor used. Going from a hash function that has been 
examined to one that hasn't isn't presently warranted.

SHA-1 isn't broken yet. Even the ones that have been broken haven't 
been broken (yet) in ways that permit signature forging. What we know 
now is that the functions we've been saying for close to a decade 
shouldn't be used really shouldn't be used.

If you're worried about SHA-1, you should move to SHA-256. Don't be 
scared by the fact that it's called "SHA."

If you want to do something *really* practical and good, stop using 
your V3 keys. (That's the editorial you, not vedaal specifically.)

I'm sitting in the hash sessions at Crypto now, and SHA-1 isn't broken. 
Again, if you still want to do something, start using SHA-256.

	Jon



From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 13:09:07 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22558
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 13:09:06 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGrxha091969;
	Wed, 18 Aug 2004 09:53:59 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7IGrxHN091968;
	Wed, 18 Aug 2004 09:53:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.enyo.de (mail.enyo.de [212.9.189.167])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGrwCt091952
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 09:53:58 -0700 (PDT)
	(envelope-from fw@deneb.enyo.de)
Received: (debugging) helo=deneb.enyo.de ip=212.9.189.171 name=deneb.enyo.de
Received: from deneb.enyo.de ([212.9.189.171])
	by mail.enyo.de with esmtp id 1BxThG-0001sh-2t; Wed, 18 Aug 2004 18:53:58 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.34)
	id 1BxThE-00034W-7V; Wed, 18 Aug 2004 18:53:56 +0200
To: Lutz Donnerhacke <lutz@iks-jena.de>
Cc: ietf-openpgp@imc.org
Subject: Re: re-consideration of TIGER
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
	<slrnci6qlk.nu.lutz@taranis.iks-jena.de>
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 18 Aug 2004 18:53:56 +0200
In-Reply-To: <slrnci6qlk.nu.lutz@taranis.iks-jena.de> (Lutz Donnerhacke's
	message of "Wed, 18 Aug 2004 14:41:56 +0000 (UTC)")
Message-ID: <874qn075gb.fsf@deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


* Lutz Donnerhacke:

> Unless the attack is not substantiated, wild actionism should be avoided.

Agreed.

> Currently the attack looks like exploiting insufficient highest bit
> handling of the internal state variables. This is a matter if the
> protocol applies a random(!) padding directly before hashing.

Source?

Based on my extrapolation of the pseudo-paper, it also depends where
the padding is added, if some length information is protected by the
hash, and the overall purpose of the hash function.  While MD5 has
certainly been broken, this doesn't seem to lead to immediate attacks
on real protocols.

(The impact on V3 keys could be interesting, though.)



From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 16:13:27 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA08643
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 16:13:16 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IJK5Pp021429;
	Wed, 18 Aug 2004 12:20:05 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7IJK5L4021428;
	Wed, 18 Aug 2004 12:20:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IJK3NO021420
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 12:20:04 -0700 (PDT)
	(envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1])
	by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7IJK7MJ019576
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 21:20:07 +0200
Received: (from news@localhost)
	by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7IJK7k5019575
	for ietf-openpgp@imc.org; Wed, 18 Aug 2004 21:20:07 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 19:20:07 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 13
Message-ID:  <slrnci7av7.1bn.lutz@belenus.iks-jena.de>
References:  <874qn075gb.fsf@deneb.enyo.de>
NNTP-Posting-Host: belenus.iks-jena.de
X-Trace: branwen.iks-jena.de 1092856807 19532 217.17.192.34 (18 Aug 2004 19:20:07 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Wed, 18 Aug 2004 19:20:07 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


* Florian Weimer wrote:
> * Lutz Donnerhacke:
>> Currently the attack looks like exploiting insufficient highest bit
>> handling of the internal state variables. This is a matter if the
>> protocol applies a random(!) padding directly before hashing.
>
> Source?

Personal impression.

> (The impact on V3 keys could be interesting, though.)

Of course.



From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 17:06:31 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA16930
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 17:06:30 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IKnoof036212;
	Wed, 18 Aug 2004 13:49:50 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7IKno84036211;
	Wed, 18 Aug 2004 13:49:50 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from thetis.deor.org (thetis.deor.org [207.106.86.210])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IKnnk7036203
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 13:49:50 -0700 (PDT)
	(envelope-from rabbi@abditum.com)
Received: by thetis.deor.org (Postfix, from userid 500)
	id DA29D45057; Wed, 18 Aug 2004 13:49:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by thetis.deor.org (Postfix) with ESMTP id A2E6E4801E;
	Wed, 18 Aug 2004 13:49:51 -0700 (PDT)
Date: Wed, 18 Aug 2004 13:49:51 -0700 (PDT)
From: Len Sassaman <rabbi@abditum.com>
X-X-Sender: rabbi@thetis.deor.org
To: vedaal@hush.com, ietf-openpgp@imc.org
Subject: Re: re-consideration of TIGER
In-Reply-To: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
Message-ID: <Pine.LNX.4.58.0408181334530.27342@thetis.deor.org>
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Wed, 18 Aug 2004 vedaal@hush.com wrote:

> now that sha-0 has been broken,

SHA-0 was (theoretically) broken in 1998. The recent work is simply an
improvement in the break.

> and sha-1 is actively being looked at for a possible extension of the
> attack,
>
> and MD5, HAVAL, and RIPEMD are also being attacked
> (http://eprint.iacr.org/2004/199.pdf)

Actually, all three are broken. But MD5 was (theoretically) broken in
1996, and RIPEMD has been considered weak for years. (Note, RIPEMD is
based on MD4.  It is *not* the same as RIPEMD-160 (based on RIPEMD, but
with considerable input from Dobbertin, who broke MD4 and MD5) or
RIPEMD-128 (based on RIPEMD-160, intended as a "drop in" replacement for
RIPEMD or MD4/5).)

> would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?

SHA-256 and SHA-512 are not based on the MDx family, and have arguably
gotten more scrutiny than TIGER. Even if SHA-1 or RIPEMD-160 were
threatened, we already have alternatives.

The bigger problem I see is with the lack of a sound hash function
firewall in OpenPGP v4 DSA keys. We can add all the strong hash functions
we want, but as long as there exists a weak hash function in the spec, an
attacker can theoretically cause a collision in the weak hash function to
match the strong hash function's results, and break the signature scheme.

We either need to fix this, drop DSA keys, require that all DSA keys
actually be DSS (and then deal with the consequences if SHA-1 is broken),
or standardize on a single hash (and have a backup hash ready if need be.)

Thinking about this more now, I suppose dropping DSA would be the
simplest, though that would cause a lot of compatibility issues.

On a different note, I'm also in favor of dropping backwards compatibility
with v3 in the spec, as I've mentioned before. This would also allow us to
easily drop MD5 from v4. I think any backwards compatibility is adequately
handled in the client implementations, and does not belong as a part of
the OpenPGP message format. (I.e., there are clients that offer S/MIME
compatibility, yet there's no reason for that to be part of this spec,
either. We already have RFC 1991.)


--Len.
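Len's "hash function firewall" point, made concrete as an added example (not code from the thread or from any OpenPGP implementation). It shows what a V4 signature actually hashes, namely the message, the signature packet's hashed area (version, type, public-key algorithm, hash algorithm, hashed subpackets) and the six-octet trailer 0x04 0xFF plus the four-octet length of that area, as RFC 2440/4880 section 5.2.4 lay it out; and it adds the verifier-side check the spec lacks: a per-key set of acceptable hash algorithms, so a signature cannot be verified against a key with whatever weak hash the registry still carries. The KeyPolicy type, the DSS_ONLY and STRONG_DSA policies, and the sample message are constructed for this example; the DSA/RSA arithmetic that would normally recover the signed digest is stood in for by a digest passed to the verifier.

```python
"""
Added example, not code from the thread or from any OpenPGP implementation.

  1. signed_bytes() / v4_signature_digest(): the octets a V4 signature
     hashes (RFC 2440 / RFC 4880 section 5.2.4): message, then the signature
     packet's hashed area, then the trailer 0x04 0xFF <4-octet area length>.
  2. KeyPolicy / verify_digest(): a "hash firewall" in the verifier, binding
     the set of acceptable hash algorithms to the key rather than letting
     the signature packet choose freely. OpenPGP carries no such per-key
     restriction for DSA; the policy type and both policies are constructed.

Digest recovery (the DSA/RSA arithmetic) is out of scope: verify_digest()
takes the recovered digest as an argument.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import FrozenSet

# OpenPGP hash algorithm ids (section 9.4). TIGER/192 is id 6 in RFC 2440.
HASH_MD5, HASH_SHA1, HASH_RIPEMD160, HASH_TIGER192 = 1, 2, 3, 6
HASH_SHA256, HASH_SHA384, HASH_SHA512 = 8, 9, 10
HASHLIB_NAME = {HASH_MD5: "md5", HASH_SHA1: "sha1", HASH_RIPEMD160: "ripemd160",
                HASH_SHA256: "sha256", HASH_SHA384: "sha384", HASH_SHA512: "sha512"}

# OpenPGP public-key algorithm ids (section 9.1)
PK_RSA, PK_DSA = 1, 17


@dataclass(frozen=True)
class SigPacketV4:
    """The fields of a V4 signature packet that go into the hash."""
    sig_type: int
    pk_algo: int
    hash_algo: int
    hashed_subpackets: bytes = b""

    def hashed_area(self) -> bytes:
        # version, type, pk algo, hash algo, 2-octet subpacket length, data
        return (bytes([4, self.sig_type, self.pk_algo, self.hash_algo])
                + struct.pack(">H", len(self.hashed_subpackets))
                + self.hashed_subpackets)


def signed_bytes(message: bytes, sig: SigPacketV4) -> bytes:
    """Exactly the octets a V4 signature hashes, trailer included."""
    hashed = sig.hashed_area()
    return message + hashed + b"\x04\xff" + struct.pack(">I", len(hashed))


def v4_signature_digest(message: bytes, sig: SigPacketV4) -> bytes:
    """Digest over signed_bytes() with the algorithm named in the packet."""
    if sig.hash_algo not in HASHLIB_NAME:
        raise ValueError(f"hash algorithm {sig.hash_algo} not available here")
    return hashlib.new(HASHLIB_NAME[sig.hash_algo], signed_bytes(message, sig)).digest()


@dataclass(frozen=True)
class KeyPolicy:
    """Hash firewall for one key: which hash ids a verifier accepts with it."""
    pk_algo: int
    allowed_hashes: FrozenSet[int]


# Constructed policies. DSS_ONLY is the "DSA keys must actually be DSS"
# option from Len's message (FIPS 186 DSA pairs with SHA-1); STRONG_DSA
# keeps SHA-1 and admits the SHA-2 family that Jon and Len point to.
DSS_ONLY = KeyPolicy(PK_DSA, frozenset({HASH_SHA1}))
STRONG_DSA = KeyPolicy(PK_DSA, frozenset({HASH_SHA1, HASH_SHA256, HASH_SHA384, HASH_SHA512}))


def firewall_accepts(policy: KeyPolicy, sig: SigPacketV4) -> bool:
    """Reject before hashing anything if the packet names a hash (or key
    algorithm) the key's policy does not admit."""
    return sig.pk_algo == policy.pk_algo and sig.hash_algo in policy.allowed_hashes


def verify_digest(policy: KeyPolicy, message: bytes, sig: SigPacketV4,
                  recovered_digest: bytes) -> str:
    """'rejected-by-firewall' before any hashing, else 'ok' / 'bad-digest'."""
    if not firewall_accepts(policy, sig):
        return "rejected-by-firewall"
    return "ok" if v4_signature_digest(message, sig) == recovered_digest else "bad-digest"


if __name__ == "__main__":
    msg = b"constructed sample message\n"
    sha256_sig = SigPacketV4(sig_type=0x00, pk_algo=PK_DSA, hash_algo=HASH_SHA256)
    md5_sig = SigPacketV4(sig_type=0x00, pk_algo=PK_DSA, hash_algo=HASH_MD5)
    good = v4_signature_digest(msg, sha256_sig)
    print(verify_digest(STRONG_DSA, msg, sha256_sig, good))
    print(verify_digest(DSS_ONLY, msg, sha256_sig, good))
    print(verify_digest(STRONG_DSA, msg, md5_sig, v4_signature_digest(msg, md5_sig)))
```

The hash algorithm octet sits inside the hashed area, so a signature does commit to the hash it was made with; what the key itself never says is which hashes a verifier should honour for it, and that is the gap the policy object closes. Putting the firewall check before any hashing also means a packet naming an algorithm the verifier has no implementation for is refused rather than failing in the digest step.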



From owner-ietf-openpgp@mail.imc.org  Wed Aug 18 19:45:44 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA00831
	for <openpgp-archive@lists.ietf.org>; Wed, 18 Aug 2004 19:45:44 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7INJ8K0060705;
	Wed, 18 Aug 2004 16:19:08 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7INJ8hQ060704;
	Wed, 18 Aug 2004 16:19:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from www.enhyper.com (mailgate.enhyper.com [62.49.250.18])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7INJ6pn060686
	for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 16:19:07 -0700 (PDT)
	(envelope-from iang@systemics.com)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by www.enhyper.com (8.11.6/8.11.6) with SMTP id i7INIMt20990;
	Thu, 19 Aug 2004 00:18:39 +0100
X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol
Message-ID: <4123E438.6030403@systemics.com>
Date: Thu, 19 Aug 2004 00:20:24 +0100
From: Ian Grigg <iang@systemics.com>
User-Agent: Mozilla Thunderbird 0.7.1 (X11/20040707)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Len Sassaman <rabbi@abditum.com>
CC: vedaal@hush.com, ietf-openpgp@imc.org
Subject: Re: re-consideration of TIGER
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com> <Pine.LNX.4.58.0408181334530.27342@thetis.deor.org>
In-Reply-To: <Pine.LNX.4.58.0408181334530.27342@thetis.deor.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


Len Sassaman wrote:
> On a different note, I'm also in favor of dropping backwards compatibility
> with v3 in the spec, as I've mentioned before. This would also allow us to
> easily drop MD5 from v4. I think any backwards compatibility is adequately
> handled in the client implementations, and does not belong as a part of
> the OpenPGP message format. (I.e., there are clients that offer S/MIME
> compatibility, yet there's no reason for that to be part of this spec,
> either. We already have RFC 1991.)

I'm in total agreement there.

With one caveat - the chair would have to ponder whether
"this late" in the spec there are major changes allowed.

Some mentioned that v3 may be compromised even more by
this recent message digest news, and if so, that would be
sufficient casus belli, IMHO, to seriously consider doing
such a major step.

iang

PS: I note the comment on DSA/DSS keys ... if the above
logic doesn't fly, I'd suspect there is no case to drop
those keys, but I'm listening :-)



From owner-ietf-openpgp@mail.imc.org  Fri Aug 20 11:58:51 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA23605
	for <openpgp-archive@lists.ietf.org>; Fri, 20 Aug 2004 11:58:50 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7KFZwTa037812;
	Fri, 20 Aug 2004 08:35:58 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7KFZwfm037811;
	Fri, 20 Aug 2004 08:35:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7KFZvWX037744
	for <ietf-openpgp@imc.org>; Fri, 20 Aug 2004 08:35:58 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: from walrus.ne.client2.attbi.com ([24.60.132.70])
          by comcast.net (rwcrmhc13) with ESMTP
          id <20040820153555015008vb83e>; Fri, 20 Aug 2004 15:35:55 +0000
Received: from claude.jabberwocky.com ([172.24.84.27])
	by walrus.ne.client2.attbi.com (8.12.8/8.12.8) with ESMTP id i7KFZoLO003486
	for <ietf-openpgp@imc.org>; Fri, 20 Aug 2004 11:35:54 -0400
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id i7KFZnF10238
	for ietf-openpgp@imc.org; Fri, 20 Aug 2004 11:35:49 -0400
Date: Fri, 20 Aug 2004 11:35:49 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: MD5 warning
Message-ID: <20040820153549.GA10135@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (21% of Full)
User-Agent: Mutt/1.5.6i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


With regards to reinstating TIGER, I agree that there is little need
to do anything in crisis mode.  Let's give the various discussions
about MD5 and general hash health time to reach some sort of
conclusion.  We already have quite a number of hashes other than MD5,
and in V4, SHA-1 is the standard hash anyway.  Despite various rumors
to the contrary, SHA-1 was not broken.

That said, the security considerations section of the draft currently
has some language mildly discouraging the use of MD5 ("The MD5 hash
algorithm has been found to have weaknesses (pseudo-collisions in the
compress function) that make some people deprecate its use.  They
consider the SHA-1 algorithm better.")  Can we make this stronger, and
deprecate MD5 use for OpenPGP in general?

David



From owner-ietf-openpgp@mail.imc.org  Sat Aug 21 17:42:36 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA06315
	for <openpgp-archive@lists.ietf.org>; Sat, 21 Aug 2004 17:42:36 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLNKeP013893;
	Sat, 21 Aug 2004 14:23:20 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7LLNKQk013892;
	Sat, 21 Aug 2004 14:23:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLNGY9013867
	for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 14:23:19 -0700 (PDT)
	(envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1])
	by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7LLNDHN018709
	for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 23:23:14 +0200
Received: (from news@localhost)
	by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7LLNDiZ018708
	for ietf-openpgp@imc.org; Sat, 21 Aug 2004 23:23:13 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: MD5 warning
Date: Sat, 21 Aug 2004 21:23:13 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 10
Message-ID:  <slrnciffa1.27t.lutz@belenus.iks-jena.de>
References:  <20040820153549.GA10135@jabberwocky.com>
NNTP-Posting-Host: belenus.iks-jena.de
X-Trace: branwen.iks-jena.de 1093123393 18674 217.17.192.34 (21 Aug 2004 21:23:13 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Sat, 21 Aug 2004 21:23:13 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


* David Shaw wrote:
> That said, the security considerations section of the draft currently
> has some language mildly discouraging the use of MD5 ("The MD5 hash
> algorithm has been found to have weaknesses (pseudo-collisions in the
> compress function) that make some people deprecate its use.  They
> consider the SHA-1 algorithm better.")  Can we make this stronger, and
> deprecate MD5 use for OpenPGP in general?

Not necessary. All known attacks do not impose a direct risk to MD5-based
OpenPGP issues.



From owner-ietf-openpgp@mail.imc.org  Sat Aug 21 18:07:32 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA07400
	for <openpgp-archive@lists.ietf.org>; Sat, 21 Aug 2004 18:07:32 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLt2AD018662;
	Sat, 21 Aug 2004 14:55:02 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7LLt2ck018661;
	Sat, 21 Aug 2004 14:55:02 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLt290018636
	for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 14:55:02 -0700 (PDT)
	(envelope-from dshaw@jabberwocky.com)
Received: from walrus.ne.client2.attbi.com ([24.60.132.70])
          by comcast.net (rwcrmhc11) with ESMTP
          id <2004082121545101300rb5jse>; Sat, 21 Aug 2004 21:55:02 +0000
Received: from claude.jabberwocky.com ([172.24.84.27])
	by walrus.ne.client2.attbi.com (8.12.8/8.12.8) with ESMTP id i7LLsjLO031938
	for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 17:54:51 -0400
Received: (from dshaw@localhost)
	by claude.jabberwocky.com (8.11.6/8.11.6) id i7LLshB14130
	for ietf-openpgp@imc.org; Sat, 21 Aug 2004 17:54:43 -0400
Date: Sat, 21 Aug 2004 17:54:43 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: MD5 warning
Message-ID: <20040821215443.GA14015@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <20040820153549.GA10135@jabberwocky.com> <slrnciffa1.27t.lutz@belenus.iks-jena.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <slrnciffa1.27t.lutz@belenus.iks-jena.de>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (33% of Full)
User-Agent: Mutt/1.5.6i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
> 
> * David Shaw wrote:
> > That said, the security considerations section of the draft currently
> > has some language mildly discouraging the use of MD5 ("The MD5 hash
> > algorithm has been found to have weaknesses (pseudo-collisions in the
> > compress function) that make some people deprecate its use.  They
> > consider the SHA-1 algorithm better.")  Can we make this stronger, and
> > deprecate MD5 use for OpenPGP in general?
> 
> Not necessary. All known attacks do not impose a direct risk to MD5-based
> OpenPGP issues.

True, but would you recommend using MD5 these days?  The time to
deprecate it is before it is completely broken, and the attacks do
pose a direct risk.

MD5 showed some signs of weakness a few years ago.  A few days ago, it
showed some pretty serious problems.  Let's let it go now while it is
relatively easy to do so.

To put my suggestion into a specific proposal for the draft:

In section 9.4, add a note indicating that hash algorithm 1 is MD5,
but MD5 is deprecated, and SHOULD NOT be used.

In section 13, rephrase the current mild note about MD5 to be stronger
and cite the paper giving the MD5 collisions.

David



From owner-ietf-openpgp@mail.imc.org  Sat Aug 21 18:26:36 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA09022
	for <openpgp-archive@lists.ietf.org>; Sat, 21 Aug 2004 18:26:36 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LMDUq8021658;
	Sat, 21 Aug 2004 15:13:30 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7LMDUpG021657;
	Sat, 21 Aug 2004 15:13:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LMDS0C021634
	for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 15:13:29 -0700 (PDT)
	(envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1])
	by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7LMDX0u020538
	for <ietf-openpgp@imc.org>; Sun, 22 Aug 2004 00:13:33 +0200
Received: (from news@localhost)
	by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7LMDX4l020537
	for ietf-openpgp@imc.org; Sun, 22 Aug 2004 00:13:33 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: MD5 warning
Date: Sat, 21 Aug 2004 22:13:33 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 26
Message-ID:  <slrncifi8d.27t.lutz@belenus.iks-jena.de>
References:  <20040821215443.GA14015@jabberwocky.com>
NNTP-Posting-Host: belenus.iks-jena.de
X-Trace: branwen.iks-jena.de 1093126413 18674 217.17.192.34 (21 Aug 2004 22:13:33 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Sat, 21 Aug 2004 22:13:33 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


* David Shaw wrote:
> On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
>> Not necessary. All known attacks do not impose a direct risk to MD5-based
>> OpenPGP issues.
>
> True, but would you recommend using MD5 these days?

No. I won't recommend any hash solely based on bit-logic and modular
arithmetic these days.

> The time to deprecate it is before it is completely broken, and the
> attacks do pose a direct risk.

OpenPGP recommends SHA1. I'm feeling bad with this, but this is not the
subject of discussion.

> MD5 showed some signs of weakness a few years ago.  A few days ago, it
> showed some pretty serious problems.  Let's let it go now while it is
> relatively easy to do so.

MD5 shares some weaknesses with other hash algorithms. Don't blame MD5 alone.

> In section 9.4, add a note indicating that hash algorithm 1 is MD5,
> but MD5 is deprecated, and SHOULD NOT be used.

So please add "SHA1 MAY NOT be used."



From owner-ietf-openpgp@mail.imc.org  Sun Aug 22 01:59:28 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA24501
	for <openpgp-archive@lists.ietf.org>; Sun, 22 Aug 2004 01:59:28 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7M5XA80097414;
	Sat, 21 Aug 2004 22:33:10 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7M5XAxj097413;
	Sat, 21 Aug 2004 22:33:10 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.202.64])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7M5X9kQ097333
	for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 22:33:10 -0700 (PDT)
	(envelope-from cme@acm.org)
Message-Id: <200408220533.i7M5X9kQ097333@above.proper.com>
Received: from p4 (c-24-18-253-210.client.comcast.net[24.18.253.210])
          by comcast.net (sccrmhc13) with SMTP
          id <2004082205330501600jpq1re>; Sun, 22 Aug 2004 05:33:05 +0000
From: "Carl Ellison" <cme@acm.org>
To: "'Lutz Donnerhacke'" <lutz@iks-jena.de>, <ietf-openpgp@imc.org>
Subject: SHA-1 (was RE: MD5 warning)
Date: Sat, 21 Aug 2004 22:33:39 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To:  <slrncifi8d.27t.lutz@belenus.iks-jena.de>
Thread-Index: AcSHzDEYASfmd7UNRVWKApBoqwtXugAPSniA
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit


Rumors aside, there is no published break of SHA-1.  Even SHA-0 isn't fully
broken.  People will continue to work on SHA-1 so it might break one of
these years, but I will still recommend using it.

 - Carl 

> -----Original Message-----
> From: owner-ietf-openpgp@mail.imc.org 
> [mailto:owner-ietf-openpgp@mail.imc.org] On Behalf Of Lutz Donnerhacke
> Sent: Saturday, August 21, 2004 3:14 PM
> To: ietf-openpgp@imc.org
> Subject: Re: MD5 warning
> 
> 
> * David Shaw wrote:
> > On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
> >> Not necessary. All known attacks do not impose a direct risk to MD5-based
> >> OpenPGP issues.
> >
> > True, but would you recommend using MD5 these days?
> 
> No. I won't recommend any hash solely based on bit-logic and modular
> arithmetic these days.
> 
> > The time to deprecate it is before it is completely broken, and the
> > attacks do pose a direct risk.
> 
> OpenPGP recommends SHA1. I'm feeling bad with this, but this 
> is not the
> subject of discussion.
> 
> > MD5 showed some signs of weakness a few years ago.  A few 
> days ago, it
> > showed some pretty serious problems.  Let's let it go now 
> while it is
> > relatively easy to do so.
> 
> MD5 shares some weaknesses with other hash algorithms. Don't 
> blame MD5 alone.
> 
> > In section 9.4, add a note indicating that hash algorithm 1 is MD5,
> > but MD5 is deprecated, and SHOULD NOT be used.
> 
> So please add "SHA1 MAY NOT be used."
> 



From owner-ietf-openpgp@mail.imc.org  Thu Aug 26 20:27:05 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA27119
	for <openpgp-archive@lists.ietf.org>; Thu, 26 Aug 2004 20:27:04 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R08Mi4052495;
	Thu, 26 Aug 2004 17:08:22 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7R08MbN052494;
	Thu, 26 Aug 2004 17:08:22 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from slc-exch-1.forumsys.com (67.107.202.130.ptr.us.xo.net [67.107.202.130])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R08LZO052484
	for <ietf-openpgp@imc.org>; Thu, 26 Aug 2004 17:08:22 -0700 (PDT)
	(envelope-from hmujtaba@forumsys.com)
Received: from bstn-exch1.forumsys.com ([10.5.2.12]) by slc-exch-1.forumsys.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Thu, 26 Aug 2004 18:08:21 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Subject: Signed + Encrypted messages
Date: Thu, 26 Aug 2004 20:08:18 -0400
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B399@bstn-exch1.forumsys.com>
Thread-Topic: Signed + Encrypted messages
Thread-Index: AcSLyhZ4sKIfRwp0Rae2/WQvm9zCsg==
From: "Hasnain Mujtaba" <hmujtaba@forumsys.com>
To: "ietf-openpgp@imc.org" <'ietf-openpgp@imc.org'.cnri.reston.va.us>
X-OriginalArrivalTime: 27 Aug 2004 00:08:21.0737 (UTC) FILETIME=[F6BB3D90:01C48BC9]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i7R08MZO052489
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 8bit


Hi all,

Would it be a safe assumption that the signed component of signed +
encrypted messages will always be one-pass signatures rather than
regular signatures? Incidentally, this seems to be the default case with
GPG and PGP. 

Thanks
Hasnain.



From owner-ietf-openpgp@mail.imc.org  Fri Aug 27 04:02:39 2004
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by ietf.org (8.9.1a/8.9.1a) with ESMTP id EAA08080
	for <openpgp-archive@lists.ietf.org>; Fri, 27 Aug 2004 04:02:39 -0400 (EDT)
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R7ba6a094275;
	Fri, 27 Aug 2004 00:37:36 -0700 (PDT)
	(envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost)
	by above.proper.com (8.12.11/8.12.9/Submit) id i7R7ba3i094274;
	Fri, 27 Aug 2004 00:37:36 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90])
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R7bY5N094261
	for <ietf-openpgp@imc.org>; Fri, 27 Aug 2004 00:37:35 -0700 (PDT)
	(envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1])
	by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7R7bP2J026938
	for <ietf-openpgp@imc.org>; Fri, 27 Aug 2004 09:37:25 +0200
Received: (from news@localhost)
	by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7R7bPvN026937
	for ietf-openpgp@imc.org; Fri, 27 Aug 2004 09:37:25 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: Signed + Encrypted messages
Date: Fri, 27 Aug 2004 07:37:25 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 10
Message-ID:  <slrncitp5l.oc.lutz@taranis.iks-jena.de>
References:  <4DCE15B9C4E66F4CA967EBF64C53D64D67B399@bstn-exch1.forumsys.com>
NNTP-Posting-Host: taranis.iks-jena.de
X-Trace: branwen.iks-jena.de 1093592245 26564 217.17.192.37 (27 Aug 2004 07:37:25 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Fri, 27 Aug 2004 07:37:25 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>


* Hasnain Mujtaba wrote:
> Would it be a safe assumption that the signed component of signed +
> encrypted messages will always be one-pass signatures rather than
> regular signatures?

No.

> Incidentally, this seems to be the default case with GPG and PGP.

Yes.

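As an added illustration of two points raised in this thread (David Shaw's proposal to flag hash algorithm 1, MD5, as deprecated in the section 9.4 registry, and the question of whether a signed message uses the one-pass or the regular signature layout), here is a small OpenPGP packet walker. It is example code written for this archive, not code from GnuPG, PGP or any message above; the packet, signature and one-pass signature layouts follow RFC 2440 sections 4.2, 5.2 and 5.4, and the sample packets are constructed by hand with a dummy key ID and dummy MPIs, so they parse but are not verifiable signatures.

```python
"""OpenPGP packet walker: signature form (one-pass vs. regular) and hash use.

Added example, not code from GnuPG, PGP or the thread.  Layouts follow
RFC 2440 sections 4.2, 5.2 and 5.4.  Sample packets at the bottom are
constructed with a dummy key ID and dummy MPIs; they are not real signatures.
"""
import struct

# RFC 2440 section 9.4 hash IDs (6/7 reserved for TIGER/HAVAL; 8-11 SHA-2).
HASH_ALGS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 6: "TIGER/192",
             7: "HAVAL-5-160", 8: "SHA-256", 9: "SHA-384",
             10: "SHA-512", 11: "SHA-224"}
DEPRECATED_HASHES = {1}  # MD5, per the proposal in the thread

TAG_SIGNATURE, TAG_ONE_PASS, TAG_LITERAL = 2, 4, 11


def parse_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("bit 7 of the packet tag octet must be set")
        if ctb & 0x40:                      # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:                           # 224..254: partial body length
                raise ValueError("partial body lengths not handled here")
        else:                               # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not handled here")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet body")
        i += length
        yield tag, body


def signature_hash_alg(body):
    """Hash algorithm ID of a v3 or v4 signature packet body."""
    if body[0] == 3:
        # v3: version, hashed-material length (5), sig type, time(4),
        # key ID(8), pubkey alg, hash alg, left 16 bits, MPIs
        if body[1] != 5:
            raise ValueError("v3 signature: hashed material length must be 5")
        return body[16]
    if body[0] == 4:
        # v4: version, sig type, pubkey alg, hash alg, subpackets, ...
        return body[3]
    raise ValueError("unsupported signature version %d" % body[0])


def audit_message(data):
    """Describe a signed message: its form, hashes used, deprecated hash?"""
    tags, hashes = [], []
    for tag, body in parse_packets(data):
        tags.append(tag)
        if tag == TAG_SIGNATURE:
            hashes.append(signature_hash_alg(body))
    if tags[:1] == [TAG_ONE_PASS]:
        form = "one-pass"                   # signature follows the data
    elif tags[:1] == [TAG_SIGNATURE]:
        form = "regular"                    # signature precedes the data
    else:
        form = "unsigned"
    return {"form": form,
            "hashes": [HASH_ALGS.get(h, "unknown(%d)" % h) for h in hashes],
            "deprecated": any(h in DEPRECATED_HASHES for h in hashes)}


# --- constructed samples (dummy key ID and MPIs, not real signatures) ---
def _old_packet(tag, body):            # old-format header, 1-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _new_packet(tag, body):            # new-format header, 1-octet length
    return bytes([0xC0 | tag, len(body)]) + body


_KEY_ID = bytes(range(1, 9))
_MPI = b"\x00\x01\x01"                 # 1-bit MPI holding the value 1
_LITERAL = _old_packet(TAG_LITERAL, b"b\x00" + b"\x00" * 4 + b"hello")

# One-pass form with a v4 DSA/SHA-1 signature (the GnuPG/PGP default).
SAMPLE_ONE_PASS = (
    _new_packet(TAG_ONE_PASS, bytes([3, 0x00, 2, 17]) + _KEY_ID + b"\x01")
    + _LITERAL
    + _old_packet(TAG_SIGNATURE, bytes([4, 0x00, 17, 2]) + b"\x00\x00"
                  + b"\x00\x00" + b"\xAB\xCD" + _MPI * 2))

# Regular form with a v3 RSA/MD5 signature (hash algorithm 1).
SAMPLE_REGULAR_V3 = (
    _old_packet(TAG_SIGNATURE, bytes([3, 5, 0x00]) + b"\x00" * 4 + _KEY_ID
                + bytes([1, 1]) + b"\xAB\xCD" + _MPI)
    + _LITERAL)
```

Running audit_message over the two samples reports the one-pass message as SHA-1 and clean, and the v3 message as regular-form, MD5 and deprecated. The walker deliberately refuses partial and indeterminate body lengths rather than guessing; a real verifier must handle them, but an auditing tool should surface them as a separate finding instead of silently resynchronising.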



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R7ba6a094275; Fri, 27 Aug 2004 00:37:36 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7R7ba3i094274; Fri, 27 Aug 2004 00:37:36 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R7bY5N094261 for <ietf-openpgp@imc.org>; Fri, 27 Aug 2004 00:37:35 -0700 (PDT) (envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1]) by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7R7bP2J026938 for <ietf-openpgp@imc.org>; Fri, 27 Aug 2004 09:37:25 +0200
Received: (from news@localhost) by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7R7bPvN026937 for ietf-openpgp@imc.org; Fri, 27 Aug 2004 09:37:25 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: Signed + Encrypted messages
Date: Fri, 27 Aug 2004 07:37:25 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 10
Message-ID:  <slrncitp5l.oc.lutz@taranis.iks-jena.de>
References:  <4DCE15B9C4E66F4CA967EBF64C53D64D67B399@bstn-exch1.forumsys.com>
NNTP-Posting-Host: taranis.iks-jena.de
X-Trace: branwen.iks-jena.de 1093592245 26564 217.17.192.37 (27 Aug 2004 07:37:25 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Fri, 27 Aug 2004 07:37:25 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

* Hasnain Mujtaba wrote:
> Would it be a safe assumption that the signed component of signed +
> encrypted messages will always be one-pass signatures rather than
> regular signatures?

No.

> Incidently, this seems to be the default case with GPG and PGP.

Yes.



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R08Mi4052495; Thu, 26 Aug 2004 17:08:22 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7R08MbN052494; Thu, 26 Aug 2004 17:08:22 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from slc-exch-1.forumsys.com (67.107.202.130.ptr.us.xo.net [67.107.202.130]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7R08LZO052484 for <ietf-openpgp@imc.org>; Thu, 26 Aug 2004 17:08:22 -0700 (PDT) (envelope-from hmujtaba@forumsys.com)
Received: from bstn-exch1.forumsys.com ([10.5.2.12]) by slc-exch-1.forumsys.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 26 Aug 2004 18:08:21 -0600
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Signed + Encrypted messages
Date: Thu, 26 Aug 2004 20:08:18 -0400
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B399@bstn-exch1.forumsys.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Signed + Encrypted messages
Thread-Index: AcSLyhZ4sKIfRwp0Rae2/WQvm9zCsg==
From: "Hasnain Mujtaba" <hmujtaba@forumsys.com>
To: "ietf-openpgp@imc.org" <'ietf-openpgp@imc.org'>
X-OriginalArrivalTime: 27 Aug 2004 00:08:21.0737 (UTC) FILETIME=[F6BB3D90:01C48BC9]
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by above.proper.com id i7R08MZO052489
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Hi all,

Would it be a safe assumption that the signed component of signed +
encrypted messages will always be one-pass signatures rather than
regular signatures? Incidently, this seems to be the default case with
GPG and PGP. 

Thanks
Hasnain.



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7M5XA80097414; Sat, 21 Aug 2004 22:33:10 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7M5XAxj097413; Sat, 21 Aug 2004 22:33:10 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.202.64]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7M5X9kQ097333 for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 22:33:10 -0700 (PDT) (envelope-from cme@acm.org)
Message-Id: <200408220533.i7M5X9kQ097333@above.proper.com>
Received: from p4 (c-24-18-253-210.client.comcast.net[24.18.253.210]) by comcast.net (sccrmhc13) with SMTP id <2004082205330501600jpq1re>; Sun, 22 Aug 2004 05:33:05 +0000
From: "Carl Ellison" <cme@acm.org>
To: "'Lutz Donnerhacke'" <lutz@iks-jena.de>, <ietf-openpgp@imc.org>
Subject: SHA-1 (was RE: MD5 warning)
Date: Sat, 21 Aug 2004 22:33:39 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To:  <slrncifi8d.27t.lutz@belenus.iks-jena.de>
Thread-Index: AcSHzDEYASfmd7UNRVWKApBoqwtXugAPSniA
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Rumors aside, there is no published break of SHA-1.  Even SHA-0 isn't fully
broken.  People will continue to work on SHA-1 so it might break one of
these years, but I will still recommend using it.

 - Carl 

> -----Original Message-----
> From: owner-ietf-openpgp@mail.imc.org 
> [mailto:owner-ietf-openpgp@mail.imc.org] On Behalf Of Lutz Donnerhacke
> Sent: Saturday, August 21, 2004 3:14 PM
> To: ietf-openpgp@imc.org
> Subject: Re: MD5 warning
> 
> 
> * David Shaw wrote:
> > On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
> >> Not necessary. All known attacks does not impose a direct 
> risk to md5 based
> >> OpenPGP issues.
> >
> > True, but would you recommend using MD5 these days?
> 
> No. I won't recommend any hash solely based on bit-logic and modular
> arithmetic these days.
> 
> > The time to deprecate it is before it is completely broken, and the
> > attacks do pose a direct risk.
> 
> OpenPGP recommends SHA1. I'm feeling bad with this, but this 
> is not the
> subject of discussion.
> 
> > MD5 showed some signs of weakness a few years ago.  A few 
> days ago, it
> > showed some pretty serious problems.  Let's let it go now 
> while it is
> > relatively easy to do so.
> 
> MD5 shares some weaknesses with other hash algorithms. Don't 
> blame MD5 alone.
> 
> > In section 9.4, add a note indicating that hash algorithm 1 is MD5,
> > but MD5 is deprecated, and SHOULD NOT be used.
> 
> So please add "SHA1 MAY NOT be used."
> 



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LMDUq8021658; Sat, 21 Aug 2004 15:13:30 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7LMDUpG021657; Sat, 21 Aug 2004 15:13:30 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LMDS0C021634 for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 15:13:29 -0700 (PDT) (envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1]) by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7LMDX0u020538 for <ietf-openpgp@imc.org>; Sun, 22 Aug 2004 00:13:33 +0200
Received: (from news@localhost) by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7LMDX4l020537 for ietf-openpgp@imc.org; Sun, 22 Aug 2004 00:13:33 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: MD5 warning
Date: Sat, 21 Aug 2004 22:13:33 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 26
Message-ID:  <slrncifi8d.27t.lutz@belenus.iks-jena.de>
References:  <20040821215443.GA14015@jabberwocky.com>
NNTP-Posting-Host: belenus.iks-jena.de
X-Trace: branwen.iks-jena.de 1093126413 18674 217.17.192.34 (21 Aug 2004 22:13:33 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Sat, 21 Aug 2004 22:13:33 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

* David Shaw wrote:
> On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
>> Not necessary. All known attacks does not impose a direct risk to md5 based
>> OpenPGP issues.
>
> True, but would you recommend using MD5 these days?

No. I won't recommend any hash soley based on bit-logic and modular
arithmentic these days.

> The time to deprecate it is before it is completely broken, and the
> attacks do pose a direct risk.

OpenPGP recommends SHA1. I'm feeling bad with this, but this is not the
subject of discussion.

> MD5 showed some signs of weakness a few years ago.  A few days ago, it
> showed some pretty serious problems.  Let's let it go now while it is
> relatively easy to do so.

MD5 shares some weeknesses with other hash algoithms. Don't blame MD5 alone.

> In section 9.4, add a note indicating that hash algorithm 1 is MD5,
> but MD5 is deprecated, and SHOULD NOT be used.

So please add "SHA1 MAY NOT be used."



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLt2AD018662; Sat, 21 Aug 2004 14:55:02 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7LLt2ck018661; Sat, 21 Aug 2004 14:55:02 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLt290018636 for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 14:55:02 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.ne.client2.attbi.com ([24.60.132.70]) by comcast.net (rwcrmhc11) with ESMTP id <2004082121545101300rb5jse>; Sat, 21 Aug 2004 21:55:02 +0000
Received: from claude.jabberwocky.com ([172.24.84.27]) by walrus.ne.client2.attbi.com (8.12.8/8.12.8) with ESMTP id i7LLsjLO031938 for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 17:54:51 -0400
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id i7LLshB14130 for ietf-openpgp@imc.org; Sat, 21 Aug 2004 17:54:43 -0400
Date: Sat, 21 Aug 2004 17:54:43 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: MD5 warning
Message-ID: <20040821215443.GA14015@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <20040820153549.GA10135@jabberwocky.com> <slrnciffa1.27t.lutz@belenus.iks-jena.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <slrnciffa1.27t.lutz@belenus.iks-jena.de>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (33% of Full)
User-Agent: Mutt/1.5.6i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Sat, Aug 21, 2004 at 09:23:13PM +0000, Lutz Donnerhacke wrote:
> 
> * David Shaw wrote:
> > That said, the security considerations section of the draft currently
> > has some language mildly discouraging the use of MD5 ("The MD5 hash
> > algorithm has been found to have weaknesses (pseudo-collisions in the
> > compress function) that make some people deprecate its use.  They
> > consider the SHA-1 algorithm better.")  Can we make this stronger, and
> > deprecate MD5 use for OpenPGP in general?
> 
> Not necessary. All known attacks do not impose a direct risk to MD5-based
> OpenPGP issues.

True, but would you recommend using MD5 these days?  The time to
deprecate it is before it is completely broken, and the attacks do
pose a direct risk.

MD5 showed some signs of weakness a few years ago.  A few days ago, it
showed some pretty serious problems.  Let's let it go now while it is
relatively easy to do so.

To put my suggestion into a specific proposal for the draft:

In section 9.4, add a note indicating that hash algorithm 1 is MD5,
but MD5 is deprecated, and SHOULD NOT be used.

In section 13, rephrase the current mild note about MD5 to be stronger
and cite the paper giving the MD5 collisions.

David



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLNKeP013893; Sat, 21 Aug 2004 14:23:20 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7LLNKQk013892; Sat, 21 Aug 2004 14:23:20 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7LLNGY9013867 for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 14:23:19 -0700 (PDT) (envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1]) by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7LLNDHN018709 for <ietf-openpgp@imc.org>; Sat, 21 Aug 2004 23:23:14 +0200
Received: (from news@localhost) by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7LLNDiZ018708 for ietf-openpgp@imc.org; Sat, 21 Aug 2004 23:23:13 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: MD5 warning
Date: Sat, 21 Aug 2004 21:23:13 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 10
Message-ID:  <slrnciffa1.27t.lutz@belenus.iks-jena.de>
References:  <20040820153549.GA10135@jabberwocky.com>
NNTP-Posting-Host: belenus.iks-jena.de
X-Trace: branwen.iks-jena.de 1093123393 18674 217.17.192.34 (21 Aug 2004 21:23:13 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Sat, 21 Aug 2004 21:23:13 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

* David Shaw wrote:
> That said, the security considerations section of the draft currently
> has some language mildly discouraging the use of MD5 ("The MD5 hash
> algorithm has been found to have weaknesses (pseudo-collisions in the
> compress function) that make some people deprecate its use.  They
> consider the SHA-1 algorithm better.")  Can we make this stronger, and
> deprecate MD5 use for OpenPGP in general?

Not necessary. All known attacks do not impose a direct risk to MD5-based
OpenPGP issues.



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7KFZwTa037812; Fri, 20 Aug 2004 08:35:58 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7KFZwfm037811; Fri, 20 Aug 2004 08:35:58 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7KFZvWX037744 for <ietf-openpgp@imc.org>; Fri, 20 Aug 2004 08:35:58 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.ne.client2.attbi.com ([24.60.132.70]) by comcast.net (rwcrmhc13) with ESMTP id <20040820153555015008vb83e>; Fri, 20 Aug 2004 15:35:55 +0000
Received: from claude.jabberwocky.com ([172.24.84.27]) by walrus.ne.client2.attbi.com (8.12.8/8.12.8) with ESMTP id i7KFZoLO003486 for <ietf-openpgp@imc.org>; Fri, 20 Aug 2004 11:35:54 -0400
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id i7KFZnF10238 for ietf-openpgp@imc.org; Fri, 20 Aug 2004 11:35:49 -0400
Date: Fri, 20 Aug 2004 11:35:49 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: MD5 warning
Message-ID: <20040820153549.GA10135@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waxing Crescent (21% of Full)
User-Agent: Mutt/1.5.6i
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

With regards to reinstating TIGER, I agree that there is little need
to do anything in crisis mode.  Let's give the various discussions
about MD5 and general hash health time to reach some sort of
conclusion.  We already have quite a number of hashes other than MD5,
and in V4, SHA-1 is the standard hash anyway.  Despite various rumors
to the contrary, SHA-1 was not broken.

That said, the security considerations section of the draft currently
has some language mildly discouraging the use of MD5 ("The MD5 hash
algorithm has been found to have weaknesses (pseudo-collisions in the
compress function) that make some people deprecate its use.  They
consider the SHA-1 algorithm better.")  Can we make this stronger, and
deprecate MD5 use for OpenPGP in general?

David



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7INJ8K0060705; Wed, 18 Aug 2004 16:19:08 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7INJ8hQ060704; Wed, 18 Aug 2004 16:19:08 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from www.enhyper.com (mailgate.enhyper.com [62.49.250.18]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7INJ6pn060686 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 16:19:07 -0700 (PDT) (envelope-from iang@systemics.com)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by www.enhyper.com (8.11.6/8.11.6) with SMTP id i7INIMt20990; Thu, 19 Aug 2004 00:18:39 +0100
X-Authentication-Warning: www.enhyper.com: localhost.localdomain [127.0.0.1] didn't use HELO protocol
Message-ID: <4123E438.6030403@systemics.com>
Date: Thu, 19 Aug 2004 00:20:24 +0100
From: Ian Grigg <iang@systemics.com>
User-Agent: Mozilla Thunderbird 0.7.1 (X11/20040707)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Len Sassaman <rabbi@abditum.com>
CC: vedaal@hush.com, ietf-openpgp@imc.org
Subject: Re: re-consideration of TIGER
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com> <Pine.LNX.4.58.0408181334530.27342@thetis.deor.org>
In-Reply-To: <Pine.LNX.4.58.0408181334530.27342@thetis.deor.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Len Sassaman wrote:
> On a different note, I'm also in favor of dropping backwards compatibility
> with v3 in the spec, as I've mentioned before. This would also allow us to
> easily drop MD5 from v4. I think any backwards compatibility is adequately
> handled in the client implementations, and does not belong as a part of
> the OpenPGP message format. (I.e., there are clients that offer S/MIME
> compatibility, yet there's no reason for that to be part of this spec,
> either. We already have RFC 1991.)

I'm in total agreement there.

With one caveat - the chair would have to ponder whether
"this late" in the spec there are major changes allowed.

Some mentioned that v3 may be compromised even more by
this recent message digest news, and if so, that would be
sufficient casus belli, IMHO, to seriously consider doing
such a major step.

iang

PS: I note the comment on DSA/DSS keys ... if the above
logic doesn't fly, I'd suspect there is no case to drop
those keys, but I'm listening :-)



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IKnoof036212; Wed, 18 Aug 2004 13:49:50 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7IKno84036211; Wed, 18 Aug 2004 13:49:50 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from thetis.deor.org (thetis.deor.org [207.106.86.210]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IKnnk7036203 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 13:49:50 -0700 (PDT) (envelope-from rabbi@abditum.com)
Received: by thetis.deor.org (Postfix, from userid 500) id DA29D45057; Wed, 18 Aug 2004 13:49:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by thetis.deor.org (Postfix) with ESMTP id A2E6E4801E; Wed, 18 Aug 2004 13:49:51 -0700 (PDT)
Date: Wed, 18 Aug 2004 13:49:51 -0700 (PDT)
From: Len Sassaman <rabbi@abditum.com>
X-X-Sender: rabbi@thetis.deor.org
To: vedaal@hush.com, ietf-openpgp@imc.org
Subject: Re: re-consideration of TIGER
In-Reply-To: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
Message-ID: <Pine.LNX.4.58.0408181334530.27342@thetis.deor.org>
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Wed, 18 Aug 2004 vedaal@hush.com wrote:

> now that sha-0 has been broken,

SHA-0 was (theoretically) broken in 1998. The recent work is simply an
improvement in the break.

> and sha-1 is actively being looked at for a possible extension of the
> attack,
>
> and MD5, HAVAL, and RIPEMD are also being attacked
> (http://eprint.iacr.org/2004/199.pdf)

Actually, all three are broken. But MD5 was (theoretically) broken in
1996, and RIPEMD has been considered weak for years. (Note, RIPEMD is
based on MD4.  It is *not* the same as RIPEMD-160 (based on RIPEMD, but
with considerable input from Dobbertin, who broke MD4 and MD5), or
RIPEMD-128 (based on RIPEMD-160, intended as a "drop in" replacement for
RIPEMD or MD4/5).)

> would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?

SHA-256 and SHA-512 are not based on the MDx family, and have arguably
gotten more scrutiny than TIGER. Even if SHA-1 or RIPEMD-160 were
threatened, we already have alternatives.

The bigger problem I see is with the lack of a sound hash function
firewall in OpenPGP v4 DSA keys. We can add all the strong hash functions
we want, but as long as there exists a weak hash function in the spec, an
attacker can theoretically cause a collision in the weak hash function to
match the strong hash function's results, and break the signature scheme.

We either need to fix this, drop DSA keys, require that all DSA keys
actually be DSS (and then deal with the consequences if SHA-1 is broken),
or standardize on a single hash (and have a backup hash ready if need be.)

Thinking about this more now, I suppose dropping DSA would be the
simplest, though that would cause a lot of compatibility issues.

On a different note, I'm also in favor of dropping backwards compatibility
with v3 in the spec, as I've mentioned before. This would also allow us to
easily drop MD5 from v4. I think any backwards compatibility is adequately
handled in the client implementations, and does not belong as a part of
the OpenPGP message format. (I.e., there are clients that offer S/MIME
compatibility, yet there's no reason for that to be part of this spec,
either. We already have RFC 1991.)


--Len.



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IJK5Pp021429; Wed, 18 Aug 2004 12:20:05 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7IJK5L4021428; Wed, 18 Aug 2004 12:20:05 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IJK3NO021420 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 12:20:04 -0700 (PDT) (envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1]) by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7IJK7MJ019576 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 21:20:07 +0200
Received: (from news@localhost) by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7IJK7k5019575 for ietf-openpgp@imc.org; Wed, 18 Aug 2004 21:20:07 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 19:20:07 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 13
Message-ID:  <slrnci7av7.1bn.lutz@belenus.iks-jena.de>
References:  <874qn075gb.fsf@deneb.enyo.de>
NNTP-Posting-Host: belenus.iks-jena.de
X-Trace: branwen.iks-jena.de 1092856807 19532 217.17.192.34 (18 Aug 2004 19:20:07 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Wed, 18 Aug 2004 19:20:07 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

* Florian Weimer wrote:
> * Lutz Donnerhacke:
>> Currently the attack looks like exploiting insufficient highest bit
>> handling of the internal state variables. This is a matter if the
>> protocol applies a random(!) padding directly before hashing.
>
> Source?

Personal impression.

> (The impact on V3 keys could be interesting, though.)

Of course.



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGrxha091969; Wed, 18 Aug 2004 09:53:59 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7IGrxHN091968; Wed, 18 Aug 2004 09:53:59 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from mail.enyo.de (mail.enyo.de [212.9.189.167]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGrwCt091952 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 09:53:58 -0700 (PDT) (envelope-from fw@deneb.enyo.de)
Received: (debugging) helo=deneb.enyo.de ip=212.9.189.171 name=deneb.enyo.de
Received: from deneb.enyo.de ([212.9.189.171]) by mail.enyo.de with esmtp id 1BxThG-0001sh-2t; Wed, 18 Aug 2004 18:53:58 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.34) id 1BxThE-00034W-7V; Wed, 18 Aug 2004 18:53:56 +0200
To: Lutz Donnerhacke <lutz@iks-jena.de>
Cc: ietf-openpgp@imc.org
Subject: Re: re-consideration of TIGER
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com> <slrnci6qlk.nu.lutz@taranis.iks-jena.de>
From: Florian Weimer <fw@deneb.enyo.de>
Date: Wed, 18 Aug 2004 18:53:56 +0200
In-Reply-To: <slrnci6qlk.nu.lutz@taranis.iks-jena.de> (Lutz Donnerhacke's message of "Wed, 18 Aug 2004 14:41:56 +0000 (UTC)")
Message-ID: <874qn075gb.fsf@deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

* Lutz Donnerhacke:

> Unless the attack is not substantiated, wild actionism should be avoided.

Agreed.

> Currently the attack looks like exploiting insufficient highest bit
> handling of the internal state variables. This is a matter if the
> protocol applies a random(!) padding directly before hashing.

Source?

Based on my extrapolation of the pseudo-paper, it also depends where
the padding is added, if some length information is protected by the
hash, and the overall purpose of the hash function.  While MD5 has
certainly been broken, this doesn't seem to lead to immediate attacks
on real protocols.

(The impact on V3 keys could be interesting, though.)



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGas3j089399; Wed, 18 Aug 2004 09:36:54 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7IGasxB089398; Wed, 18 Aug 2004 09:36:54 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from merrymeet.com (merrymeet.com [63.73.97.162]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGar7Q089381 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 09:36:53 -0700 (PDT) (envelope-from jon@callas.org)
Received: from keys.merrymeet.com (63.73.97.166) by merrymeet.com with ESMTP (Eudora Internet Mail Server X 3.2.5); Wed, 18 Aug 2004 09:36:50 -0700
Received: from [128.111.166.181] ([128.111.166.181]) by keys.merrymeet.com (PGP Universal service); Wed, 18 Aug 2004 09:36:49 -0700
X-PGP-Universal: processed
In-Reply-To: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
References: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <C7FA2EDA-F134-11D8-A0BE-000A9568596C@callas.org>
Content-Transfer-Encoding: 7bit
Cc: ietf-openpgp@imc.org
From: Jon Callas <jon@callas.org>
Subject: Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 09:36:40 -0700
To: <vedaal@hush.com>
X-Mailer: Apple Mail (2.619)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On 18 Aug 2004, at 6:54 AM, <vedaal@hush.com> wrote:

> would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?
>

Not really, no. There are already perfectly good backup algorithms.

The reason we removed Tiger is that it hasn't been examined or used at 
all. None of these things apply to Tiger, and it is therefore still not 
well examined nor used. Going from a hash function that has been 
examined to one that hasn't isn't presently warranted.

SHA-1 isn't broken yet. Even the ones that have been broken haven't 
been broken (yet) in ways that permit signature forging. What we know 
now is that the functions we've been saying for close to a decade 
shouldn't be used really shouldn't be used.

If you're worried about SHA-1, you should move to SHA-256. Don't be 
scared by the fact that it's called "SHA."

If you want to do something *really* practical and good, stop using 
your V3 keys. (That's the editorial you, not vedaal specifically.)

I'm sitting in the hash sessions at Crypto now, and SHA-1 isn't broken. 
Again, if you still want to do something, start using SHA-256.

	Jon



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGLHAq086664; Wed, 18 Aug 2004 09:21:17 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7IGLHmr086663; Wed, 18 Aug 2004 09:21:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from lake.cyberia.net.lb (lake.cyberia.net.lb [195.112.195.73]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IGLDPN086637 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 09:21:15 -0700 (PDT) (envelope-from matic@cyberia.net.lb)
Received: from lake ([127.0.0.1]) by lake.cyberia.net.lb with ESMTP id <20040818162106.FDRD3436.lake@lake>; Wed, 18 Aug 2004 19:21:06 +0300
Received: from localhost (localhost [127.0.0.1]) by lake (Postfix) with ESMTP id C89521B545D; Wed, 18 Aug 2004 19:21:06 +0300 (EEST)
Received: from lake ([127.0.0.1]) by localhost (lake [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23925-06; Wed, 18 Aug 2004 19:21:06 +0300 (EEST)
Received: from lake (lake [195.112.195.73]) by lake (Postfix) with SMTP id D01A81B544B; Wed, 18 Aug 2004 19:21:05 +0300 (EEST)
X-Mailer: Openwave WebEngine, version 2.8.14 (webedge20-101-1101-20040406)
X-Originating-IP: [62.84.86.106]
From: <matic@cyberia.net.lb>
To: <vedaal@hush.com>, <ietf-openpgp@imc.org>
Subject: Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 19:21:05 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=____1092846065832_Zmv+Fc?)QY"
Message-Id: <20040818162105.D01A81B544B@lake>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

Greetings,
The recent breakthrough appears to apply to all
the MDx-based hash algorithms.
While TIGER is not, I am told, it does not mean that
it is more secure, as it has not been subject to the same
scrutiny as the MDx-based hashes.
I believe that less is better; however, diversity
is a good thing, especially when the algorithms
are unrelated.  After all, this is the reason
why there are numerous algorithms in a crypto suite.
I am no expert of course, but it would be a cautious
thing to trim down the algorithms of similar ones
for the sake of complexity, and augment them with
dissimilar ones for the sake of hedging one's bets.
Given the above, a case for re-instating TIGER in OpenPGP
could be made.
hth
best regards
Imad R. Faiad

> 
> From: <vedaal@hush.com>
> Date: 2004/08/18 Wed PM 04:54:42 EAT
> To: ietf-openpgp@imc.org
> Subject: re-consideration of TIGER
> 
> 
> now that sha-0 has been broken,
> and sha-1 is actively being looked at for a possible extension of the
> attack,
>
> and MD5, HAVAL, and RIPEMD are also being attacked
> (http://eprint.iacr.org/2004/199.pdf)
>
>
> would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?
>
>
> vedaal



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IEg0Gg071396; Wed, 18 Aug 2004 07:42:00 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7IEg0Fc071395; Wed, 18 Aug 2004 07:42:00 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from branwen.iks-jena.de (root@branwen.iks-jena.de [217.17.192.90]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IEfxgo071374 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 07:42:00 -0700 (PDT) (envelope-from news@branwen.iks-jena.de)
Received: from branwen.iks-jena.de (localhost [127.0.0.1]) by branwen.iks-jena.de (8.12.11/8.12.9) with ESMTP id i7IEfusk011251 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 16:41:56 +0200
Received: (from news@localhost) by branwen.iks-jena.de (8.12.11/8.12.1/Submit) id i7IEfuqn011250 for ietf-openpgp@imc.org; Wed, 18 Aug 2004 16:41:56 +0200
To: ietf-openpgp@imc.org
Path: not-for-mail
From: Lutz Donnerhacke <lutz@iks-jena.de>
Newsgroups:  iks.lists.ietf-open-pgp
Subject:  Re: re-consideration of TIGER
Date: Wed, 18 Aug 2004 14:41:56 +0000 (UTC)
Organization:  IKS GmbH Jena
Lines: 9
Message-ID:  <slrnci6qlk.nu.lutz@taranis.iks-jena.de>
References:  <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
NNTP-Posting-Host: taranis.iks-jena.de
X-Trace: branwen.iks-jena.de 1092840116 8623 217.17.192.37 (18 Aug 2004 14:41:56 GMT)
X-Complaints-To: usenet@iks-jena.de
NNTP-Posting-Date: Wed, 18 Aug 2004 14:41:56 +0000 (UTC)
User-Agent: slrn/0.9.8.0 (Linux)
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

* <vedaal@hush.com> wrote:
> would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?

Unless the attack is not substantiated, wild actionism should be avoided.
Currently the attack looks like exploiting insufficient highest bit handling
of the internal state variables. This is a matter if the protocol applies a
random(!) padding directly before hashing.



Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IDsjP4063199; Wed, 18 Aug 2004 06:54:45 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i7IDsjBL063198; Wed, 18 Aug 2004 06:54:45 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from smtp3.hushmail.com (smtp3.hushmail.com [65.39.178.135]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i7IDsiVM063190 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:44 -0700 (PDT) (envelope-from vedaal@hush.com)
Received: from localhost (localhost.hushmail.com [127.0.0.1]) by smtp3.hushmail.com (Postfix) with ESMTP id D467EA3377 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:43 -0700 (PDT)
Received: from smtp3.hushmail.com (localhost.hushmail.com [127.0.0.1]) by smtp3.hushmail.com (Postfix) with SMTP id 6D346A3342 for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:43 -0700 (PDT)
Received: from mailserver3.hushmail.com (mailserver3.hushmail.com [65.39.178.20]) by smtp3.hushmail.com (Postfix) with ESMTP for <ietf-openpgp@imc.org>; Wed, 18 Aug 2004 06:54:43 -0700 (PDT)
Received: (from nobody@localhost) by mailserver3.hushmail.com (8.12.11/8.12.9/Submit) id i7IDshdn015159 for ietf-openpgp@imc.org; Wed, 18 Aug 2004 06:54:43 -0700 (PDT) (envelope-from vedaal@hush.com)
Message-Id: <200408181354.i7IDshdn015159@mailserver3.hushmail.com>
Date: Wed, 18 Aug 2004 06:54:42 -0700
To: ietf-openpgp@imc.org
Cc: 
Subject: re-consideration of TIGER
From: <vedaal@hush.com>
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

now that sha-0 has been broken,
and sha-1 is actively being looked at for a possible extension of the
attack,

and MD5, HAVAL, and RIPEMD are also being attacked
(http://eprint.iacr.org/2004/199.pdf)


would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
as a potential backup hash for implementations/users that may wish to
begin doing so?


vedaal












Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i75IKZxA022046; Thu, 5 Aug 2004 11:20:35 -0700 (PDT) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i75IKZ2n022045; Thu, 5 Aug 2004 11:20:35 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from foobar.cs.jhu.edu (foobar.cs.jhu.edu [128.220.13.173]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i75IKZNQ022035 for <ietf-openpgp@imc.org>; Thu, 5 Aug 2004 11:20:35 -0700 (PDT) (envelope-from dshaw@jabberwocky.com)
Received: from walrus.ne.client2.attbi.com (walrus.ne.client2.attbi.com [24.60.132.70]) by foobar.cs.jhu.edu (8.11.6/8.11.6) with ESMTP id i75IKWu29009 for <ietf-openpgp@imc.org>; Thu, 5 Aug 2004 14:20:37 -0400
Received: from claude.jabberwocky.com ([172.24.84.27]) by walrus.ne.client2.attbi.com (8.12.8/8.12.8) with ESMTP id i75IKR6q014177 for <ietf-openpgp@imc.org>; Thu, 5 Aug 2004 14:20:27 -0400
Received: (from dshaw@localhost) by claude.jabberwocky.com (8.11.6/8.11.6) id i75IKRd27427 for ietf-openpgp@imc.org; Thu, 5 Aug 2004 14:20:27 -0400
Date: Thu, 5 Aug 2004 14:20:27 -0400
From: David Shaw <dshaw@jabberwocky.com>
To: ietf-openpgp@imc.org
Subject: Re: Partial chunking question
Message-ID: <20040805182027.GA27372@jabberwocky.com>
Mail-Followup-To: ietf-openpgp@imc.org
References: <4DCE15B9C4E66F4CA967EBF64C53D64D67B38D@bstn-exch1.forumsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4DCE15B9C4E66F4CA967EBF64C53D64D67B38D@bstn-exch1.forumsys.com>
X-PGP-Key: 99242560 / 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
X-Request-PGP: http://www.jabberwocky.com/david/keys.asc
X-Phase-Of-Moon: The Moon is Waning Gibbous (71% of Full)
User-Agent: Mutt/1.5.6i

On Thu, Aug 05, 2004 at 01:53:40PM -0400, Hasnain Mujtaba wrote:

> I had a question on breaking data into partial chunks. If someone can
> clarify this, I'd appreciate it:
> 
> Suppose the chunk size you are using is 8192 bytes and the final data
> chunk is less than 8192, say it is 6480. My chunking implementation puts
> these final 6480 bytes into one non-partial length chunk so that the
> chunk sequence looks like this: 8192, 8192, ... , 8192, 6480.
> 
> GPG and PGP, however, break this final data into power of two lengths,
> i.e. 8192, 8192, ... , 8192, 4096, 2048, 336.
> 
> My approach interoperates with both GPG and PGP. But I am curious as to
> why GPG and PGP break the final data this way, rather than putting it
> all in one final non-partial chunk. I hope I have not overlooked some
> RFC requirements.

It's not an RFC requirement.  When writing a stream, GnuPG picks the
largest possible power of 2 for the amount of data it is ready to
write at that point.  I suspect PGP does something similar for similar
reasons.

What you are doing is also perfectly legal.

David



MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Partial chunking question
Date: Thu, 5 Aug 2004 13:53:40 -0400
Message-ID: <4DCE15B9C4E66F4CA967EBF64C53D64D67B38D@bstn-exch1.forumsys.com>
From: "Hasnain Mujtaba" <hmujtaba@forumsys.com>
To: <ietf-openpgp@imc.org>

Hi all,

I had a question on breaking data into partial chunks. If someone can
clarify this, I'd appreciate it:

Suppose the chunk size you are using is 8192 bytes and the final data
chunk is less than 8192, say it is 6480. My chunking implementation puts
these final 6480 bytes into one non-partial length chunk so that the
chunk sequence looks like this: 8192, 8192, ... , 8192, 6480.

GPG and PGP, however, break this final data into power of two lengths,
i.e. 8192, 8192, ... , 8192, 4096, 2048, 336.

My approach interoperates with both GPG and PGP. But I am curious as to
why GPG and PGP break the final data this way, rather than putting it
all in one final non-partial chunk. I hope I have not overlooked some
RFC requirements.

Regards,
Hasnain
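The two chunk layouts from the question and from David's reply, as an added example (not code from the thread, from GnuPG or from PGP): RFC 2440 section 4.2.2 new-format body lengths (unchanged in RFC 4880), an encoder for each layout, and a decoder that checks the rule that the first partial body length must be at least 512 octets. The 512-octet floor used for the GnuPG-style layout is an assumption chosen because it reproduces the 4096, 2048, 336 tail quoted above.

```python
def encode_length(n, partial):
    """RFC 2440 4.2.2 header: partial = 0xE0|exp (n a power of two <= 2**30)."""
    if partial:
        exp = n.bit_length() - 1
        assert n == 1 << exp and exp <= 30, "partial length must be a power of two"
        return bytes([0xE0 | exp])
    if n < 192:                          # one-octet non-partial length
        return bytes([n])
    if n < 8384:                         # two-octet non-partial length
        return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")  # five-octet non-partial length
def layout_single_final(total, chunk=8192):
    """The asker's layout: full partial chunks, then one non-partial remainder."""
    full = max(0, (total - 1) // chunk)  # partial chunks before the remainder
    return [chunk] * full + [total - chunk * full]
def layout_gnupg(total, chunk=8192, min_partial=512):
    """GnuPG-style: largest power of two (<= chunk) it can write right now.  The
    512-byte floor is an assumption; it reproduces the 4096, 2048, 336 tail."""
    parts, rem = [], total
    while rem >= min_partial:
        parts.append(1 << min(rem.bit_length() - 1, chunk.bit_length() - 1))
        rem -= parts[-1]
    return parts + [rem]                 # last entry is the non-partial length
def serialize(data, parts):
    """Emit headers + chunks; every entry of parts but the last is partial."""
    assert sum(parts) == len(data)
    out, pos = bytearray(), 0
    for i, n in enumerate(parts):
        out += encode_length(n, i < len(parts) - 1) + data[pos:pos + n]
        pos += n
    return bytes(out)
def decode_length(stream, pos):
    """Return (length, is_partial, new_pos) for the header at pos."""
    o = stream[pos]
    if o < 192:
        return o, False, pos + 1
    if o < 224:
        return ((o - 192) << 8) + stream[pos + 1] + 192, False, pos + 2
    if o < 255:
        return 1 << (o & 0x1F), True, pos + 1
    return int.from_bytes(stream[pos + 1:pos + 5], "big"), False, pos + 5
def decode_body(stream):
    """Parse headers; return (body, lengths).  First partial must be >= 512."""
    pos, parts, body = 0, [], bytearray()
    while True:
        n, partial, pos = decode_length(stream, pos)
        if partial and not parts and n < 512:
            raise ValueError("first partial body length must be >= 512 octets")
        parts.append(n)
        body += stream[pos:pos + n]
        pos += n
        if not partial:                  # a non-partial header ends the body
            return bytes(body), parts
```

Both layouts decode to the same body; the GnuPG-style one costs two extra header octets for the example sizes, and its 512 floor also keeps it from ever emitting a first partial length the decoder would reject.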




