Firewall Wizards mailing list archives

RE: SHA-1 or MD5


From: Ben Nagy <ben.nagy () marconi com au>
Date: Thu, 6 Sep 2001 09:33:02 +1000

NB: I am not a cryptographer - I just like embarrassing myself.

-----Original Message-----
From: Walker Andrew [mailto:andrew.walker () capco com] 
Sent: Monday, September 03, 2001 9:18 PM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] SHA-1 or MD5


Hello,

The VPN I have inherited uses a mixture of message digests for the
encryption. On 1 firewall the client encryption is set up with DES and
SHA-1, and at another location the FW client encryption is set up with DES
and MD5. My understanding is the MD5 is quicker than SHA-1, but less strong.

That's true, but assuming you're talking about IPSec / IKE VPNs it's
actually a bit more complicated. The most recent work against MD5 I am aware
of is Dobbertin's '96 stuff which demonstrated collisions in the compression
function of MD5. This is not immediately extendable into a full collision
attack on MD5. You can find a nice layman's writeup in an old RSA Bulletin. [1]

More importantly, though, you should note that IPSec doesn't just use plain
MD5 or SHA. In the initial key negotiation phase (IKE) the important hashes
are all part of an encrypted payload, and are just used to authenticate
Diffie-Hellman endpoints. In other words, the hash can't be attacked
directly since it is passed encrypted.

In ESP, the hashes are used in a thing called a HMAC, or Hashed Message
Authentication Code. You can't easily extend Dobbertin's work to an HMAC,
since the key property of MD5 that we need for a HMAC is that it is one-way
and mostly random - collision resistance is less important. You can find all
this in Dobbertin's own (more technical) analysis in RSA's Cryptobytes
Volume 2 No. 2. [2] The birthday attack on hashes for an HMAC is also briefly
discussed in RFC 2104. [3]

My question to the list subscribers, on NT based FW1, can the message
digests be changed to either SHA-1 or MD5 without breaking the VPN? I just
wondered if it was a one time choice at setup time - non-reversible.

Should be changeable at any time. Assuming a non-broken IPSec implementation
you should also be able to define several proposals in order of preference,
some using MD5 and some using SHA-1, which will enable you to gradually
change things over with no chance of breakage.

Has anyone any comments on the best choice, MD5 or SHA-1 ?

If you're using DES, go MD5 - it's quicker. If you're using 3DES you might
think about using SHA-1, but I (personally) wouldn't bother.

Does it matter that there is a mix at all ?

Consistency is good, but not essential. I'd make a call based on how much of
a pain in the butt it is to change everything.

Thanks in advance for any thoughts, experience or advice.

Best regards,

Andrew

Cheers,

[1] http://cnscenter.future.co.kr/resource/crypto/algorithm/Symmetric/RSAbulletn4.pdf
[2] http://www.rsa.com/rsalabs/cryptobytes/
[3] http://www.ietf.org/rfc/rfc2104.txt
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
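Added illustration (not part of the original thread) of the HMAC construction from RFC 2104 that Ben describes: the hash only ever sees key-mixed input, which is why the one-way and pseudorandom properties matter more than collision resistance. The construction is checked against the published RFC 2104 / RFC 2202 test vectors and Python's own hmac module; the 96-bit truncation used by IPsec ESP (RFC 2403/2404) and the demo key are shown as assumptions, not anything from the post.

```python
import hashlib
import hmac  # only used to cross-check the hand-rolled construction
from typing import Optional

def rfc2104_hmac(key: bytes, text: bytes, hash_name: str = "md5",
                 tag_len: Optional[int] = None) -> bytes:
    """HMAC per RFC 2104: H((K xor opad) || H((K xor ipad) || text)).

    H is applied only to secret-keyed input, so an attacker never gets to
    pick both colliding inputs freely; HMAC leans on H being one-way and
    pseudorandom rather than on its collision resistance."""
    h = getattr(hashlib, hash_name)
    block = h().block_size                        # 64 bytes for MD5 and SHA-1
    if len(key) > block:                          # RFC 2104 s.3: long keys are hashed first
        key = h(key).digest()
    key = key.ljust(block, b"\x00")               # then zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    tag = h(opad + h(ipad + text).digest()).digest()
    return tag if tag_len is None else tag[:tag_len]   # optional truncation (RFC 2104 s.5)

def verify_tag(key: bytes, text: bytes, tag: bytes, hash_name: str = "md5",
               tag_len: Optional[int] = None) -> bool:
    """Receiver-side check; compare_digest avoids leaking the tag through timing."""
    return hmac.compare_digest(rfc2104_hmac(key, text, hash_name, tag_len), tag)

# Published test vectors: RFC 2104 appendix (HMAC-MD5) and RFC 2202 (HMAC-SHA-1).
VECTORS = [
    ("md5", b"\x0b" * 16, b"Hi There", "9294727a3638bb1c13f48ef8158bfc9d"),
    ("md5", b"Jefe", b"what do ya want for nothing?", "750c783e6ab0b503eaa86e310a5db738"),
    ("md5", b"\xaa" * 16, b"\xdd" * 50, "56be34521d144c88dbb8c733f0e8b3f6"),
    ("sha1", b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("sha1", b"Jefe", b"what do ya want for nothing?", "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
]

def check_vectors() -> bool:
    """True if the hand-rolled HMAC matches the RFC vectors and hashlib's hmac."""
    for name, key, text, want in VECTORS:
        got = rfc2104_hmac(key, text, name)
        if got.hex() != want or got != hmac.new(key, text, name).digest():
            return False
    return True

if __name__ == "__main__":
    print("RFC vectors ok:", check_vectors())
    # Constructed demo key (assumption): ESP-style 96-bit truncated tags, RFC 2403/2404.
    k = b"constructed-demo-key"
    print("HMAC-MD5-96 :", rfc2104_hmac(k, b"esp payload", "md5", 12).hex())
    print("HMAC-SHA1-96:", rfc2104_hmac(k, b"esp payload", "sha1", 12).hex())
```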