Firewall Wizards mailing list archives
RE: SHA-1 or MD5
From: Ben Nagy <ben.nagy () marconi com au>
Date: Thu, 6 Sep 2001 09:33:02 +1000
NB: I am not a cryptographer - I just like embarrassing myself.
-----Original Message-----
From: Walker Andrew [mailto:andrew.walker () capco com]
Sent: Monday, September 03, 2001 9:18 PM
To: 'firewall-wizards () nfr com'
Subject: [fw-wiz] SHA-1 or MD5

Hello,

The VPN I have inherited uses a mixture of message digests for the encryption. On 1 firewall the client encryption is set up with DES and SHA-1, and at another location the FW client encryption is set up with DES and MD5. My understanding is the MD5 is quicker than SHA-1, but less strong.
That's true, but assuming you're talking about IPSec / IKE VPNs it's actually a bit more complicated. The most recent work against MD5 I am aware of is Dobbertin's '96 stuff which demonstrated collisions in the compression function of MD5. This is not immediately extendable into a full collision attack on MD5. You can find a nice layman's writeup in an old RSA Bulletin. [1]

More importantly, though, you should note that IPSec doesn't just use plain MD5 or SHA. In the initial key negotiation phase (IKE) the important hashes are all part of an encrypted payload, and are just used to authenticate Diffie-Hellman endpoints. In other words, the hash can't be attacked directly since it is passed encrypted. In ESP, the hashes are used in a thing called an HMAC, or Hashed Message Authentication Code. You can't easily extend Dobbertin's work to an HMAC, since the key property of MD5 that we need for an HMAC is that it is one-way and mostly random - collision resistance is less important. You can find all this in Dobbertin's own (more technical) analysis in RSA's Cryptobytes Volume 2 No. 2. [2] The birthday attack on hashes for an HMAC is also briefly discussed in RFC 2104. [3]
My question to the list subscribers, on NT based FW1, can the message digests be changed to either SHA-1 or MD5 without breaking the VPN. I just wondered if it was a one time choice at setup time - non reversible.
Should be changeable at any time. Assuming a non-broken IPSec implementation you should also be able to define several proposals in order of preference, some using MD5 and some using SHA-1, which will enable you to gradually change things over with no chance of breakage.
Has anyone any comments on the best choice, MD5 or SHA-1 ?
If you're using DES, go MD5 - it's quicker. If you're using 3DES you might think about using SHA-1, but I (personally) wouldn't bother.
Does it matter that there is a mix at all ?
Consistency is good, but not essential. I'd make a call based on how much of a pain in the butt it is to change everything.
Thanks in advance for any thoughts, experience or advice. Best regards, Andrew
Cheers,

[1] http://cnscenter.future.co.kr/resource/crypto/algorithm/Symmetric/RSAbulletn4.pdf
[2] http://www.rsa.com/rsalabs/cryptobytes/
[3] http://www.ietf.org/rfc/rfc2104.txt

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards