[Standards] XEP-0115 redux
Peter Saint-Andre
stpeter at stpeter.im
Mon Jan 14 14:05:58 CST 2008
Dave Cridland wrote:
>> ISSUE #3: Which hashing algorithms?
>>
>> Description: The Council discussion seemed to assume that version 1.5
>> [4] says SHA-1 is mandatory-to-implement ("MTI"). In fact, version 1.5
>> does not mandate implementation of any specific algorithm. Be that as
>> it may, some Council members suggested that we recommend MD5 instead
>> of SHA-1 (the only concrete reason I heard in the meeting is that MD5
>> output is smaller).
>>
>>
> (Kind of. One issue is that MD5 might actually be more secure.)
Far be it from me to weigh in on such issues, because I am not a
cryptographer by any means. However, I have read some of the papers
referred to from RFC 4270 and some of the URLs you posted. It seems to
me that both MD5 and the SHA family use the Damgard-Merkle construction
(the "standard" way of making iterated hash functions). So are both MD5
and SHA-1 subject to some of the same vulnerabilities? Are there (again,
potential) vulnerabilities that SHA-1 is subject to but MD5 is not? For
example, Kelsey and Schneier 2004 suggests a line of reasoning whereby
SHA-1 could more easily be subject to a preimage attack than previously
thought when large messages are used (for us that would equate to a
large value of "S" in XEP-0115), but the input messages are on the order
of 2^55 blocks long *and* they don't need to match any kind of defined
structure (as a message would need to in order to be used in a preimage attack against
entity capabilities).
I will try to expand upon the text describing the (potential) preimage
attack so that we define it more clearly.
Peter
--
Peter Saint-Andre
https://stpeter.im/