Robert J. Hansen wrote:
> On 06/24/2012 06:11 PM, Werner Koch wrote:
>> I am telling for more than a decade that PGP 2 should not be used
>> anymore.
>
> The list may find my own timeline of MD5 to be worth reading -- it might give some insight into why PGP 2 (in particular the MD5 vulnerabilities) tends to engender such passionate responses.
>
> =====
>
> 1993: Bosselaers and Den Boer present a theoretical break on MD5.
>
> 1996: Hans Dobbertin breaks MD5. His results are immediately dismissed as "theoretical" when they are nothing but. The security of a Merkle-Damgard hash (such as MD5) cannot be greater than the collision resistance of its compression function. Dobbertin is able to break MD5's compression function in *seconds* on desktop hardware. The MD5 death clock begins ticking down: we know (thanks to Dobbertin) that collisions can be generated against the full MD5 in seconds, but we don't yet know how.
>
> 1997: As an undergraduate, I read Dobbertin's paper and get shocked. I start advocating migration to SHA-1 and/or RIPEMD160. Nobody listens to me, and maybe rightfully so: after all, I'm just an undergrad. That said, I'm in good company: lots of other very serious cryppies are advocating the same.
>
> 1998: Internal debates begin at PGP Security over whether MD5 should be considered "deprecated" (technically valid, but advised against) or "obsolete" (no longer valid). (This is according to Len Sassaman.)
>
> 2001: People are still using MD5 in applications that need a collision-resistant hash function. I begin to get irritated: we've had five years to do migrations. Some important people within the community at that time (e.g., Imad Faiad) proclaim that MD5 is still secure and the vulnerabilities against it are still only theoretical and may never come to pass. I begin to tell people that if we don't see real MD5 collisions within five years to never again believe anything I say.
>
> 2002: I enter graduate school for computer science and begin working in electronic voting. I see systems being developed at that time which rely on the collision-resistance of MD5. I begin to get unhinged. In order to prove the ineffectiveness of MD5, I begin to work on MD5 collisions for my Master's thesis.
>
> 2004: Shandong University publishes the first MD5 collisions. I have a very long and dejected talk with my advisor about my degree plans. I take a Master's without thesis, but I tell my advisor I'm looking on the bright side: no one can claim MD5 is still safe, right?
>
> 2004: People continue to say MD5 is still safe, claiming that the Shandong University attacks are impractical -- they can only produce collisions in random data, which means you can't forge a particular signature on particular data.
>
> 2005: At Black Hat, Dan Kaminsky starts off with the EFF's website and the NSA's website. Dan is able to, in realtime, tweak the EFF's website with nondisplaying characters in order to make it look unchanged from the original but have the same MD5 hash as the NSA's website. I was there in the audience and my jaw was on the floor.
>
> 2005: People continue to say MD5 is still safe, claiming that... oh, God, I lose track at this point, honestly. At this point my brain shuts down and I begin to believe anyone advocating MD5 where collision resistance is necessary is living in resolute denial of the facts.
>
> 2008: The first public disclosure of a forged MD5-based SSL certificate.
>
> 2008: US-CERT issues a Vulnerability Notice which says in plain language, "Software developers, Certification Authorities, website owners and users should avoid using the MD5 algorithm in any capacity." (Ref: http://www.kb.cert.org/vuls/id/836068 )
>
> 2012: News reports circulate that the Flame virus propagated by forging an MD5-based Microsoft signature.
>
> 2012: On this mailing list, 16 years after experts recommended migrating away from MD5 and four years after US-CERT categorically declared MD5 to be a "do not use" algorithm, we're having a discussion about PGP 2.6, which is deeply married to MD5.
>
>
> After reviewing the past 19 years of results on MD5 and the community's reaction to them, all I can say is ... nothing, really. I used to be able to get a lot of outrage summoned up over this subject, but now I've been reduced to making faint whimpering noises.
A new scientific truth does not triumph by convincing opponents and making them see the light, but rather because its opponents eventually die, and a new generation grows up that is familiar with it.
-- Max Planck

--
Jean-David Beyer          Registered Linux User 85642.
PGP-Key:3EDBB65E 9A2FC99A Registered Machine  241939.
Shrewsbury, New Jersey    http://counter.li.org
14:10:01 up 13 days, 24 min, 3 users, load average: 4.28, 4.34, 4.24

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
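The Merkle-Damgard argument in the 1996 entry of the quoted timeline (a collision in the compression function is a collision in the full hash for any shared suffix, which is also what made the 2005 identical-prefix demonstration possible) is shown below in an added Python example that is not part of this thread. It assumes a toy Merkle-Damgard hash whose compression function is SHA-256 truncated to a 24-bit chaining value, standing in for a broken compression function so that colliding blocks can be found by birthday search in milliseconds.

```python
import hashlib
import itertools

BLOCK = 16  # toy block size in bytes
STATE = 3   # toy 24-bit chaining value: birthday collisions in ~2^12 tries
IV = b"\x00" * STATE

def compress(state, block):
    # Toy compression function (assumption for illustration): SHA-256 truncated
    # to 24 bits. The truncation stands in for a broken compression function.
    return hashlib.sha256(state + block).digest()[:STATE]

def pad(msg):
    # MD5-style Merkle-Damgard strengthening: 0x80, zero fill, 64-bit bit length.
    out = msg + b"\x80"
    out += b"\x00" * ((-len(out) - 8) % BLOCK)
    return out + (8 * len(msg)).to_bytes(8, "little")

def chain(state, data):
    # Iterate compress() over whole blocks, starting from the given chaining value.
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def md_hash(msg):
    # Full toy hash: pad, then chain from the fixed IV.
    return chain(IV, pad(msg))

def find_block_collision(state):
    # Birthday search for two distinct blocks with equal output from `state`.
    # Deterministic counter input, so the result is repeatable.
    seen = {}
    for n in itertools.count():
        block = n.to_bytes(BLOCK, "little")
        out = compress(state, block)
        if out in seen:
            return seen[out], block
        seen[out] = block

def colliding_pair(prefix, suffix):
    # Identical-prefix collision: a shared prefix (whole blocks), two different
    # middle blocks, then ANY shared suffix. After the middle block both messages
    # have the same chaining value and the same length, so the suffix and the
    # padding are processed identically and the digests agree.
    if len(prefix) % BLOCK:
        raise ValueError("prefix must be a whole number of blocks")
    b1, b2 = find_block_collision(chain(IV, prefix))
    return prefix + b1 + suffix, prefix + b2 + suffix
```

The colliding blocks are the "random data" the 2004 objection referred to; the readable prefix and suffix around them are freely chosen, which is why that objection offered no protection for signed documents.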