Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms
draft-turner-md5-seccon-update-08

Document history

Date Rev. By Action
2015-10-14
08 (System) Notify list changed from turners@ieca.com, lily.chen@nist.gov, draft-turner-md5-seccon-update@ietf.org to (None)
2011-03-07
08 Amy Vezza [Note]: changed to 'RFC 6151'
2011-03-07
08 Amy Vezza State changed to RFC Published from RFC Ed Queue.
2011-03-06
08 (System) RFC published
2011-01-11
08 Amy Vezza State changed to RFC Ed Queue from Approved-announcement sent.
2011-01-10
08 (System) IANA Action state changed to No IC from In Progress
2011-01-10
08 (System) IANA Action state changed to In Progress
2011-01-10
08 Amy Vezza IESG state changed to Approved-announcement sent
2011-01-10
08 Amy Vezza IESG has approved the document
2011-01-10
08 Amy Vezza Closed "Approve" ballot
2011-01-10
08 Amy Vezza Approval announcement text regenerated
2011-01-07
08 (System) Removed from agenda for telechat - 2011-01-06
2011-01-06
08 Cindy Morgan State changed to Approved-announcement to be sent from IESG Evaluation.
2011-01-06
08 Alexey Melnikov Ballot writeup text changed
2011-01-06
08 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded
2011-01-06
08 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded
2011-01-05
08 Russ Housley
[Ballot comment]
I think this document would be more useful to people trying to choose
  an algorithm if Section 2 were structured to present the conclusions
  at the beginning, and then provide the details in the subsections.  I
  suggest:

  MD5 was published in 1992 as an Informational RFC.  Since that time,
  MD5 has been extensively studied and new cryptographic attacks have
  been discovered.  Message digest algorithms are designed to provide
  collision, pre-image, and second pre-image resistance.  In addition,
  message digest algorithms are used with a shared secret value for
  message authentication in HMAC, and in this context, some people may
  find the guidance for key lengths and algorithm strengths in
  [SP800-57] and [SP800-131] useful.

  MD5 is no longer acceptable where collision resistance is required
  such as digital signatures.  It is not urgent to stop using MD5 in
  other ways, such as HMAC-MD5; however, since MD5 must not be used for
  digital signatures, new protocol designs should not employ HMAC-MD5.
  Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC][HMAC-SHA256] and
  [AES-CMAC] when AES is more readily available than a hash function.
2011-01-05
08 Russ Housley [Ballot Position Update] New position, Yes, has been recorded
2011-01-05
08 Tim Polk [Ballot Position Update] New position, No Objection, has been recorded
2011-01-05
08 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded
2011-01-05
08 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded
2011-01-03
08 Peter Saint-Andre [Ballot Position Update] New position, Yes, has been recorded
2010-12-29
08 Alexey Melnikov Ballot writeup text changed
2010-12-29
08 Alexey Melnikov Ballot writeup text changed
2010-12-29
08 Alexey Melnikov State changed to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup.
2010-12-29
08 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-12-29
08 (System) New version available: draft-turner-md5-seccon-update-08.txt
2010-12-23
08 Sean Turner [Ballot Position Update] New position, Recuse, has been recorded
2010-12-23
08 Alexey Melnikov State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead.
2010-12-23
08 Alexey Melnikov [Ballot Position Update] New position, Yes, has been recorded for Alexey Melnikov
2010-12-23
08 Alexey Melnikov Ballot has been issued
2010-12-23
08 Alexey Melnikov Created "Approve" ballot
2010-12-22
08 (System) State changed to Waiting for AD Go-Ahead from In Last Call.
2010-11-30
08 Samuel Weiler Request for Last Call review by SECDIR is assigned to Barry Leiba
2010-11-29
08 Amanda Baber
IANA has a question about the IANA Action for this document.

IANA understands that the authors intend a single IANA Action upon
approval of this document. IANA understands that, upon approval of this
document, the md5 usage entry in the Hash Function Textual Names
registry should replace "COMMON" with "DEPRECATED."

IANA Question --> In the Hash Function Textual Names registry located at:

http://www.iana.org/assignments/hash-function-text-names/hash-function-text-names.xhtml

there is no "usage entry" for each of the registrations. Was a different
registry intended or should a usage entry be added to this registry upon
approval of this document?
2010-11-24
08 Amy Vezza Last call sent
2010-11-24
08 Amy Vezza
State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Reply-To: ietf@ietf.org
Subject: Last Call: <draft-turner-md5-seccon-update-07.txt> (Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms) to Informational RFC


The IESG has received a request from an individual submitter to consider
the following document:
- 'Updated Security Considerations for the MD5 Message-Digest and the
  HMAC-MD5 Algorithms'
  <draft-turner-md5-seccon-update-07.txt> as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2010-12-22. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

The file can be obtained via
http://datatracker.ietf.org/doc/draft-turner-md5-seccon-update/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-turner-md5-seccon-update/
2010-11-24
08 Alexey Melnikov Placed on agenda for telechat - 2011-01-06
2010-11-24
08 Alexey Melnikov
AD review of -07:

2.1. Collision Resistance

  Notice that the collision attack on MD5 can also be applied to
  password based challenge-and-response authentication protocols such
  as the APOP option in the Post Office Protocol (POP) used in post
  office authentication as presented in [LEUR2007].

This needs Informative references to POP3 and APOP (both specified in RFC 1939).


3. IANA Considerations

  IANA is requested to update the md5 usage entry in the Hash Function
  Textual Names registry by replacing "COMMON" with "DEPRECATED".

I've checked the IANA registry and the registry defined in Section 8 of
RFC 4572 doesn't specify the usage field for each hash function.
Maybe the registry should have this field, but currently it doesn't.
So I think IANA will be confused by the current instructions.


  [HMAC-MD5]        Cheng, P., and R. Glenn, "Test Cases for HMAC-MD5
                    and HMAC-SHA-1", RC 2201, September 1997.

Should this be "RFC 2202"?
2010-11-24
08 Alexey Melnikov Last Call was requested
2010-11-24
08 (System) Ballot writeup text was added
2010-11-24
08 (System) Last call text was added
2010-11-24
08 (System) Ballot approval text was added
2010-11-24
08 Alexey Melnikov State changed to Last Call Requested from AD Evaluation.
2010-11-23
08 Alexey Melnikov State changed to AD Evaluation from Publication Requested.
2010-11-15
08 Cindy Morgan State changed to Publication Requested from AD is watching.
2010-11-15
08 Cindy Morgan
(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Sean Turner is the document Shepherd. He believes that it is ready for
publication.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

The authors noted this document in a message requesting reviews from both
the saag and cfrg lists. There is no concern about the breadth of reviews.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization, or XML?

The shepherd feels there is no need for a wider review.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here. Has an IPR disclosure related to this document
been filed? If so, please include a reference to the
disclosure and summarize the WG discussion and conclusion on
this issue.

There are no additional concerns that the AD or IESG should be aware of.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

This is not the product of a WG.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

There has been no threat of appeal.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/.) Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type, and URI type reviews? If the document
does not already indicate its intended status at the top of
the first page, please indicate the intended status here.

The shepherd has verified that the document satisfies all ID nits.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

The document does not split its references. All references in this
informative document are normative.

(1.i) Has the Document Shepherd verified that the document's IANA
Considerations section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggest a
reasonable name for the new registry? See [RFC2434]. If the
document describes an Expert Review process, has the Document
Shepherd conferred with the Responsible Area Director so that
the IESG can appoint the needed Expert during IESG Evaluation?

The document shepherd has verified that the IANA considerations section
exists and is consistent with the body of the document.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

There is no formal language in this document.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Write-Up. Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary

This document updates the security considerations for MD5 and HMAC-MD5.

Working Group Summary

The authors asked for comments from the saag and cfrg lists. All of the
comments were received off list. The reviewers are noted in the
acknowledgments section.

Document Quality

Prominent reviewers are noted in the draft's acknowledgment section.

Personnel

Sean Turner is the Document Shepherd.
Alexey Melnikov is the Responsible Area Director.
2010-11-15
08 Cindy Morgan [Note]: 'Sean Turner (turners@ieca.com) is the document shepherd.' added
2010-11-07
07 (System) New version available: draft-turner-md5-seccon-update-07.txt
2010-10-25
06 (System) New version available: draft-turner-md5-seccon-update-06.txt
2010-10-20
05 (System) New version available: draft-turner-md5-seccon-update-05.txt
2010-10-13
04 (System) New version available: draft-turner-md5-seccon-update-04.txt
2010-09-24
03 (System) New version available: draft-turner-md5-seccon-update-03.txt
2010-07-12
02 (System) New version available: draft-turner-md5-seccon-update-02.txt
2010-07-08
01 (System) New version available: draft-turner-md5-seccon-update-01.txt
2010-07-06
08 Alexey Melnikov Draft Added by Alexey Melnikov in state AD is watching
2010-07-06
00 (System) New version available: draft-turner-md5-seccon-update-00.txt