Technical Summary
This document updates the security considerations for MD5 and HMAC-MD5.
Working Group Summary
The authors asked for comments from the saag and cfrg mailing lists.
All of the comments were received off list. The reviewers are noted in the
acknowledgments section.
Document Quality
Prominent reviewers are noted in the draft's acknowledgment section.
RFC Editor Note
Please replace Section 2 to read:
MD5 was published in 1992 as an Informational RFC. Since that time,
MD5 has been extensively studied and new cryptographic attacks have
been discovered. Message digest algorithms are designed to provide
collision, pre-image, and second pre-image resistance. In addition,
message digest algorithms are used with a shared secret value for
message authentication in HMAC, and in this context, some people may
find the guidance for key lengths and algorithm strengths in
[SP800-57] and [SP800-131] useful.
MD5 is no longer acceptable where collision resistance is required
such as digital signatures. It is not urgent to stop using MD5 in
other ways, such as HMAC-MD5; however, since MD5 must not be used for
digital signatures, new protocol designs should not employ HMAC-MD5.
Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC][HMAC-SHA256] and
[AES-CMAC] when AES is more readily available than a hash function.
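The replacement Section 2 text above says three things a protocol implementer has to act on: MD5 is out wherever collision resistance matters (digital signatures), existing HMAC-MD5 deployments are not an emergency, and new designs should pick HMAC-SHA256 instead. The following is an added illustration, not code from the document or from any IETF reference implementation. It encodes only that MD5-specific guidance in a small policy check and shows HMAC-SHA256 tag computation and constant-time verification with the Python standard library. The function names, the `purpose`/`new_design` parameters and the sample key and message are my own; the sample values are the key and data from RFC 4231 test case 1, used here purely as constructed input.

```python
import hmac

# Constructed sample input: the key and message of RFC 4231 test case 1
# (20 bytes of 0x0b, message "Hi There"), used only as test data here.
SAMPLE_KEY = bytes([0x0b] * 20)
SAMPLE_MSG = b"Hi There"


def md5_use_allowed(alg: str, purpose: str, new_design: bool) -> bool:
    """Apply the updated Section 2 guidance on MD5 (hypothetical helper).

    purpose    -- "signature" (collision resistance required) or "hmac".
    new_design -- True when evaluating a protocol still being designed.

    This only encodes what the text says about MD5; it is not a complete
    algorithm-approval policy for every other hash function.
    """
    alg = alg.lower()
    if purpose == "signature":
        # Digital signatures need collision resistance, which MD5 no longer provides.
        return alg != "md5"
    if purpose == "hmac":
        if alg == "md5":
            # Existing HMAC-MD5 use is "not urgent" to replace, but a new
            # protocol design must not choose it.
            return not new_design
        return True
    raise ValueError(f"unknown purpose: {purpose!r}")


def compute_tag(key: bytes, msg: bytes, alg: str = "sha256") -> bytes:
    """Compute an HMAC tag; the default is HMAC-SHA256, the text's suggested alternative."""
    return hmac.new(key, msg, alg).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, alg: str = "sha256") -> bool:
    """Verify a tag in constant time so a mismatch does not leak its position."""
    return hmac.compare_digest(compute_tag(key, msg, alg), tag)


if __name__ == "__main__":
    tag = compute_tag(SAMPLE_KEY, SAMPLE_MSG)
    print("HMAC-SHA256:", tag.hex())
    print("verify genuine:", verify_tag(SAMPLE_KEY, SAMPLE_MSG, tag))
    print("verify tampered:", verify_tag(SAMPLE_KEY, b"Hi There!", tag))
    for alg, purpose, new in [("md5", "signature", False), ("md5", "hmac", False),
                              ("md5", "hmac", True), ("sha256", "hmac", True)]:
        print(alg, purpose, "new" if new else "existing", "->", md5_use_allowed(alg, purpose, new))
```

`hmac.new` accepts any digest name known to `hashlib`, so the same `compute_tag`/`verify_tag` pair can validate tags from a legacy HMAC-MD5 peer (`alg="md5"`) while the policy check keeps MD5 out of anything new; `hmac.compare_digest` is the comparison to use on the receiving side regardless of which hash is in play.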