Skip to main content

Last Call Review of draft-turner-md4-to-historic-

Request Review of draft-turner-md4-to-historic
Requested revision No specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2010-12-29
Requested 2010-12-03
Authors Sean Turner
I-D last updated 2010-12-16
Completed reviews Secdir Last Call review of -?? by Catherine Meadows
Assignment Reviewer Catherine Meadows
State Completed
Review review-turner-md4-to-historic-secdir-lc-meadows-2010-12-16
Completed 2010-12-16
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document recommends that the MD4 hash algorithm be retired and moved to
historic status and gives the rationale for doing this, namely its known
vulnerability to collision and pre-image attacks. The impact is mostly minimal,
except for three Microsoft RFCs that are still supported in various versions of
 Windows and the RADIUS and EAP RFCs .  It would be helpful to learn what other
algorithms these OSs and RFCs support.  This would give a better idea of the
effect of dropping MD4; if there are other alternatives supported by the OS's
the impact should be minimal here as well.

Other than that, I have no problems with the decision or rationale.  I agree,
as I am sure that everyone else does, that MD4 should be retired.

Some nits:

1.  "Section 6 also discussed" should be "Section 6 also discusses"   This
occurs in several places.

2. " The RC4-HMAC is supported in Microsoft's Windows 2000 and
           later for backwards compatibility with Windows 2000. "
later supported by what?  I assume later versions of Windows, but it is
probably a good idea to make this clear.

3. When you say that with one exception the impact of retiring MD4 would be
minimal, it would be a good idea to mention that exception upfront. It is
fairly clear after you read the whole impact section  that the exception is the
Microsoft RFCs, but nowhere where is that  said explicitly.

4.  I'm not sure wether or not   the discussion of MD4's resistance against key
recovery attack really belongs in the impacts section (in the discussion of
RC4-HMAC).  It might give the impression that RC4-HMAC is secure against key
recovery, and, given the other attacks found against MD4, it is reasonable to
believe that this security is only temporary.  I would suggest putting this
discussion in the security considerations section, and also, wherever it does
end up, adding the appropriate caveats.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows at