Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms
RFC 6151
Type: RFC - Informational (March 2011; No errata)
Was: draft-turner-md5-seccon-update (individual in sec area)
Authors: Lily Chen, Sean Turner
Last updated: 2015-10-14
Stream: IETF
IESG state: RFC 6151 (Informational)
Responsible AD: Alexey Melnikov
Internet Engineering Task Force (IETF)                         S. Turner
Request for Comments: 6151                                          IECA
Updates: 1321, 2104                                              L. Chen
Category: Informational                                             NIST
ISSN: 2070-1721                                               March 2011

Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms

Abstract

This document updates the security considerations for the MD5 message digest algorithm. It also updates the security considerations for HMAC-MD5.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6151.

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Turner & Chen                 Informational                     [Page 1]
RFC 6151          MD5 and HMAC-MD5 Security Considerations    March 2011

1. Introduction

MD5 [MD5] is a message digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
The published attacks against MD5 show that it is not prudent to use MD5 when collision resistance is required. This document replaces the security considerations in RFC 1321 [MD5].

[HMAC] defined a mechanism for message authentication using cryptographic hash functions. Any message digest algorithm can be used, but the cryptographic strength of HMAC depends on the properties of the underlying hash function. [HMAC-MD5] defined test cases for HMAC-MD5. This document updates the security considerations in [HMAC], which [HMAC-MD5] points to for its security considerations.

[HASH-Attack] summarizes the use of hashes in many protocols and discusses how attacks against a message digest algorithm's one-way and collision-free properties affect and do not affect Internet protocols. Familiarity with [HASH-Attack] is assumed.

One of the uses of message digest algorithms in [HASH-Attack] was integrity protection. Where the MD5 checksum is used inline with the protocol solely to protect against errors, an MD5 checksum is still an acceptable use. Applications and protocols need to clearly state in their security considerations what security services, if any, are expected from the MD5 checksum. In fact, any application and protocol that employs MD5 for any purpose needs to clearly state the expected security services from their use of MD5.

2. Security Considerations

MD5 was published in 1992 as an Informational RFC. Since that time, MD5 has been extensively studied and new cryptographic attacks have been discovered. Message digest algorithms are designed to provide collision, pre-image, and second pre-image resistance. In addition, message digest algorithms are used with a shared secret value for message authentication in HMAC, and in this context, some people may find the guidance for key lengths and algorithm strengths in [SP800-57] and [SP800-131] useful.

MD5 is no longer acceptable where collision resistance is required such as digital signatures.
It is not urgent to stop using MD5 in other ways, such as HMAC-MD5; however, since MD5 must not be used for digital signatures, new protocol designs should not employ HMAC-MD5. Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC] [HMAC-SHA256] and [AES-CMAC] when AES is more readily available than a hash function.

2.1. Collision Resistance

Pseudo-collisions for the compress function of MD5 were first
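The points made in Sections 1 and 2 above can be exercised directly: HMAC is a generic construction whose strength follows the hash that is plugged in, an unkeyed MD5 checksum protects only against accidental errors and not against an adversary who rewrites the message, and HMAC-SHA256 is the suggested replacement for HMAC-MD5. The following Python is an added illustration and is not code from this RFC or from any IETF reference implementation; the function names, the demo key and the sample message are this example's own, constructed for the demonstration. It implements HMAC as defined in RFC 2104 over any hashlib hash, cross-checks the result against test case 1 of RFC 2202 (the [HMAC-MD5] test cases) and the standard library, and contrasts an unkeyed MD5 checksum with a keyed MAC when the attacker can alter the message.

```python
"""HMAC per RFC 2104 over any hashlib hash, and a contrast between an unkeyed
MD5 checksum (error detection only) and a keyed MAC (integrity against an
active attacker).

Added illustration; not code from RFC 6151 or from any IETF implementation.
All names, keys and messages below are this example's own.
"""
import hashlib
import hmac  # stdlib HMAC is used only as a cross-check and for compare_digest


def hmac_rfc2104(hash_ctor, key: bytes, msg: bytes) -> bytes:
    """HMAC(K, text) = H((K XOR opad) || H((K XOR ipad) || text)), RFC 2104 Sec. 2.

    hash_ctor is a hashlib constructor (hashlib.md5, hashlib.sha256, ...).
    The construction is identical for every hash; only the hash changes,
    which is why the strength of HMAC rests on the underlying hash.
    """
    block_size = hash_ctor().block_size   # B = 64 bytes for MD5 and SHA-256
    if len(key) > block_size:
        key = hash_ctor(key).digest()     # keys longer than B are hashed first
    key = key.ljust(block_size, b"\x00")  # then zero-padded to exactly B bytes
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_ctor(ipad + msg).digest()
    return hash_ctor(opad + inner).digest()


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac_rfc2104(hashlib.md5, key, msg)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac_rfc2104(hashlib.sha256, key, msg)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Both instantiations agree with Python's hmac module for this key/msg."""
    return (hmac_md5(key, msg) == hmac.new(key, msg, "md5").digest()
            and hmac_sha256(key, msg) == hmac.new(key, msg, "sha256").digest())


def rfc2202_case1_ok() -> bool:
    """Test case 1 of RFC 2202: key = 16 x 0x0b, data = "Hi There"."""
    tag = hmac_md5(b"\x0b" * 16, b"Hi There")
    return tag.hex() == "9294727a3638bb1c13f48ef8158bfc9d"


def md5_checksum(msg: bytes) -> bytes:
    """Unkeyed MD5 over the message: an error-detection checksum only."""
    return hashlib.md5(msg).digest()


def checksum_detects_corruption(msg: bytes) -> bool:
    """An accidental single-bit flip in transit is caught by the checksum."""
    tag = md5_checksum(msg)
    corrupted = bytes([msg[0] ^ 0x01]) + msg[1:]
    return md5_checksum(corrupted) != tag


def checksum_stops_tampering(msg: bytes) -> bool:
    """An active attacker rewrites the message and recomputes MD5 over it.

    Returns False: the receiver's check passes on attacker-chosen data, so an
    unkeyed MD5 checksum offers no integrity against an adversary, only
    against errors, which is the distinction RFC 6151 Section 1 draws.
    """
    forged_msg = msg.replace(b"100", b"999")
    forged_tag = md5_checksum(forged_msg)        # attacker needs no secret
    receiver_accepts = hmac.compare_digest(md5_checksum(forged_msg), forged_tag)
    return not receiver_accepts


def mac_stops_tampering(key: bytes, msg: bytes) -> bool:
    """With HMAC-SHA256 the attacker, lacking the key, cannot forge a tag.

    The attacker's best attempts are replaying the old tag or attaching an
    unkeyed hash of the forged message; the receiver rejects both.
    """
    forged_msg = msg.replace(b"100", b"999")
    attempts = [hmac_sha256(key, msg), hashlib.sha256(forged_msg).digest()]
    expected = hmac_sha256(key, forged_msg)
    # compare_digest runs in constant time, so verification does not leak
    # how many leading bytes of a candidate tag were correct.
    return not any(hmac.compare_digest(t, expected) for t in attempts)


if __name__ == "__main__":
    key = bytes(range(32))                   # constructed demo key, not a real secret
    msg = b"transfer 100 to account 42"      # constructed sample message
    print("HMAC-MD5    :", hmac_md5(key, msg).hex())
    print("HMAC-SHA256 :", hmac_sha256(key, msg).hex())
    print("RFC 2202 case 1 ok          :", rfc2202_case1_ok())
    print("MD5 checksum detects bit flip:", checksum_detects_corruption(msg))
    print("MD5 checksum stops tampering :", checksum_stops_tampering(msg))
    print("HMAC-SHA256 stops tampering  :", mac_stops_tampering(key, msg))
```

Two things the code makes concrete: switching a protocol from HMAC-MD5 to HMAC-SHA256 changes only the hash passed to the construction (and the tag length, 16 versus 32 bytes), and a protocol that ships an unkeyed MD5 checksum must say so in its security considerations, because the receiver's check is satisfied by anyone who can recompute MD5. AES-CMAC, the other alternative named above, is not in the standard library and is not shown here.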