Dave Cridland wrote:

>> ISSUE #3: Which hashing algorithms?
>>
>> Description: The Council discussion seemed to assume that version 1.5 [4] says SHA-1 is mandatory-to-implement ("MTI"). In fact, version 1.5 does not mandate implementation of any specific algorithm. Be that as it may, some Council members suggested that we recommend MD5 instead of SHA-1 (the only concrete reason I heard in the meeting is that MD5 output is smaller).
>
> (Kind of. One issue is that MD5 might actually be more secure.)

Far be it from me to weigh in on such issues, because I am not a cryptographer by any means. However, I have read some of the papers referred to from RFC 4270 and some of the URLs you posted. It seems to me that both MD5 and the SHA family use the Damgård-Merkle construction (the "standard" way of making iterated hash functions). So are both MD5 and SHA-1 subject to some of the same vulnerabilities? Are there (again, potential) vulnerabilities that SHA-1 is subject to but MD5 is not? For example, Kelsey and Schneier 2004 suggests a line of reasoning whereby SHA-1 could more easily be subject to a preimage attack than previously thought when large messages are used (for us that would equate to a large value of "S" in XEP-0115), but the input messages are on the order of 2^55 blocks long *and* they don't need to match any kind of defined structure (as a message would have to in order to be used in a preimage attack against entity capabilities).

I will try to expand upon the text describing the (potential) preimage attack so that we define it more clearly.

Peter

--
Peter Saint-Andre
https://stpeter.im/
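To make the size argument in the message above concrete, here is an added example (not code from the thread or from the XSF): it assembles an XEP-0115-style verification string S from a disco#info identity and feature list, hashes it with a hashlib algorithm chosen by name (so SHA-1 and MD5 can be compared side by side), and counts how many 512-bit Merkle-Damgård compression blocks such an S actually occupies, which is what the 2^55-block figure from Kelsey and Schneier should be weighed against. The S layout ("category/type/lang/name<" for each sorted identity, then each sorted feature followed by "<", extended forms omitted) is my reading of XEP-0115 version 1.5 and is an assumption here; the identity and feature values are constructed sample data.

```python
import base64
import hashlib

# Constructed sample disco#info content (assumption: not taken from the thread).
IDENTITIES = [("client", "pc", "", "Exodus 0.9.1")]
FEATURES = [
    "http://jabber.org/protocol/muc",
    "http://jabber.org/protocol/disco#items",
    "http://jabber.org/protocol/caps",
    "http://jabber.org/protocol/disco#info",
]


def build_s(identities, features):
    """Assemble the verification string S.

    Assumed XEP-0115 v1.5 layout: identities sorted by category, type and
    language, each rendered as 'category/type/lang/name<'; then features
    sorted lexicographically, each followed by '<'. Extended forms omitted.
    """
    ident = sorted(identities, key=lambda i: (i[0], i[1], i[2]))
    parts = ["/".join(i) + "<" for i in ident]
    parts += [f + "<" for f in sorted(features)]
    return "".join(parts)


def ver(identities, features, algo="sha1"):
    """Return base64(hash(S)) for the named hashlib algorithm (e.g. 'sha1', 'md5')."""
    s = build_s(identities, features).encode("utf-8")
    digest = hashlib.new(algo, s).digest()
    return base64.b64encode(digest).decode("ascii")


def digest_len(algo):
    """Raw digest size in bytes for the named algorithm (16 for MD5, 20 for SHA-1)."""
    return hashlib.new(algo).digest_size


def md_blocks(s_bytes, block_size=64):
    """Number of 512-bit compression-function blocks S occupies after
    Merkle-Damgård padding (one 0x80 byte plus an 8-byte length field),
    the same padding scheme MD5 and SHA-1 both use."""
    padded = len(s_bytes) + 1 + 8
    return -(-padded // block_size)  # ceiling division


def compare(identities, features, algos=("sha1", "md5")):
    """Summarise, per algorithm, the caps hash and the block count of S."""
    s = build_s(identities, features).encode("utf-8")
    return {
        algo: {
            "ver": ver(identities, features, algo),
            "digest_bytes": digest_len(algo),
            "s_blocks": md_blocks(s),
        }
        for algo in algos
    }


if __name__ == "__main__":
    for algo, info in compare(IDENTITIES, FEATURES).items():
        print(algo, info)
```

The block count is the practical takeaway: a realistic S is a handful of 64-byte blocks, many orders of magnitude below the 2^55-block regime the cited paper needs, and a forged S would additionally have to parse as a valid, sorted identity/feature list, which is the structural constraint the message points out.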
