diff options
Diffstat (limited to 'doc/rfc/rfc6150.txt')
-rw-r--r-- | doc/rfc/rfc6150.txt | 563 |
1 files changed, 563 insertions, 0 deletions
diff --git a/doc/rfc/rfc6150.txt b/doc/rfc/rfc6150.txt new file mode 100644 index 0000000..8b61e52 --- /dev/null +++ b/doc/rfc/rfc6150.txt @@ -0,0 +1,563 @@ + + + + + + +Internet Engineering Task Force (IETF) S. Turner +Request for Comments: 6150 IECA +Obsoletes: 1320 L. Chen +Category: Informational NIST +ISSN: 2070-1721 March 2011 + + + MD4 to Historic Status + +Abstract + + This document retires RFC 1320, which documents the MD4 algorithm, + and discusses the reasons for doing so. This document moves RFC 1320 + to Historic status. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6150. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + + + +Turner & Chen Informational [Page 1] + +RFC 6150 MD2 to Historic Status March 2011 + + +1. Introduction + + MD4 [MD4] is a message digest algorithm that takes as input a message + of arbitrary length and produces as output a 128-bit "fingerprint" or + "message digest" of the input. This document retires [MD4]. + Specifically, this document moves RFC 1320 [MD4] to Historic status. + The reasons for taking this action are discussed. + + [HASH-Attack] summarizes the use of hashes in many protocols and + discusses how attacks against a message digest algorithm's one-way + and collision-free properties affect and do not affect Internet + protocols. Familiarity with [HASH-Attack] is assumed. + +2. Rationale + + MD4 was published in 1992 as an Informational RFC. Since its + publication, MD4 has been under attack [denBORBOS1992] [DOBB1995] + [DOBB1996] [GLRW2010] [WLDCY2005] [LUER2008]. In fact, RSA, in 1996, + suggested that MD4 should not be used [RSA-AdviceOnMD4]. Microsoft + also made similar statements [MS-AdviceOnMD4]. + + In Section 6, this document discusses attacks against MD4 that + indicate use of MD4 is no longer appropriate when collision + resistance is required. Section 6 also discusses attacks against + MD4's pre-image and second pre-image resistance. Additionally, + attacks against MD4 used in message authentication with a shared + secret (i.e., HMAC-MD4) are discussed. + +3. Documents that Reference RFC 1320 + + Use of MD4 has been specified in the following RFCs: + + Internet Standard (IS): + + o [RFC2289] A One-Time Password System. + + Draft Standard (DS): + + o [RFC1629] Guidelines for OSI NSAP Allocation in the Internet. + + Proposed Standard (PS): + + o [RFC3961] Encryption and Checksum Specifications for Kerberos 5. + + Best Current Practice (BCP): + + o [RFC4086] Randomness Requirements for Security. + + + + +Turner & Chen Informational [Page 2] + +RFC 6150 MD2 to Historic Status March 2011 + + + Informational: + + o [RFC1760] The S/KEY One-Time Password System. + + o [RFC1983] Internet Users' Glossary. + + o [RFC2433] Microsoft PPP CHAP Extensions. + + o [RFC2759] Microsoft PPP CHAP Extensions, Version 2. + + o [RFC3174] US Secure Hash Algorithm 1 (SHA1). + + o [RFC4757] The RC4-HMAC Kerberos Encryption Types Used by + Microsoft Windows. + + o [RFC5126] CMS Advanced Electronic Signatures (CAdES). + + There are other RFCs that refer to MD2, but they have been either + moved to Historic status or obsoleted by a later RFC. References and + discussions about these RFCs are omitted. The notable exceptions + are: + + o [RFC2313] PKCS #1: RSA Encryption Version 1.5. + + o [RFC2437] PKCS #1: RSA Cryptography Specifications Version 2.0. + + o [RFC3447] Public-Key Cryptography Standards (PKCS) #1: RSA + Cryptography Specifications Version 2.1. + +4. Impact of Moving MD4 to Historic + + The impact of moving MD4 to Historic is minimal with the one + exception of Microsoft's use of MD4 as part of RC4-HMAC in Windows, + as described below. + + Regarding DS, PS, and BCP RFCs: + + o The initial One-Time Password systems, based on [RFC2289], have + ostensibly been replaced by HMAC-based mechanism, as specified in + "HOTP: An HMAC-Based One-Time Password Algorithm" [RFC4226]. + [RFC4226] suggests following recommendations in [RFC4086] for + random input, and in [RFC4086] weaknesses of MD4 are discussed. + + o MD4 was used in the Inter-Domain Routing Protocol (IDRP); each IDRP + message carries a 16-octet hash that is computed by applying the + MD-4 algorithm (RFC 1320) to the context of the message itself. + Over time, IDRP was replaced by BGP-4 [RFC4271], which required at + least [MD5]. + + + +Turner & Chen Informational [Page 3] + +RFC 6150 MD2 to Historic Status March 2011 + + + o Kerberos Version 5 [RFC3961] specifies the use of MD4 for DES + encryption types and checksum types. They were specified, never + really used, and are in the process of being deprecated by + [DES-DIE]. Further, the mandatory-to-implement encrypted types and + checksum types specified by Kerberos are based on AES-256 and HMAC- + SHA1 [RFC3962]. + + Regarding Informational RFCs: + + o PKCS#1 v1.5 [RFC2313] indicated that there was no reason to not use + MD4. PKCS#1 v2.0 [RFC2437] and v2.1 [RFC3447] recommend against + MD4 due to cryptoanalytic progress having uncovered weaknesses in + the collision resistance of MD4. + + o Randomness Requirements [RFC4086] does mention MD4, but not in a + good way; it explains how the algorithm works and that there have + been a number of attacks found against it. + + o The "Internet Users' Glossary" [RFC1983] provided a definition for + Message Digest and listed MD4 as one example. + + o The IETF OTP specification [RFC2289] was based on S/KEY technology. + So S/KEY was replaced by OTP, at least in theory. Additionally, + the S/KEY implementations in the wild have started to use MD5 in + lieu of MD4. + + o The CAdES document [RFC5126] lists MD4 as a hash algorithm, + disparages it, and then does not mention it again. + + o The SHA-1 document [RFC3174] mentions MD4 in the acknowledgements + section. + + o The three RFCs describing Microsoft protocols, [RFC2433], + [RFC2759], and [RFC4757], are very widely deployed as MS-CHAP v1, + MS-CHAP v2, and RC4-HMAC, respectively. + + o MS-CHAP Version 1 is supported in Microsoft's Windows XP, 2000, + 98, 95, NT 4.0, NT 3.51, and NT 3.5, but support has been + dropped in Vista. MS-CHAP Version 2 is supported in Microsoft's + Windows 7, Vista, XP, 2000, 98, 95, and NT 4.0. Both versions + of MS-CHAP are also supported by RADIUS [RFC2548] and the + Extensible Authentication Protocol (EAP) [RFC5281]. In 2007, + [RFC4962] listed MS-CHAP v1 and v2 as flawed and recommended + against their use; these incidents were presented as a strong + indication for the necessity of built-in crypto-algorithm + agility in Authentication, Authorization, and Accounting (AAA) + protocols. + + + + +Turner & Chen Informational [Page 4] + +RFC 6150 MD2 to Historic Status March 2011 + + + o The RC4-HMAC is supported in Microsoft's Windows 2000 and later + versions of Windows for backwards compatibility with Windows + 2000. As [RFC4757] stated, RC4-HMAC doesn't rely on the + collision resistance property of MD4, but uses it to generate a + key from a password, which is then used as input to HMAC-MD5. + For an attacker to recover the password from RC4-HMAC, the + attacker first needs to recover the key that is used with HMAC- + MD5. As noted in [RFC6151], key recovery attacks on HMAC-MD5 + are not yet practical. + +5. Other Considerations + + rsync [RSYNC], a non-IETF protocol, once specified the use of MD4, + but as of version 3.0.0 published in 2008, it has adopted MD5 [MD5]. + +6. Security Considerations + + This section addresses attacks against MD4's collisions, pre-image, + and second pre-image resistance. Additionally, attacks against HMAC- + MD4 are discussed. + + Some may find the guidance for key lengths and algorithm strengths in + [SP800-57] and [SP800-131] useful. + +6.1. Collision Resistance + + A practical attack on MD4 was shown by Dobbertin in 1996 with + complexity 2^20 of MD4 hash computations [DOBB1996]. In 2004, a more + devastating result presented by Xiaoyun Wang showed that the + complexity can be reduced to 2^8 of MD4 hash operations. At the Rump + Session of Crypto 2004, Wang said that as a matter of fact, finding a + collision of MD4 can be accomplished with a pen on a piece of paper. + The formal result was presented at EUROCRYPT 2005 in [WLDCY2005]. + +6.2. Pre-Image and Second Pre-Image Resistance + + The first pre-image attack on full MD4 was accomplished in [LUER2008] + with complexity 2^100. Some improvements are shown on pre-image + attacks and second pre-image attacks of MD4 with certain pre- + computations [GLRW2010], where complexity is reduced to 2^78.4 and + 2^69.4 for pre-image and second pre-image, respectively. The pre- + image attacks on MD4 are practical. It cannot be used as a one-way + function. For example, it must not be used to hash a cryptographic + key of 80 bits or longer. + + + + + + + +Turner & Chen Informational [Page 5] + +RFC 6150 MD2 to Historic Status March 2011 + + +6.3. HMAC + + The attacks on Hash-based Message Authentication Code (HMAC) + algorithms [RFC2104] presented so far can be classified in three + types: distinguishing attacks, existential forgery attacks, and key + recovery attacks. Of course, among all these attacks, key recovery + attacks are the most severe attacks. + + The best results on key recovery attacks on HMAC-MD4 were published + at EUROCRYPT 2008 with 2^72 queries and 2^77 MD4 computations + [WOK2008]. + +7. Recommendation + + Despite MD4 seeing some deployment on the Internet, this + specification obsoletes [MD4] because MD4 is not a reasonable + candidate for further standardization and should be deprecated in + favor of one or more existing hash algorithms (e.g., SHA-256 [SHS]). + + RSA Security considers it appropriate to move the MD4 algorithm to + Historic status. + + It takes a number of years to deploy crypto and it also takes a + number of years to withdraw it. Algorithms need to be withdrawn + before a catastrophic break is discovered. MD4 is clearly showing + signs of weakness, and implementations should strongly consider + removing support and migrating to another hash algorithm. + +8. Acknowledgements + + We'd like to thank RSA for publishing MD4. Obviously, we have to + thank all the cryptographers who produced the results we refer to in + this document. We'd also like to thank Ran Atkinson, Sue Hares, Sam + Hartman, Alfred Hoenes, John Linn, Catherine Meadows, Magnus Nystrom, + and Martin Rex for their input. + +9. Informative References + + [denBORBOS1992] + B. den Boer and A. Bosselaers. An attack on the last two + rounds of MD4. In Advances in Cryptology - Crypto '91, + pages 194-203, Springer-Verlag, 1992. + + [DES-DIE] Astrand, L., "Deprecate DES support for Kerberos", Work + in Progress, July 2010. + + [DOBB1995] H. Dobbertin. Alf swindles Ann. CryptoBytes, 1(3): 5, + 1995. + + + +Turner & Chen Informational [Page 6] + +RFC 6150 MD2 to Historic Status March 2011 + + + [DOBB1996] H. Dobbertin. Cryptanalysis of MD4. In Proceedings of + the 3rd Workshop on Fast Software Encryption, Cambridge, + U.K., pages 53-70, Lecture Notes in Computer Science + 1039, Springer-Verlag, 1996. + + [GLRW2010] Guo, J., Ling, S., Rechberger, C., and H. Wang, "Advanced + Meet-in-the-Middle Preimage Attacks: First Results on + Full Tiger, and Improved Results on MD4 and SHA-2", + http://eprint.iacr.org/2010/016.pdf. + + [HASH-Attack] + Hoffman, P. and B. Schneier, "Attacks on Cryptographic + Hashes in Internet Protocols", RFC 4270, November 2005. + + [LUER2008] G. Leurent. MD4 is Not One-Way. Fast Software + Encryption 2008, Lausanne, Switzerland, February 10-13, + 2008, LNCS 5086. Springer, 2008. + + [MD4] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, + April 1992. + + [MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, + April 1992. + + [MS-AdviceOnMD4] + Howard, M., "Secure Habits: 8 Simple Rules For Developing + More Secure Code", http://msdn.microsoft.com/ + en-us/magazine/cc163518.aspx#S6. + + [RFC1629] Colella, R., Callon, R., Gardner, E., and Y. Rekhter, + "Guidelines for OSI NSAP Allocation in the Internet", RFC + 1629, May 1994. + + [RFC1760] Haller, N., "The S/KEY One-Time Password System", RFC + 1760, February 1995. + + [RFC1983] Malkin, G., Ed., "Internet Users' Glossary", FYI 18, RFC + 1983, August 1996. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, February + 1997. + + [RFC2289] Haller, N., Metz, C., Nesser, P., and M. Straw, "A One- + Time Password System", STD 61, RFC 2289, February 1998. + + [RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC + 2313, March 1998. + + + +Turner & Chen Informational [Page 7] + +RFC 6150 MD2 to Historic Status March 2011 + + + [RFC2433] Zorn, G. and S. Cobb, "Microsoft PPP CHAP Extensions", + RFC 2433, October 1998. + + [RFC2437] Kaliski, B., and J. Staddon, "PKCS #1: RSA Cryptography + Specifications Version 2.0", RFC 2437, October 1998. + + [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", + RFC 2548, March 1999. + + [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC + 2759, January 2000. + + [RFC3174] Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm + 1 (SHA1)", RFC 3174, September 2001. + + [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography + Standards (PKCS) #1: RSA Cryptography Specifications + Version 2.1", RFC 3447, February 2003. + + [RFC3961] Raeburn, K., "Encryption and Checksum Specifications for + Kerberos 5", RFC 3961, February 2005. + + [RFC3962] Raeburn, K., "Advanced Encryption Standard (AES) + Encryption for Kerberos 5", RFC 3962, February 2005. + + [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, + "Randomness Requirements for Security", BCP 106, RFC + 4086, June 2005. + + [RFC4226] M'Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., + and O. Ranen, "HOTP: An HMAC-Based One-Time Password + Algorithm", RFC 4226, December 2005. + + [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A + Border Gateway Protocol 4 (BGP-4)", RFC 4271, January + 2006. + + [RFC4757] Jaganathan, K., Zhu, L., and J. Brezak, "The RC4-HMAC + Kerberos Encryption Types Used by Microsoft Windows", RFC + 4757, December 2006. + + [RFC4962] Housley, R. and B. Aboba, "Guidance for Authentication, + Authorization, and Accounting (AAA) Key Management", BCP + 132, RFC 4962, July 2007. + + [RFC5126] Pinkas, D., Pope, N., and J. Ross, "CMS Advanced + Electronic Signatures (CAdES)", RFC 5126, March 2008. + + + + +Turner & Chen Informational [Page 8] + +RFC 6150 MD2 to Historic Status March 2011 + + + [RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication + Protocol Tunneled Transport Layer Security Authenticated + Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008. + + [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations + for the MD5 Message-Digest and the HMAC-MD5 Algorithms", + RFC 6151, March 2011. + + [RSA-AdviceOnMD4] + Robshaw, M.J.B., "On Recent Results for MD2, MD4 and + MD5", November 1996, + ftp://ftp.rsasecurity.com/pub/pdfs/bulletn4.pdf. + + [RSYNC] rsync web pages, http://www.samba.org/rsync/. + + [SHS] National Institute of Standards and Technology (NIST), + FIPS Publication 180-3: Secure Hash Standard, October + 2008. + + [SP800-57] National Institute of Standards and Technology (NIST), + Special Publication 800-57: Recommendation for Key + Management - Part 1 (Revised), March 2007. + + [SP800-131] National Institute of Standards and Technology (NIST), + Special Publication 800-131: DRAFT Recommendation for the + Transitioning of Cryptographic Algorithms and Key Sizes, + June 2010. + + [WLDCY2005] X. Wang, X. Lai, D. Feng, H. Chen, and X. Yu, + Cryptanalysis of Hash Functions MD4 and RIPEMD, LNCS + 3944, Advances in Cryptology - EUROCRYPT2005, Springer, + 2005. + + [WOK2008] L. Wang, K. Ohta, and N. Kunihiro, New Key-recovery + Attacks on HMAC/NMAC-MD4 and NMAC-MD5, EUROCRYPT 2008, + LNCS 4965, Springer, 2008. + + + + + + + + + + + + + + + +Turner & Chen Informational [Page 9] + +RFC 6150 MD2 to Historic Status March 2011 + + +Authors' Addresses + + Sean Turner + IECA, Inc. + 3057 Nutley Street, Suite 106 + Fairfax, VA 22031 + USA + + EMail: turners@ieca.com + + Lily Chen + National Institute of Standards and Technology + 100 Bureau Drive, Mail Stop 8930 + Gaithersburg, MD 20899-8930 + USA + + EMail: lily.chen@nist.gov + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Turner & Chen Informational [Page 10] + |