Internet Engineering Task Force (IETF) S. Turner
Request for Comments: 6151 IECA
Updates: 1321, 2104 L. Chen
Category: Informational NIST
ISSN: 2070-1721 March 2011
Internet Engineering Task Force (IETF) S. Turner
Request for Comments: 6151 IECA
Updates: 1321, 2104 L. Chen
Category: Informational NIST
ISSN: 2070-1721 March 2011
Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms
更新了MD5消息摘要和HMAC-MD5算法的安全注意事项
Abstract
摘要
This document updates the security considerations for the MD5 message digest algorithm. It also updates the security considerations for HMAC-MD5.
本文档更新了MD5消息摘要算法的安全注意事项。它还更新了HMAC-MD5的安全注意事项。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6151.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6151.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
MD5 [MD5] is a message digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. The published attacks against MD5 show that it is not prudent to use MD5 when collision resistance is required. This document replaces the security considerations in RFC 1321 [MD5].
MD5[MD5]是一种消息摘要算法,它将任意长度的消息作为输入,并生成输入的128位“指纹”或“消息摘要”作为输出。已发布的针对MD5的攻击表明,在需要抗碰撞时使用MD5是不谨慎的。本文件取代了RFC 1321[MD5]中的安全注意事项。
[HMAC] defined a mechanism for message authentication using cryptographic hash functions. Any message digest algorithm can be used, but the cryptographic strength of HMAC depends on the properties of the underlying hash function. [HMAC-MD5] defined test cases for HMAC-MD5. This document updates the security considerations in [HMAC], which [HMAC-MD5] points to for its security considerations.
[HMAC]定义了使用加密哈希函数进行消息身份验证的机制。可以使用任何消息摘要算法,但HMAC的加密强度取决于底层哈希函数的属性。[HMAC-MD5]定义了HMAC-MD5的测试用例。本文档更新了[HMAC]中的安全注意事项,[HMAC-MD5]指出了其安全注意事项。
[HASH-Attack] summarizes the use of hashes in many protocols and discusses how attacks against a message digest algorithm's one-way and collision-free properties affect and do not affect Internet protocols. Familiarity with [HASH-Attack] is assumed. One of the uses of message digest algorithms in [HASH-Attack] was integrity protection. Where the MD5 checksum is used inline with the protocol solely to protect against errors, an MD5 checksum is still an acceptable use. Applications and protocols need to clearly state in their security considerations what security services, if any, are expected from the MD5 checksum. In fact, any application and protocol that employs MD5 for any purpose needs to clearly state the expected security services from their use of MD5.
[哈希攻击]总结了哈希在许多协议中的使用,并讨论了针对消息摘要算法的单向和无冲突属性的攻击如何影响和不影响Internet协议。假设熟悉[哈希攻击]。[哈希攻击]中消息摘要算法的一个用途是完整性保护。如果MD5校验和与协议内联使用仅用于防止错误,则MD5校验和仍然是可接受的用途。应用程序和协议需要在其安全注意事项中明确说明MD5校验和需要哪些安全服务(如果有)。事实上,任何出于任何目的而使用MD5的应用程序和协议都需要清楚地说明使用MD5的预期安全服务。
MD5 was published in 1992 as an Informational RFC. Since that time, MD5 has been extensively studied and new cryptographic attacks have been discovered. Message digest algorithms are designed to provide collision, pre-image, and second pre-image resistance. In addition, message digest algorithms are used with a shared secret value for message authentication in HMAC, and in this context, some people may find the guidance for key lengths and algorithm strengths in [SP800-57] and [SP800-131] useful.
MD5于1992年作为信息RFC发布。从那时起,人们对MD5进行了广泛的研究,并发现了新的密码攻击。消息摘要算法旨在提供冲突、预映像和第二预映像抵抗。此外,在HMAC中,消息摘要算法与共享秘密值一起用于消息身份验证,在这种情况下,一些人可能会发现[SP800-57]和[SP800-131]中有关密钥长度和算法强度的指南很有用。
MD5 is no longer acceptable where collision resistance is required such as digital signatures. It is not urgent to stop using MD5 in other ways, such as HMAC-MD5; however, since MD5 must not be used for digital signatures, new protocol designs should not employ HMAC-MD5. Alternatives to HMAC-MD5 include HMAC-SHA256 [HMAC] [HMAC-SHA256] and [AES-CMAC] when AES is more readily available than a hash function.
MD5不再适用于需要抗碰撞的情况,如数字签名。停止以其他方式使用MD5并不紧急,例如HMAC-MD5;然而,由于MD5不能用于数字签名,新的协议设计不应使用HMAC-MD5。当AES比哈希函数更容易使用时,HMAC-MD5的替代方案包括HMAC-SHA256[HMAC][HMAC-SHA256]和[AES-CMAC]。
Pseudo-collisions for the compress function of MD5 were first described in 1993 [denBBO1993]. In 1996, [DOB1995] demonstrated a collision pair for the MD5 compression function with a chosen initial value. The first paper that demonstrated two collision pairs for MD5 was published in 2004 [WFLY2004]. The detailed attack techniques for MD5 were published at EUROCRYPT 2005 [WAYU2005]. Since then, a lot of research results have been published to improve collision attacks on MD5. The attacks presented in [KLIM2006] can find MD5 collision in about one minute on a standard notebook PC (Intel Pentium, 1.6GHz). [STEV2007] claims that it takes 10 seconds or less on a 2.6Ghz Pentium4 to find collisions. In [STEV2007], [SLdeW2007], [SSALMOdeW2009], and [SLdeW2009], the collision attacks on MD5 were successfully applied to X.509 certificates.
1993年首次描述了MD5压缩函数的伪碰撞[denBBO1993]。1996年,[1995]演示了MD5压缩函数的碰撞对,并选择了初始值。第一篇演示MD5的两个碰撞对的论文发表于2004年[WFLY2004]。MD5的详细攻击技术发表在EUROCRYPT 2005[WAYU2005]上。从那时起,已经发表了许多研究成果来改进MD5上的碰撞攻击。[KLIM2006]中提出的攻击可以在标准笔记本电脑(英特尔奔腾,1.6GHz)上在大约一分钟内发现MD5碰撞。[STEV2007]声称在2.6Ghz奔腾4上查找碰撞只需10秒或更短时间。在[STEV2007]、[SLdeW2007]、[SSALMOdeW2009]和[SLdeW2009]中,MD5上的碰撞攻击成功应用于X.509证书。
Notice that the collision attack on MD5 can also be applied to password-based challenge-and-response authentication protocols such as the APOP (Authenticated Post Office Protocol) option in POP [POP] used in post office authentication as presented in [LEUR2007].
请注意,MD5上的冲突攻击也可应用于基于密码的质询和响应身份验证协议,如[LEUR2007]中所述的邮局身份验证中使用的POP[POP]中的APOP(Authenticated Post Office Protocol)选项。
In fact, more delicate attacks on MD5 to improve the speed of finding collisions have been published recently. However, the aforementioned results have provided sufficient reason to eliminate MD5 usage in applications where collision resistance is required such as digital signatures.
事实上,最近发布了针对MD5的更微妙的攻击,以提高发现碰撞的速度。然而,上述结果提供了充分的理由,可以在需要抗冲突的应用程序(如数字签名)中消除MD5的使用。
Even though the best result can find a pre-image attack of MD5 faster than exhaustive search, as presented in [SAAO2009], the complexity 2^123.4 is still pretty high.
即使最好的结果可以比穷举搜索更快地发现MD5的图像前攻击,如[SAAO2009]所示,复杂性2^123.4仍然相当高。
The cryptanalysis of HMAC-MD5 is usually conducted together with NMAC (Nested MAC) since they are closely related. NMAC uses two independent keys K1 and K2 such that NMAC(K1, K2, M) = H(K1, H(K2, M), where K1 and K2 are used as secret initialization vectors (IVs) for hash function H(IV, M). If we re-write the HMAC equation using two secret IVs such that IV2 = H(K Xor ipad) and IV1 = H(K Xor opad), then HMAC(K, M) = NMAC(IV1, IV2, M). Here it is very important to notice that IV1 and IV2 are not independently selected.
HMAC-MD5的密码分析通常与NMAC(嵌套MAC)一起进行,因为它们密切相关。NMAC使用两个独立的密钥K1和K2,使得NMAC(K1,K2,M)=H(K1,H(K2,M),其中K1和K2被用作哈希函数H(IV,M)的秘密初始化向量(IVs)。如果我们使用两个秘密IVs重写HMAC方程,使得IV2=H(kxor ipad)和IV1=H(kxor opad),那么HMAC(K,M)=NMAC(IV1,IV2,M).这里需要注意的是,IV1和IV2不是独立选择的。
The first analysis was explored on NMAC-MD5 using related keys in [COYI2006]. The partial key recovery attack cannot be extended to HMAC-MD5, since for HMAC, recovering partial secret IVs can hardly lead to recovering (partial) key K. Another paper presented at
在[COYI2006]中,首次使用相关键对NMAC-MD5进行了分析。部分密钥恢复攻击不能扩展到HMAC-MD5,因为对于HMAC,恢复部分秘密IVs很难导致恢复(部分)密钥K
Crypto 2007 [FLN2007] extended results of [COYI2006] to a full key recovery attack on NMAC-MD5. Since it also uses related key attack, it does not seem applicable to HMAC-MD5.
Crypto 2007[FLN2007]将[COYI2006]的结果扩展到NMAC-MD5上的完全密钥恢复攻击。由于它还使用相关的密钥攻击,因此它似乎不适用于HMAC-MD5。
A EUROCRYPT 2009 paper presented a distinguishing attack on HMAC-MD5 [WYWZZ2009] without using related keys. It can distinguish an instantiation of HMAC with MD5 from an instantiation with a random function with 2^97 queries with probability 0.87. This is called distinguishing-H. Using the distinguishing attack, it can recover some bits of the intermediate status of the second block. However, as it is pointed out in [WYWZZ2009], it cannot be used to recover the (partial) inner key H(K Xor ipad). It is not obvious how the attack can be used to form a forgery attack either.
EUROCRYPT 2009年的一篇论文在不使用相关密钥的情况下对HMAC-MD5[WYWZZ2009]提出了一种独特的攻击。它可以区分带有MD5的HMAC实例化和带有概率为0.87的2^97个查询的随机函数实例化。这称为区分-H。使用区分攻击,它可以恢复第二个块中间状态的一些位。但是,正如[WYWZZ2009]中指出的,它不能用于恢复(部分)内部密钥H(K Xor)。也不清楚如何利用该攻击形成伪造攻击。
The attacks on HMAC-MD5 do not seem to indicate a practical vulnerability when used as a message authentication code. Considering that the distinguishing-H attack is different from a distinguishing-R attack, which distinguishes an HMAC from a random function, the practical impact on HMAC usage as a pseudorandom function (PRF) such as in a key derivation function is not well understood.
对HMAC-MD5的攻击似乎并不表明在用作消息身份验证代码时存在实际漏洞。考虑到区分-H攻击不同于区分HMAC与随机函数的区分-R攻击,对HMAC作为伪随机函数(PRF)使用的实际影响(例如在密钥导出函数中)没有很好的理解。
Therefore, it may not be urgent to remove HMAC-MD5 from the existing protocols. However, since MD5 must not be used for digital signatures, for a new protocol design, a ciphersuite with HMAC-MD5 should not be included. Options include HMAC-SHA256 [HMAC] [HMAC-SHA256] and [AES-CMAC] when AES is more readily available than a hash function.
因此,从现有协议中删除HMAC-MD5可能并不紧迫。但是,由于MD5不得用于数字签名,因此对于新的协议设计,不应包括带有HMAC-MD5的密码套件。当AES比哈希函数更容易使用时,选项包括HMAC-SHA256[HMAC][HMAC-SHA256]和[AES-CMAC]。
Obviously, we have to thank all the cryptographers who produced the results we refer to in this document. We'd also like to thank Wesley Eddy, Sam Hartman, Alfred Hoenes, Martin Rex, Benne de Weger, and Lloyd Wood for their comments.
显然,我们必须感谢所有产生我们在本文中提到的结果的密码学家。我们还要感谢卫斯理·艾迪、山姆·哈特曼、阿尔弗雷德·霍恩斯、马丁·雷克斯、本恩·德·韦格和劳埃德·伍德的评论。
[AES-CMAC] Song, JH., Poovendran, R., Lee, J., and T. Iwata, "The AES-CMAC Algorithm", RFC 4493, June 2006.
[AES-CMAC]Song,JH.,Poovendran,R.,Lee,J.,和T.Iwata,“AES-CMAC算法”,RFC 4493,2006年6月。
[COYI2006] S. Contini, Y.L. Yin. Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. ASIACRYPT 2006. LNCS 4284, Springer, 2006.
[COYI2006]S.Contini,Y.L.Yin。使用哈希冲突对HMAC和NMAC进行伪造和部分密钥恢复攻击。亚洲展翅2006。LNCS 4284,斯普林格,2006年。
[denBBO1993] den Boer, B. and A. Bosselaers, "Collisions for the compression function of MD5", Eurocrypt 1993.
[denBBO1993]den Boer,B.和A.Bosselaers,“MD5压缩功能的碰撞”,Eurocrypt 1993。
[DOB1995] Dobbertin, H., "Cryptanalysis of MD5 Compress", Eurocrypt 1996.
[Dobbertin,H.,“MD5压缩的密码分析”,Eurocrypt 1996。
[FLN2007] Fouque, P.-A., Leurent, G., Nguyen, P.Q.: Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5. CRYPTO 2007. LNCS 4622, Springer, 2007.
[FLN2007]Fouque,P.-A.,Leurent,G.,Nguyen,P.Q.:对HMAC/NMAC-MD4和NMAC-MD5的全密钥恢复攻击。加密2007。LNCS 4622,斯普林格,2007年。
[HASH-Attack] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes in Internet Protocols", RFC 4270, November 2005.
[散列攻击]Hoffman,P.和B.Schneier,“对互联网协议中加密散列的攻击”,RFC 42702005年11月。
[HMAC] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[HMAC]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息身份验证的键控哈希”,RFC 2104,1997年2月。
[HMAC-MD5] Cheng, P. and R. Glenn, "Test Cases for HMAC-MD5 and HMAC-SHA-1", RFC 2202, September 1997.
[HMAC-MD5]Cheng,P.和R.Glenn,“HMAC-MD5和HMAC-SHA-1的测试案例”,RFC 2202,1997年9月。
[HMAC-SHA256] Nystrom, M., "Identifiers and Test Vectors for HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512", RFC 4231, December 2005.
[HMAC-SHA256]Nystrom,M.“HMAC-SHA-224、HMAC-SHA-256、HMAC-SHA-384和HMAC-SHA-512的标识符和测试向量”,RFC 42312005年12月。
[KLIM2006] V. Klima. Tunnels in Hash Functions: MD5 Collisions within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006), http://eprint.iacr.org/2006/105.
[KLIM2006]V.Klima。散列函数中的隧道:一分钟内发生MD5冲突。密码学ePrint档案,报告2006/105(2006),http://eprint.iacr.org/2006/105.
[LEUR2007] G. Leurent, Message freedom in MD4 and MD5 collisions: Application to APOP. Proceedings of FSE 2007. Lecture Notes in Computer Science 4715. Springer, 2007.
[LEUR2007]G.Leurent,MD4和MD5碰撞中的消息自由:APOP的应用。FSE 2007年会议记录。计算机科学课堂讲稿4715。斯普林格,2007年。
[MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[MD5]Rivest,R.,“MD5消息摘要算法”,RFC 13211992年4月。
[POP] Myers, J. and M. Rose, "Post Office Protocol - Version 3", STD 53, RFC 1939, May 1996.
[POP]迈尔斯,J.和M.罗斯,“邮局协议-第3版”,STD 53,RFC 1939,1996年5月。
[SAAO2009] Y. Sasaki and K. Aoki. Finding preimages in full MD5 faster than exhaustive search. Advances in Cryptology - EUROCRYPT 2009, LNCS 5479 of Lecture Notes in Computer Science, Springer, 2009.
[SAAO2009]Y.Sasaki和K.Aoki。在完整MD5中查找前图像比穷举搜索更快。密码学进展-EUROCRYPT 2009,LNCS 5479计算机科学课堂讲稿,Springer,2009。
[SLdeW2007] Stevens, M., Lenstra, A., de Weger, B., Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. EuroCrypt 2007.
[SLdeW2007]Stevens,M.,Lenstra,A.,de Weger,B.,为MD5选择前缀冲突,并为不同身份选择冲突的X.509证书。欧洲密码2007。
[SLdeW2009] Stevens, M., Lenstra, A., de Weger, B., "Chosen-prefix Collisions for MD5 and Applications", Journal of Cryptology, 2009.
[SLdeW2009]Stevens,M.,Lenstra,A.,de Weger,B.,“MD5和应用程序的选择前缀冲突”,密码学杂志,2009年。
[SSALMOdeW2009] Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D., and B. de Weger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate, Crypto 2009.
[SSALMOdeW2009]Stevens,M.,Sotirov,A.,Appelbaum,J.,Lenstra,A.,Molnar,D.,Osvik,D.,和B.de Weger。MD5的短前缀冲突和恶意CA证书的创建,Crypto 2009。
[SP800-57] National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.
[SP800-57]国家标准与技术研究所(NIST),特别出版物800-57:关键管理建议-第1部分(修订版),2007年3月。
[SP800-131] National Institute of Standards and Technology (NIST), Special Publication 800-131: DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, June 2010.
[SP800-131]国家标准与技术研究所(NIST),专门出版物800-131:密码算法和密钥大小转换建议草案,2010年6月。
[STEV2007] Stevens, M., "On Collisions for MD5", Master's Thesis, Eindhoven University of Technology, http://www.win.tue.nl/hashclash/ On%20Collisions%20for%20MD5%20-%20M.M.J.%20Stevens.pdf.
史蒂文斯,M.,《关于MD5的碰撞》,硕士论文,埃因霍温理工大学,http://www.win.tue.nl/hashclash/ 对于%20MD5%20-%20M.M.J.%20Stevens.pdf,在%20碰撞%20上。
[WAYU2005] X. Wang and H. Yu. How to Break MD5 and other Hash Functions. LNCS 3494. Advances in Cryptology - EUROCRYPT2005, Springer, 2005.
[WAYU2005]X.Wang和H.Yu。如何中断MD5和其他哈希函数。LNCS 3494。密码学进展-欧洲密码2005,斯普林格,2005。
[WFLY2004] X. Wang, D. Feng, X. Lai, H. Yu, Collisions for Hash
Functions MD4, MD5, HAVAL-128 and RIPEMD, 2004,
http://eprint.iacr.org/2004/199.pdf
[WFLY2004] X. Wang, D. Feng, X. Lai, H. Yu, Collisions for Hash
Functions MD4, MD5, HAVAL-128 and RIPEMD, 2004,
http://eprint.iacr.org/2004/199.pdf
[WYWZZ2009] X. Wang, H. Yu, W. Wang, H. Zhang, and T. Zhan. Cryptanalysis of HMAC/NMAC-MD5 and MD5-MAC. LNCS 5479. Advances in Cryptology - EUROCRYPT2009, Springer, 2009.
[WYWZZ2009]X.Wang,H.Yu,W.Wang,H.Zhang,T.Zhan。HMAC/NMAC-MD5和MD5-MAC的密码分析。LNCS 5479。密码学进展-欧洲密码2009,斯普林格,2009。
Authors' Addresses
作者地址
Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 USA
Sean Turner IECA,Inc.美国弗吉尼亚州费尔法克斯市努特利街3057号106室,邮编22031
EMail: turners@ieca.com
EMail: turners@ieca.com
Lily Chen National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA
美国马里兰州盖瑟斯堡邮政站8930号,美国马里兰州盖瑟斯堡市局道100号,Lily Chen国家标准与技术研究所,邮编20899-8930
EMail: lily.chen@nist.gov
EMail: lily.chen@nist.gov