Internet Engineering Task Force (IETF) S. Turner Request for Comments: 6149 IECA Obsoletes: 1319 L. Chen Category: Informational NIST ISSN: 2070-1721 March 2011
Internet Engineering Task Force (IETF) S. Turner Request for Comments: 6149 IECA Obsoletes: 1319 L. Chen Category: Informational NIST ISSN: 2070-1721 March 2011
MD2 to Historic Status
MD2的历史地位
Abstract
摘要
This document retires MD2 and discusses the reasons for doing so. This document moves RFC 1319 to Historic status.
本文将停用MD2,并讨论这样做的原因。本文件将RFC 1319移至历史状态。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6149.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6149.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
MD2 [MD2] is a message digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This document retires MD2. Specifically, this document moves RFC 1319 [MD2] to Historic status. The reasons for taking this action are discussed.
MD2[MD2]是一种消息摘要算法,它将任意长度的消息作为输入,并生成输入的128位“指纹”或“消息摘要”作为输出。此文档使MD2失效。具体而言,本文件将RFC 1319[MD2]移至历史状态。讨论了采取这一行动的原因。
[HASH-Attack] summarizes the use of hashes in many protocols and discusses how attacks against a message digest algorithm's one-way and collision-free properties affect and do not affect Internet protocols. Familiarity with [HASH-Attack] is assumed.
[哈希攻击]总结了哈希在许多协议中的使用,并讨论了针对消息摘要算法的单向和无冲突属性的攻击如何影响和不影响Internet协议。假设熟悉[哈希攻击]。
MD2 was published in 1992 as an Informational RFC. Since its publication, MD2 has been shown to not be collision-free [ROCH1995] [KNMA2005] [ROCH1997], albeit successful collision attacks for properly implemented MD2 are not that damaging. Successful pre-image and second pre-image attacks against MD2 have been shown [KNMA2005] [MULL2004] [KMM2010].
MD2于1992年作为信息RFC出版。自其发布以来,MD2已被证明不是无碰撞的[ROCH1995][KNMA2005][ROCH1997],尽管正确实施MD2的成功碰撞攻击没有那么大的破坏性。已显示针对MD2的成功预映像和第二次预映像攻击[KNM2005][MULL2004][KMM2010]。
Use of MD2 has been specified in the following RFCs:
以下RFC中规定了MD2的使用:
Proposed Standard (PS):
建议标准(PS):
o [RFC3279] Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
o [RFC3279]Internet X.509公钥基础结构证书和证书吊销列表(CRL)配置文件的算法和标识符。
o [RFC4572] Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP).
o [RFC4572]会话描述协议(SDP)中传输层安全(TLS)协议上的面向连接的媒体传输。
Informational:
信息性:
o [RFC1983] Internet Users' Glossary.
o [RFC1983]互联网用户词汇表。
o [RFC2315] PKCS #7: Cryptographic Message Syntax Version 1.5.
o [RFC2315]PKCS#7:加密消息语法版本1.5。
o [RFC2898] PKCS #5: Password-Based Cryptography Specification Version 2.0.
o [RFC2898]PKCS#5:基于密码的加密规范版本2.0。
o [RFC3447] Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1.
o [RFC3447]公钥加密标准(PKCS)#1:RSA加密规范版本2.1。
Experimental:
实验性:
o [RFC2660] The Secure HyperText Transfer Protocol.
o [RFC2660]安全超文本传输协议。
There are other RFCs that refer to MD2, but they have been either moved to Historic status or obsoleted by a later RFC. References and discussions about these RFCs are omitted. The exceptions are:
还有其他引用MD2的RFC,但它们要么已被移至历史状态,要么已被后来的RFC淘汰。关于这些RFC的参考和讨论被省略。例外情况如下:
o [RFC2313] PKCS #1: RSA Encryption Version 1.5.
o [RFC2313]PKCS#1:RSA加密版本1.5。
o [RFC2437] PKCS #1: RSA Cryptography Specifications Version 2.0.
o [RFC2437]PKCS#1:RSA加密规范2.0版。
The impact of moving MD2 to Historic on the RFCs specified in Section 3 is minimal, as described below.
如下文所述,将MD2移动到历史位置对第3节中规定的RFC的影响最小。
Regarding PS RFCs:
关于PS RFC:
o MD2 support in TLS was dropped in TLS 1.1.
o TLS 1.1中删除了TLS中的MD2支持。
o MD2 support is optional in [RFC4572], and SHA-1 is specified as the preferred algorithm.
o MD2支持在[RFC4572]中是可选的,SHA-1被指定为首选算法。
o MD2 is included in the original PKIX certificate profile and the PKIX algorithm document [RFC3279] for compatibility with older applications, but its use is discouraged. SHA-1 is identified as the preferred algorithm for the Internet PKI.
o MD2包含在原始PKIX证书配置文件和PKIX算法文档[RFC3279]中,以与旧应用程序兼容,但不鼓励使用。SHA-1被确定为互联网PKI的首选算法。
Regarding Informational RFCs:
关于信息RFC:
o The Internet Users' Guide [RFC1983] provided a definition for Message Digest and listed MD2 as one example.
o 互联网用户指南[RFC1983]提供了消息摘要的定义,并将MD2列为一个示例。
o PKCS#1 v1.5 [RFC2313] stated that there are no known attacks against MD2. PKCS#1 v2.0 [RFC2437] updated this stance to indicate that MD2 should only be supported for backward compatibility and to mention the attacks in [ROCH1995]. PKCS#1 [RFC3447] indicates that support of MD2 is only retained for compatibility with existing applications.
o PKCS#1 v1.5[RFC2313]表示,目前还没有针对MD2的已知攻击。PKCS#1 v2.0[RFC2437]更新了这一立场,指出MD2只应支持向后兼容性,并提及[1995]中的攻击。PKCS#1[RFC3447]表明,MD2的支持仅在与现有应用程序兼容时才保留。
o PKCS#5 [RFC2898] recommends that the Password-Based Encryption Scheme (PBES) that uses MD2 not be used for new applications.
o PKCS#5[RFC2898]建议新应用程序不要使用使用MD2的基于密码的加密方案(PBES)。
o PKCS#7 [RFC2315] was replaced by a series of Standards Track publications, "Cryptographic Message Syntax" [RFC2630] [RFC3369] [RFC5652] and "Cryptographic Message Syntax (CMS) Algorithms" [RFC3370]. Support for MD2 was dropped in [RFC3370].
o PKCS#7[RFC2315]被一系列标准轨道出版物所取代,“加密消息语法”[RFC2630][RFC3369][RFC5652]和“加密消息语法(CMS)算法”[RFC3370]。[RFC3370]中放弃了对MD2的支持。
RFC 2818, "HTTP Over TLS", which does not reference MD2, largely supplanted implementation of [RFC2660]. [RFC2660] specified MD2 for use both as a digest algorithm and as a MAC (Message Authentication Code) algorithm [RFC2104]. Note that this is the only reference to HMAC-MD2 found in the RFC repository.
RFC 2818,“HTTP Over TLS”,它没有引用MD2,在很大程度上取代了[RFC2660]的实现。[RFC2660]指定MD2用作摘要算法和MAC(消息身份验证码)算法[RFC2104]。请注意,这是在RFC存储库中找到的对HMAC-MD2的唯一引用。
MD2 has also fallen out of favor because it is slower than both MD4 [MD4] and MD5 [MD5]. This is because MD2 was optimized for 8-bit machines, while MD4 and MD5 were optimized for 32-bit machines. MD2 is also slower than the Secure Hash Standard (SHS) [SHS] algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
MD2也不受欢迎,因为它比MD4[MD4]和MD5[MD5]都慢。这是因为MD2针对8位机器进行了优化,而MD4和MD5针对32位机器进行了优化。MD2也比安全哈希标准(SHS)[SHS]算法慢:SHA-1、SHA-224、SHA-256、SHA-384和SHA-512。
MD2 is different from MD4 and MD5 in that is not a straight Merkle-Damgaard design. For a padded message with t blocks, it generates a nonlinear checksum as its t+1 block. The checksum is considered as the final block input of MD2.
MD2与MD4和MD5的不同之处在于它不是一种直接的Merkle-Damgaard设计。对于具有t块的填充消息,它生成一个非线性校验和作为其t+1块。校验和被视为MD2的最终块输入。
As confirmed in 1997 by Rogier et al. [ROCH1997], the collision resistance property of MD2 highly depends on the nonlinear checksum. Without the checksum, a collision can be found in 2^12 MD2 operations, while with the checksum, the best collision attack takes 2^63.3 operations with 2^50 memory complexity [MULL2004], which is not significantly better than the birthday attack.
正如Rogier等人[1997]在1997年确认的那样,MD2的抗碰撞性能高度依赖于非线性校验和。如果没有校验和,可以在2^12 MD2操作中发现冲突,而使用校验和,最好的冲突攻击采用2^63.3操作,内存复杂度为2^50[MULL2004],这并没有明显优于生日攻击。
Even though collision attacks on MD2 are not significantly more powerful than the birthday attack, MD2 was found not to be one-way. In [KMM2010], a pre-image can be found with 2^104 MD2 operations. In an improved attack described in [KMM2010], a pre-image can be found in 2^73 MD2 operations. Because of this "invertible" property of MD2, when using MD2 in HMAC, it may leak information of the keys.
尽管MD2上的碰撞攻击并不明显比生日攻击更强大,但MD2并不是单向的。在[KMM2010]中,可以找到具有2^104 MD2操作的预映像。在[KMM2010]中描述的改进攻击中,可以在2^73 MD2操作中找到预映像。由于MD2的这种“可逆”特性,在HMAC中使用MD2时,可能会泄漏密钥信息。
Obviously, the pre-image attack can be used to find a second pre-image. The second pre-image attack is even more severe than a collision attack to digital signatures. Therefore, MD2 must not be used for digital signatures.
显然,预映像攻击可用于查找第二个预映像。第二种图像前攻击甚至比对数字签名的碰撞攻击更严重。因此,MD2不能用于数字签名。
Some may find the guidance for key lengths and algorithm strengths in [SP800-57] and [SP800-131] useful.
有些人可能会发现[SP800-57]和[SP800-131]中关于密钥长度和算法强度的指南很有用。
Despite MD2 seeing some deployment on the Internet, this specification recommends obsoleting MD2. MD2 is not a reasonable candidate for further standardization and should be deprecated in favor of one or more existing hash algorithms (e.g., SHA-256 [SHS]).
尽管MD2在Internet上有一些部署,但本规范建议淘汰MD2。MD2不是进一步标准化的合理候选者,应该反对使用一个或多个现有哈希算法(例如SHA-256[SHS])。
RSA Security considers it appropriate to move the MD2 algorithm to Historic status.
RSA Security认为将MD2算法移动到历史状态是合适的。
It takes a number of years to deploy crypto and it also takes a number of years to withdraw it. Algorithms need to be withdrawn before a catastrophic break is discovered. MD2 is clearly showing signs of weakness, and implementations should strongly consider removing support and migrating to another hash algorithm.
部署crypto需要几年时间,撤销crypto也需要几年时间。在发现灾难性中断之前,需要撤销算法。显然,M2显示了弱点,并且实现应该强烈考虑移除支持并迁移到另一个哈希算法。
We'd like to thank RSA for publishing MD2. We'd also like to thank all the cryptographers who studied the algorithm. For their contributions to this document, we'd like to thank Ran Atkinson, Alfred Hoenes, John Linn, and Martin Rex.
我们要感谢RSA发布MD2。我们还要感谢所有研究该算法的密码学家。感谢Ran Atkinson、Alfred Hoenes、John Linn和Martin Rex对本文件的贡献。
[HASH-Attack] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes in Internet Protocols", RFC 4270, November 2005.
[散列攻击]Hoffman,P.和B.Schneier,“对互联网协议中加密散列的攻击”,RFC 42702005年11月。
[KMM2010] Knudsen, L., Mathiassen, J., Muller, F., and Thomsen, S., "Cryptanalysis of MD2", Journal of Cryptology, 23(1):72-90, 2010.
[KMM2010]Knudsen,L.,Mathiassen,J.,Muller,F.,和Thomsen,S.,“MD2的密码分析”,密码学杂志,23(1):72-902010。
[KNMA2005] Knudsen, L., and J. Mathiassen, "Preimage and Collision Attacks on MD2", FSE 2005.
[KNMA2005]Knudsen,L.和J.Mathiassen,“MD2的前映像和碰撞攻击”,FSE 2005。
[MD2] Kaliski, B., "The MD2 Message-Digest Algorithm", RFC 1319, April 1992.
[MD2]Kaliski,B.,“MD2消息摘要算法”,RFC 1319,1992年4月。
[MD4] Rivest, R., "The MD4 Message-Digest Algorithm", RFC 1320, April 1992.
[MD4]Rivest,R.,“MD4消息摘要算法”,RFC1320,1992年4月。
[MD5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992.
[MD5]Rivest,R.,“MD5消息摘要算法”,RFC 13211992年4月。
[MULL2004] Muller, F., "The MD2 Hash Function Is Not One-Way", ASIACRYPT, LNCS 3329, pp. 214-229, Springer, 2004.
[Muller,F.,“MD2散列函数不是单向的”,ASIACRYPT,LNCS 3329,第214-229页,Springer,2004年。
[RFC1983] Malkin, G., Ed., "Internet Users' Glossary", FYI 18, RFC 1983, August 1996.
[RFC1983]Malkin,G.,Ed.,“互联网用户词汇表”,FYI 18,RFC 1983,1996年8月。
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[RFC2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,1997年2月。
[RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC 2313, March 1998.
[RFC2313]Kaliski,B.,“PKCS#1:RSA加密版本1.5”,RFC 2313,1998年3月。
[RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax Version 1.5", RFC 2315, March 1998.
[RFC2315]Kaliski,B.,“PKCS#7:加密消息语法版本1.5”,RFC 2315,1998年3月。
[RFC2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography Specifications Version 2.0", RFC 2437, October 1998.
[RFC2437]Kaliski,B.和J.Staddon,“PKCS#1:RSA加密规范2.0版”,RFC 2437,1998年10月。
[RFC2630] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 1999.
[RFC2630]Housley,R.,“加密消息语法”,RFC2630,1999年6月。
[RFC2660] Rescorla, E. and A. Schiffman, "The Secure HyperText Transfer Protocol", RFC 2660, August 1999.
[RFC2660]Rescorla,E.和A.Schiffman,“安全超文本传输协议”,RFC 2660,1999年8月。
[RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, September 2000.
[RFC2898]Kaliski,B.,“PKCS#5:基于密码的加密规范版本2.0”,RFC 28982000年9月。
[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002.
[RFC3279]Bassham,L.,Polk,W.,和R.Housley,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)配置文件的算法和标识符”,RFC 3279,2002年4月。
[RFC3369] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369, August 2002.
[RFC3369]Housley,R.,“加密消息语法(CMS)”,RFC3369,2002年8月。
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370, August 2002.
[RFC3370]Housley,R.,“加密消息语法(CMS)算法”,RFC3370,2002年8月。
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003.
[RFC3447]Jonsson,J.和B.Kaliski,“公钥密码标准(PKCS)#1:RSA密码规范版本2.1”,RFC 3447,2003年2月。
[RFC4572] Lennox, J., "Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)", RFC 4572, July 2006.
[RFC4572]Lennox,J.,“会话描述协议(SDP)中传输层安全(TLS)协议上的面向连接的媒体传输”,RFC 4572,2006年7月。
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, September 2009.
[RFC5652]Housley,R.,“加密消息语法(CMS)”,STD 70,RFC 56522009年9月。
[ROCH1995] Rogier, N., and P. Chauvaud, "The compression function of MD2 is not collision free", Presented at Selected Areas in Cryptography '95, Carleton University, Ottawa, Canada. May 18-19, 1995.
[Rochier,N.,和P.Chauvaud,“MD2的压缩功能不是无冲突的”,发表于加拿大渥太华Carleton大学1995年密码学部分领域。1995年5月18日至19日。
[ROCH1997] Rogier, N. and P. Chauvaud, "MD2 is not secure without the checksum byte", Des. Codes Cryptogr. 12(3), 245-251 (1997).
[Rochier,N.和P.Chauvaud,“没有校验和字节,MD2是不安全的”,Des。密码加密器。12(3), 245-251 (1997).
[SHS] National Institute of Standards and Technology (NIST), FIPS Publication 180-3: Secure Hash Standard, October 2008.
[SHS]国家标准与技术研究所(NIST),FIPS出版物180-3:安全哈希标准,2008年10月。
[SP800-57] National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.
[SP800-57]国家标准与技术研究所(NIST),特别出版物800-57:关键管理建议-第1部分(修订版),2007年3月。
[SP800-131] National Institute of Standards and Technology (NIST), Special Publication 800-131: DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, June 2010.
[SP800-131]国家标准与技术研究所(NIST),专门出版物800-131:密码算法和密钥大小转换建议草案,2010年6月。
Authors' Addresses
作者地址
Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 USA
Sean Turner IECA,Inc.美国弗吉尼亚州费尔法克斯市努特利街3057号106室,邮编22031
EMail: turners@ieca.com
EMail: turners@ieca.com
Lily Chen National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA
美国马里兰州盖瑟斯堡邮政站8930号,美国马里兰州盖瑟斯堡市局道100号,Lily Chen国家标准与技术研究所,邮编20899-8930
EMail: lily.chen@nist.gov
EMail: lily.chen@nist.gov