Network Working Group S. Turner Internet Draft IECA Updates: 1319 (once approved) June 8, 2010 Intended Status: Informational Expires: December 8, 2010 MD2 to Historic Status draft-turner-md2-to-historic-00.txt Abstract This document recommends the retirement of MD2 and discusses the reasons for doing so. This document recommends RFC 1319 be moved to Historic status. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on December 8, 2010. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. Turner Expires December 8, 2010 [Page 1] Internet-Draft MD2 to Historic Status May 2010 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 1. Introduction MD2 [MD2] is a message digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This document recommends that MD2 be retired. Specifically, this document recommends RFC 1319 [MD2] be moved to Historic status. The reasons for taking this action are discussed. 1.1. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 2. Rationale MD2 was published in 1992 as an Informational RFC. Since its publication, MD2 has been shown to not be collision free [MD2-Collisions]. In fact, RSA, in 1996, suggested that MD2 should not be used [RSA-AdviceOnMD2]. 3. Documents that Reference RFC 1319 MD2 has been specified in the following RFCs: Proposed Standard (PS): o [RFC2246] The TLS Protocol Version 1.0. o [RFC2459] Internet X.509 Public Key Infrastructure Certificate and CRL Profile. o [RFC3279] Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. Turner Expires December 8, 2010 [Page 2] Internet-Draft MD2 to Historic Status May 2010 o [RFC4572] Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP). Informational: o [RFC2313] PKCS #1: RSA Encryption Version 1.5. o [RFC2315] PKCS #7: Cryptographic Message Syntax Version 1.5. o [RFC2437] PKCS #1: RSA Cryptography Specifications Version 2.0. o [RFC2898] PKCS #5: Password-Based Cryptography Specification Version 2.0. o [RFC3447] Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1. Experimental: o [RFC2660] The Secure HyperText Transfer Protocol. Historic: o [RFC1423] Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers. 4. Impact of Moving MD2 to Historic. The impact of moving MD2 to Historic on the RFCs specified in Section 3 is minimal, as described below. Concentrating on the PS RFCs: o MD2 support in TLS was dropped in TLS 1.1. Additionally, many TLS implementations, OpenSSL, Network Security Services, and GNUTLS, have disabled support for MD2. o MD2 support is optional in [RFC4572], and SHA-1 is specified as the preferred algorithm. o MD2 is included in the original PKIX certificate profile [RFC2459] and the PKIX algorithm document [RFC3279] for compatibility with older applications, but its use is discouraged. SHA-1 is identified as the preferred algorithm for the Internet PKI. Turner Expires December 8, 2010 [Page 3] Internet-Draft MD2 to Historic Status May 2010 Looking at the Informational RFCs: o PKCS#1 [RFC2313] indicates that support MD2 is only retained for compatibility with existing applications. One of the motivations for updating PKCS#1 was to add support for algorithms such as SHA-224, SHA-256, SHA-384, and SHA-512. o PKCS#5 [RFC2898] recommends that the Password Based Encryption Scheme (PBES) that uses MD2 not be used for new applications. o PKCS#7 [RFC2315] was replaced by a series of standards track publications, "Cryptographic Message Syntax" [RFC2630] [RFC3369] [RFC3852] [RFC5652] and "Cryptographic Message Syntax (CMS) Algorithms" [RFC3370]. Support for MD2 was dropped in [RFC3370]. RFC 2818 "HTTP Over TLS", which does not reference MD2, largely supplanted implementation of RFC 2660. S/MIME has largely replaced implementations of PEM. Support for MD2 was dropped in S/MIME v3.1 [RFC3851]. 5. Recommendation Implementers have been warned for many years not to implement MD2 due to its lack of collision resistance. It is RECOMMENDED that [MD2] be moved to Historic Status. 6. IANA Considerations None. 7. Security Considerations MD2 MUST continue to be considered non-collision resistant. 8. References 8.1. Informative References [MD2] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1319, April 1992. [MD2-Collisions] Rogier, N., and P. Chauvaud, "The compression function of MD2 is not collision free." Presented at Selected Areas in Cryptography '95, Carleton University, Ottawa, Canada. May 18-19, 1995. Turner Expires December 8, 2010 [Page 4] Internet-Draft MD2 to Historic Status May 2010 [RFC1423] Balenson, T., "Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers", RFC 1423, February 1993. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2313] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", RFC 2313, March 1998. [RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax Version 1.5," RFC 2315, March 1998. [RFC2246] Dierks, T., Allen, C., "The TLS Protocol Version 1.0", RFC 2246, January 1999. [RFC2437] Kaliski, B., and J. Staddon, "PKCS #1: RSA Cryptography Specifications Version 2.0", RFC 2437, October 1998. [RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and CRL Profile", RFC 2459, January 1999. [RFC2630] Housley, R., "Cryptographic Message Syntax", RFC 2630, June 1999. [RFC2660] Rescorla, E., and A. Schiffman, "The Secure HyperText Transfer Protocol", RFC 2660, August 1999. [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, September 2000. [RFC3279] Polk, W., Housley, R., and L. Bassham, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, April 2002. [RFC3369] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3369, August 2002. [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", RFC 3370, August 2002. Turner Expires December 8, 2010 [Page 5] Internet-Draft MD2 to Historic Status May 2010 [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1" RFC 3447, February 2003. [RFC3851] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, July 2004. [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", RFC 3852, July 2004. [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)", RFC 4572, July 2006. [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 5652, August 2002. [RSA-AdviceOnMD2] Robshaw, M.J.B., "On Recent Results for MD2, MD4 and MD5", Novemeber 1996, ftp://ftp.rsasecurity.com/pub/pdfs/bulletn4.pdf Authors' Addresses Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 USA EMail: turners@ieca.com Turner Expires December 8, 2010 [Page 6]