81 pages

English

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Message Freedom in MD4 and

pefav - Gaëtan Leurent

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

81 pages

English

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

A propos
Informations
Extrait

Description

Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang's technique Revisiting Wang Message freedom The APOP attack in practice Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent Laboratoire d'Informatique de l'École Normale Supérieure, Département d'Informatique, 45 rue d'Ulm, Paris 75230 Cedex 05, France Fast Software Encryption 2007 1 / 27

laboratoire d'informatique de l'ecole normale

client-chosen randomness

server client

md5 collisions

authentication protocol

unilateral challenge-response

allows chosen-text

Sujets

Authentication protocol

Informations

Publié par	pefav
Nombre de lectures	18
Langue	English
Poids de l'ouvrage	1 Mo

Extrait

Message Freedom in MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent

APOP Description Attack

MD4/MD5 Collisions The MD4 family Collisions: Wan ’ techngiqsue Revisiting Wang Me freesdsoagme

The APOP attack in practice

1 / 27

Message

Freedom in MD Application

4 and MD to APOP.

Gaëtan

Leurent

Collisions.

Laboratoire d’Informatique de l’École Normale Supérieure, Département d’Informatique, 45 rue d’Ulm, Paris 75230 Cedex 05, France Gaetan.Leurent@ens.fr

Fast Software

Encryption

2007

Message Freedom in MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent

APOP Description Attack

MD4/MD5 Collisions The MD4 family

Collisions: Wahng’s tec nique Revisiting Wang frMeeesdsoagme

The APOP attack in practice

2 /

Outline

APOP Description Attack

MD4/MD5 Collisions The MD4 family Collisions: Wang’s technique Revisiting Wang Message freedom

The

APOP

attack

practice

Message Freedom in MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent

APOP Description Attack MD4/MD5 Collisions The MD4 family

Collisions: Wan ’s techngique Revisiting Wang fMressage eedom The APOP attack in practice

3 / 27

The Post Oﬃce Protocol

POP3 Standard protocol for remote access to a mailbox RFC 1460,1725,1939 (ﬁrst version 1993)

Supported by virtually every mail provider and every mail user agent Widely used (tend to be replaced by IMAP)

Supported authentication command USER/PASS: plaintext password APOP: “secure” authentication AUTH Kerberos,: any IMAP authentication mechanism: GSS-API, S/Key, CRAM-MD5

Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent

APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang’s technique Revisiting Wang fMreeessdaogme The APOP attack in practice

4 / 27

APOP authentication

What is APOP? Unilateralchallenge-responseauthentication protocol based on a MAC:hk(m) =MD5(m||k)

Server

id⇒p

Client

idp

Challenges form:>mai@mcol.48742997291211.1< Origin authentication and replay protection

First remarks hk(m) =MD5(m||k)is not a secure MAC: oﬄine collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness.

Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent

APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang’s technique Revisiting Wang fMessaogme reed The APOP attack in practice

4 / 27

APOP authentication

What is APOP? Unilateralchallenge-responseauthentication protocol based on a MAC:hk(m) =MD5(m||k) c Server Client

idMD5(c||pwd)

Challenges form:29.11147<12ail.com>489729@m Origin authentication and replay protection

First remarks hk(m) =MD5(m||k)is not a secure MAC: oﬄine collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness.

Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent

APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: W ng’ a s technique Revisiting Wang Message freedom The APOP attack in practice

4 / 27

APOP authentication

What is APOP? Unilateralchallenge-responseauthentication protocol based on a MAC:hk(m) =MD5(m||k) c Server Client

idMD5(c||pwd)

Challenges form:1921<2amli27@944981.71om.c> Origin authentication and replay protection

First remarks hk(m) =MD5(m||k)is not a secure MAC: oﬄine collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness.

Message Freedom in MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent

APOP

Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang s ’ technique Revisiting Wang fMreessdage e om The APOP attack in practice

5 / 27

The APOP Attack

Attack setting Active attack

: impersonate the server

Server

Attacker

Client

No server authentication in POP. Typical scenario: open WiFi network. We can use the client to log on the server and access the mails, but the password should still be safe...

Message Freedom in MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent

APOP Description

Attack MD4/MD5 Collisions The MD4 family

Collisions: Wan ’s techngique Revisiting Wang Messa freedogme The APOP attack in practice

6 / 27

The APOP Attack Basic idea

Basic idea: use collisions

Attacker

h1=?h2

h1=MD5(c1||pwd)

h2=MD5(c2||pwd)

Client

Chosen message attack: craft challenges. Choose the challenge size to isolate some part of the key in a block. Same idea as the key-recovery against the envelope method by Preneel and van Oorschot.