Cet ouvrage fait partie de la bibliothèque YouScribe
Obtenez un accès à la bibliothèque pour le lire en ligne
En savoir plus

Message Freedom in MD4 and

De
81 pages
Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang's technique Revisiting Wang Message freedom The APOP attack in practice Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent Laboratoire d'Informatique de l'École Normale Supérieure, Département d'Informatique, 45 rue d'Ulm, Paris 75230 Cedex 05, France Fast Software Encryption 2007 1 / 27

  • laboratoire d'informatique de l'ecole normale

  • client-chosen randomness

  • server client

  • md5 collisions

  • authentication protocol

  • unilateral challenge-response

  • allows chosen-text


Voir plus Voir moins
Message Freedom in MD4 and MD5 Collisions. Application to APOP.
Gaëtan Leurent
APOP Description Attack
MD4/MD5 Collisions The MD4 family Collisions: Wan ’ techngiqsue Revisiting Wang Me freesdsoagme
The APOP attack in practice
1 / 27
Message
Freedom in MD Application
5
4 and MD to APOP.
Gaëtan
Leurent
Collisions.
Laboratoire d’Informatique de l’École Normale Supérieure, Département d’Informatique, 45 rue d’Ulm, Paris 75230 Cedex 05, France Gaetan.Leurent@ens.fr
Fast Software
Encryption
2007
Message Freedom in MD4 and MD5 Collisions. Application to APOP.
Gaëtan Leurent
APOP Description Attack
MD4/MD5 Collisions The MD4 family
Collisions: Wahng’s tec nique Revisiting Wang frMeeesdsoagme
The APOP attack in practice
2 /
27
Outline
1
2
3
APOP Description Attack
MD4/MD5 Collisions The MD4 family Collisions: Wang’s technique Revisiting Wang Message freedom
The
APOP
attack
in
practice
Message Freedom in MD4 and MD5 Collisions. Application to APOP.
Gaëtan Leurent
APOP Description Attack MD4/MD5 Collisions The MD4 family
Collisions: Wan ’s techngique Revisiting Wang fMressage eedom The APOP attack in practice
3 / 27
The Post Office Protocol
POP3 Standard protocol for remote access to a mailbox RFC 1460,1725,1939 (first version 1993)
Supported by virtually every mail provider and every mail user agent Widely used (tend to be replaced by IMAP)
Supported authentication command USER/PASS: plaintext password APOP: “secure” authentication AUTH Kerberos,: any IMAP authentication mechanism: GSS-API, S/Key, CRAM-MD5
Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent
APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang’s technique Revisiting Wang fMreeessdaogme The APOP attack in practice
4 / 27
APOP authentication
What is APOP? Unilateralchallenge-responseauthentication protocol based on a MAC:hk(m) =MD5(m||k)
Server
idp
Client
idp
Challenges form:>mai@mcol.48742997291211.1< Origin authentication and replay protection
First remarks hk(m) =MD5(m||k)is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness.
Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent
APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang’s technique Revisiting Wang fMessaogme reed The APOP attack in practice
4 / 27
APOP authentication
What is APOP? Unilateralchallenge-responseauthentication protocol based on a MAC:hk(m) =MD5(m||k) c Server Client
idMD5(c||pwd)
Challenges form:29.11147<12ail.com>489729@m Origin authentication and replay protection
First remarks hk(m) =MD5(m||k)is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness.
Message Freedom in MD4 and MD5 Collisions. Application to APOP. Gaëtan Leurent
APOP Description Attack MD4/MD5 Collisions The MD4 family Collisions: W ng’ a s technique Revisiting Wang Message freedom The APOP attack in practice
4 / 27
APOP authentication
What is APOP? Unilateralchallenge-responseauthentication protocol based on a MAC:hk(m) =MD5(m||k) c Server Client
idMD5(c||pwd)
Challenges form:1921<2amli27@944981.71om.c> Origin authentication and replay protection
First remarks hk(m) =MD5(m||k)is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness.
Message Freedom in MD4 and MD5 Collisions. Application to APOP.
Gaëtan Leurent
APOP
Description Attack MD4/MD5 Collisions The MD4 family Collisions: Wang s technique Revisiting Wang fMreessdage e om The APOP attack in practice
5 / 27
The APOP Attack
Attack setting Active attack
: impersonate the server
Server
Attacker
Client
No server authentication in POP. Typical scenario: open WiFi network. We can use the client to log on the server and access the mails, but the password should still be safe...
Message Freedom in MD4 and MD5 Collisions. Application to APOP.
Gaëtan Leurent
APOP Description
Attack MD4/MD5 Collisions The MD4 family
Collisions: Wan ’s techngique Revisiting Wang Messa freedogme The APOP attack in practice
6 / 27
The APOP Attack Basic idea
Basic idea: use collisions
Attacker
h1=?h2
c1
h1=MD5(c1||pwd)
c2
h2=MD5(c2||pwd)
Client
Chosen message attack: craft challenges. Choose the challenge size to isolate some part of the key in a block. Same idea as the key-recovery against the envelope method by Preneel and van Oorschot.
Un pour Un
Permettre à tous d'accéder à la lecture
Pour chaque accès à la bibliothèque, YouScribe donne un accès à une personne dans le besoin