Africacrypt 2008: Security of Challenge and Response - Impossible Differential Attack on Hash Functions (Yu Sasaki, Lei Wang, Kazuo Ohta, Noboru Kunihiro)


1 Security of Challenge and Response: Impossible Differential Attack on Hash Functions
Yu Sasaki (1), Lei Wang (2), Kazuo Ohta (2), Noboru Kunihiro (2)
1: NTT Information Platform Laboratories, NTT Corporation
2: The University of Electro-Communications

2 Contents
  Background and our results
  How to recover a password? Basic idea; overview of our improvement
  Details of our attack
  Recent results

3 Motivation
We analyze the security of hash-based challenge/response password authentication. Classical schemes of this kind are still in use; are they practically secure?
  Server -> Client: challenge C
  Client (holding password P) -> Server: response R = Hash(C, P)
  Server: computes R by itself from C and P; if the two values are equal, the client is authenticated.

4 Classification of Schemes
  Suffix approach: R = Hash(C || P), used in APOP (e-mail fetching protocol)
  Prefix approach: R = Hash(P || C), used in CHAP (Challenge Handshake Authentication Protocol)
  Hybrid approach: R = Hash(P || C || P), proposed by Tsudik in 1992

5 Attack Model
We consider the adaptive chosen-challenge attack: the attacker plays the server, sends a chosen challenge C' to the client (holding password P), receives the response R' = Hash(C', P), and tries to recover the password. This situation can be achieved in practice, for example by hijacking routers. An attack that needs only a practical number of queries is therefore a critical issue for these protocols.

6 Known Results
                              Prefix                      Suffix                      Hybrid
Theoretical (general hash)    [PO96] (all three approaches)
Theoretical (MD4 or MD5)      [CY06] 2^61, [WOK08] 2^37   -                           [CY06] 2^61
Practical (MD4 or MD5)        -                           [L07] [SYA07] [SWOK08]      -

7 Our Results
                              Prefix                      Suffix                      Hybrid
Theoretical (general hash)    [PO96] (all three approaches)
Theoretical (MD4 or MD5)      [CY06] 2^61, [WOK08] 2^37   -                           [CY06] 2^61
Practical (MD4 or MD5)        New!! (8-octet) 2^4,        [L07] [SYA07] [SWOK08]      New!! (8-octet) 2^8
                              (12-octet) 2^10
Main target of this presentation: the practical attack on the prefix approach.

8 How to Recover a Password?
  Introduction of MD4
  Basic idea
  Previous approach
  Our approach

9 Introduction of MD4: Merkle-Damgård Structure
The input M is padded (M || 100...00 || Len) and divided into 512-bit blocks M_0, M_1, ..., M_(n-1). Starting from H_0 = IV, each block is absorbed by the compression function CF: H_(i+1) = CF(H_i, M_i), with a 128-bit chaining value; the output is H_n.
For R = MD4(P || C) the last call is R = CF(H_(n-1), last block). Our attacks need to know both R and H_(n-1), so (P || C) must fit in a single block, i.e. H_(n-1) = IV.

10 MD4 Compression Function
Input: chaining value IV = (a_0, b_0, c_0, d_0) and a 512-bit message block M_i = (m_0, m_1, ..., m_15), |m_i| = 32 bits.
If |P| = 8 octets, the block P || C || Pad is laid out as: P -> m_0, m_1; C -> m_2, ..., m_12; Pad -> m_13, m_14, m_15.
Step i+1 (i = 0, ..., 47) maps (a_i, b_i, c_i, d_i) to (a_(i+1), b_(i+1), c_(i+1), d_(i+1)) using the message word m_π(i), the Boolean function f and a left rotation by s. Steps 1-16 form the 1st round, steps 17-32 the 2nd round and steps 33-48 the 3rd round; the output H_n is derived from (a_48, b_48, c_48, d_48).

11 MD4 Message Expansion
The order π in which m_0, ..., m_15 are used (each m_i is 32 bits, i.e. 4 octets):
  Steps 1-16  (π(0)..π(15)):   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  Steps 17-32 (π(16)..π(31)):  0  4  8 12  1  5  9 13  2  6 10 14  3  7 11 15
  Steps 33-48 (π(32)..π(47)):  0  8  4 12  2 10  6 14  1  9  5 13  3 11  7 15
If |P| = 8 octets, only m_0 (= P_0-3) and m_1 (= P_4-7) are unknown; m_2 to m_15 are known to the attacker.

12 Basic Idea (1/2)
Ask C and obtain R = MD4(P || C), computed as CF(IV, (P || C || pad)) through rounds 1R, 2R, 3R. Ask C' and obtain R' = MD4(P || C'), computed as CF(IV, (P || C' || pad)). The challenge difference ΔC is chosen by the attacker; the response difference ΔR is observed. We expect the two computations to follow some differential path.

13 Basic Idea (2/2)
If (P || C) and (P || C') follow a differential path, the attacker learns information on a part of P.
Remaining tasks:
  1. How to find a good differential path?
  2. How to detect that (P || C) and (P || C') follow the path? (Only R and R' can be observed.)

14 Previous work 1 [CY06]
Path: ΔR = 0, i.e. a full collision of MD4(P || C) and MD4(P || C') over all three rounds. A randomly chosen pair collides with probability 2^-61. Detection is easy: just compare R and R'. An additional 2^45 queries are necessary to recover P.

15 Previous work 2 [WOK08]
Path: Δ2R = 0, i.e. the two computations collide after the 2nd round, while ΔR is random. A randomly chosen pair collides up to 2R with probability 2^-37. The question is how to detect a 2R-collision. An additional 2^34 queries are necessary to recover P.

16 Previous work 2 (detecting a 2R-collision)
Remember that m_2, ..., m_15 are known to the attacker. Δm is inserted in m_9, m_11 and m_13. After a 2R-collision, Δ = 0 at the start of the 3rd round, and the collision is preserved until the first of these words is used again. The last 7 steps of the 3rd round (steps 42-48) use only known words (m_9, m_5, m_13, m_3, m_11, m_7, m_15), so they can be computed inversely from R and R'; a 2R-collision is detected as equal internal states after the inverse computation.

17 Our Idea
Path: Δ1R = 0, i.e. the two computations collide after the 1st round, while ΔR is random. A random pair collides after 1R with probability 2^-4. A 1R-collision is detected similarly to the key-recovery approach of the impossible differential attack: candidates are guessed, and wrong guesses are eliminated because they lead to a difference that cannot occur.

18 Our Idea (detecting a 1R-collision)
Δm is inserted in m_7 and m_11. A 1R-collision means Δ = 0 after the 1st round. The attacker computes inversely from R and R'; during the inverse computation m_1 (used at step 41 of the 3rd round) is guessed exhaustively. Because m_7 and m_11 enter the 2nd round only at its last steps, the possible difference at the point reached by the inverse computation is very limited.

19 Overall Procedure
  1R: the differences Δm_7 and Δm_11 form a local collision (Pr = 2^-4); the password words m_0 = P_0-3 and m_1 = P_4-7 carry no difference, so no difference remains after the 1st round.
  2R: m_7 and m_11 are used only at the last steps of the 2nd round (steps 30 and 31), so the difference re-enters only there and the possible difference is very limited.
  3R: inverse computation from R and R'; m_1 (step 41) is guessed. A wrong guess reaches an impossible difference.

20 Details of our attack
  1. Recovering the password length
  2. Constructing the differential path
  3. Detecting a 1R-collision

21 Password Length Recovery on the MD Structure [WOK08]
The client computes R_1 = MD4(P || C) = CF(IV, P || C || Pad_1). The attacker guesses the password length L; then the padding of the first block, Pad_1^L, is determined. The attacker sends the challenge C || Pad_1^L || x, and the client returns R_2 = MD4(P || C || Pad_1^L || x). If the guess is right, x starts at the first bit of the 2nd block, so CF(R_1, x || Pad_2^L) = R_2, which the attacker can compute from R_1 alone. Each guess is confirmed by one query.

22 Local collision of MD4
In the 1st round of MD4, Δm_π(i) = 2^j and Δm_π(i+4) = 2^(j+s), where s is the rotation amount of the step using m_π(i), form a local collision over five consecutive steps (states (a_i, b_i, c_i, d_i) through (a_(i+6), b_(i+6), c_(i+6), d_(i+6))) for any message pair with probability 2^-4. Choose i so that m_π(i) and m_π(i+4) appear at late steps in the 2nd round (see the message order on Slide 11).

23 Detecting a 1R-collision (1/2)
The step function is invertible: from (a_(i+1), b_(i+1), c_(i+1), d_(i+1)) and the message word of the step, (a_i, b_i, c_i, d_i) can be computed. By inverse computation for step i, the following values are obtained: b_i; c_i = b_(i-1); d_i = c_(i-1) = b_(i-2); a_i = d_(i-1) = c_(i-2) = b_(i-3).
Moreover, even if the message word of a step is a password word (unknown), its difference is known (Δ = 0), so the difference of a_i = b_(i-3) can still be computed: the unknown word cancels in the modular difference.

24 Detecting a 1R-collision (2/2)
The local collision (2^-4) in the 1st round uses Δm_7 = 2^j and Δm_11 = 2^(j+s); the same words re-enter at the end of the 2nd round and in the 3rd round. If the pair is a 1R-collision, then Δb_28 = 0 and Δb_29 = 2^(j+s). Inverse computation from R and R' with the exhaustive guess of m_1 yields b_31, c_31 = b_30, d_31 = c_30 = b_29 and Δa_31 = Δd_30 = Δc_29 = Δb_28. The collision is detected by comparing Δb_29 and Δb_28 with these expected values.

25 Attack Complexity
To obtain a local collision we need 2^4 challenge pairs. For each pair we exhaustively guess m_1, i.e. try 2^32 values. For each guess we inversely compute 8 of the 48 steps. Total complexity: 2 * 2^4 * 2^32 * (8/48) <= 2^35 MD4 computations.
Remark: if (P || C) and (P || C') do not collide, they satisfy Δb_28 = 0 and Δb_29 = 2^(j+s) only with probability 2^-64, which is negligible compared with the 2^35 trials, so false detections do not occur.
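The following is an added example (not the authors' code): a step-level MD4 implementation with the three building blocks the attack uses, namely the step inversion of Slide 23 (including the fact that an unknown password word with zero difference drops out of the modular difference), the 1st-round local collision of Slide 22 instantiated with i = 7 (Δm_7 = +2^j, Δm_11 = -2^(j+19), 19 being the rotation of step 8; the sign of the second difference is chosen so that the modular differences cancel), and the one-query-per-guess password-length recovery of Slide 21. The password "hunter22", the challenge strings, j = 3 and the trial count are constructed for the demo.

```python
import random
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# pi(0..47): which message word each step uses (the three rows of Slide 11)
ORDER = (list(range(16))
         + [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
         + [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
SHIFTS = [3, 7, 11, 19] * 4 + [3, 5, 9, 13] * 4 + [3, 9, 11, 15] * 4
CONST = [0] * 16 + [0x5A827999] * 16 + [0x6ED9EBA1] * 16
FUNCS = ([lambda x, y, z: (x & y) | (~x & z)] * 16           # F (IF), round 1
         + [lambda x, y, z: (x & y) | (x & z) | (y & z)] * 16  # G (MAJ), round 2
         + [lambda x, y, z: x ^ y ^ z] * 16)                   # H (XOR), round 3

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def step(state, i, words):
    """Step i+1: the new register becomes b, the rest shift (a,b,c,d)->(d,new,b,c)."""
    a, b, c, d = state
    t = (a + FUNCS[i](b, c, d) + words[ORDER[i]] + CONST[i]) & MASK
    return (d, rotl(t, SHIFTS[i]), b, c)

def step_inverse(state, i, word):
    """Undo step i+1 given its message word (Slide 23: the step is invertible)."""
    a, b, c, d = state                      # a = old d, c = old b, d = old c
    old_a = (rotl(b, 32 - SHIFTS[i]) - FUNCS[i](c, d, a) - word - CONST[i]) & MASK
    return (old_a, c, d, a)

def run_steps(state, words, n=48):
    for i in range(n):
        state = step(state, i, words)
    return state

def md4_pad(total_len):
    return (b"\x80" + b"\x00" * ((55 - total_len) % 64)
            + struct.pack("<Q", (total_len * 8) & 0xFFFFFFFFFFFFFFFF))

def md4(data, state=IV, prior_len=0):
    """MD4(data); state/prior_len resume from a known chaining value (MD structure)."""
    msg = data + md4_pad(prior_len + len(data))
    for off in range(0, len(msg), 64):
        out = run_steps(state, struct.unpack("<16I", msg[off:off + 64]))
        state = tuple((x + y) & MASK for x, y in zip(state, out))   # feed-forward
    return struct.pack("<4I", *state)

def delta_a_without_word(state, state2, i):
    """Slide 23: the word of step i+1 is unknown (a password word) but has zero
    difference; the modular difference of the recovered a-register is still exact,
    because whatever guess is used (here 0) cancels in the subtraction."""
    return (step_inverse(state, i, 0)[0] - step_inverse(state2, i, 0)[0]) & MASK

def local_collision_rate(trials, j=3, seed=1):
    """Slide 22 with i = 7: dm7 = +2^j, dm11 = -2^(j+19). Returns the fraction of
    random blocks whose pair still collides after round 1 (expected about 2^-4)."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        m = [rng.getrandbits(32) for _ in range(16)]
        m2 = list(m)
        m2[7] = (m[7] + (1 << j)) & MASK
        m2[11] = (m[11] - (1 << (j + 19))) & MASK
        hits += run_steps(IV, m, 16) == run_steps(IV, m2, 16)
    return hits / trials

SECRET_PASSWORD = b"hunter22"      # constructed 8-octet password for the demo

def client_prefix_response(challenge):
    """Prefix-scheme client: R = MD4(P || C)."""
    return md4(SECRET_PASSWORD + challenge)

def recover_password_length(oracle, challenge, max_len=40, x=b"\x01"):
    """[WOK08], Slide 21: guess L, build Pad_1 for |P||C| = L + |C|, query
    C || Pad_1 || x and test CF(R_1, x || Pad_2) == R_2. One query per guess."""
    r1 = oracle(challenge)
    for L in range(1, max_len + 1):
        first = L + len(challenge)
        if first > 55:
            break                       # P || C || Pad_1 must be exactly one block
        pad1 = md4_pad(first)
        r2 = oracle(challenge + pad1 + x)
        if md4(x, struct.unpack("<4I", r1), first + len(pad1)) == r2:
            return L
    return None

if __name__ == "__main__":
    print("MD4(abc) =", md4(b"abc").hex())
    print("round-1 local collision rate:", local_collision_rate(4000))
    print("recovered |P| =", recover_password_length(client_prefix_response, b"challenge-0001"))
```

The local-collision rate comes out near 1/15 rather than exactly 2^-4: the step-8 carry into the rotated bits and the three IF absorptions each cost about one bit, which is the 2^-4 of the slide. The length recovery only works because the client's response exposes the full chaining value, which is exactly the property the Merkle-Damgård structure gives away and that the 3R inverse computation of the main attack also relies on.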

26 Password Recovery on Prefix, 12-octet
Now m_0, m_1 and m_2 (P_0-3, P_4-7, P_8-11) are unknown. The possible patterns of Δ increase, but a 1R-collision (Δ = 0 after the 1st round) is still detected by inverse computation from R and R' combined with the exhaustive guess of the password word met during the inversion; the possible Δ at the point reached stays limited.

27 Password Recovery on Hybrid, 8-octet
R = MD4(P || C || P): the single block consists of P_0-3, P_4-7, the challenge, P_0-3, P_4-7 again, and the padding. Δ is inserted in challenge words so that a 1R-collision gives Δ = 0 after the 1st round; inverse computation from R and R' with an exhaustive guess of 32 bits then detects it, the possible Δ again being limited.

28 Conclusion
We propose practical password recovery attacks on the prefix and hybrid approaches using MD4.
  Attack target      Queries   Off-line complexity
  Prefix, 8-octet    2^4       2^35
  Prefix, 12-octet   2^10      2^40
  Hybrid, 8-octet    2^8       2^39

29 Recent Results
The number of queries can be reduced further by using challenge quartets instead of challenge pairs. For example, Prefix, 8-octet can be attacked with only 8 queries.
Thank you for your attention!

