Africacrypt 2008

Impossible Differential Attack on Hash Functions
Security of Challenge and Response

Yu Sasaki (1), Lei Wang (2), Kazuo Ohta (2), Noboru Kunihiro (2)
1: NTT Information Platform Laboratories, NTT Corporation
2: The University of Electro-Communications
Contents
• Background and our results
• How to recover a password?
• Basic idea
• Overview of our improvement
• Details of our attack
• Recent results
Motivation
• Analyze the security of hash-based challenge/response password authentication.
• The protocol (client and server share the password P):
  Server → Client: challenge C
  Client: R = Hash(C, P)
  Client → Server: response R
  Server: computes R by itself; if the two values are equal, authenticates.
• Are they practically secure? Classical schemes are still used.
Classification of Schemes
• Suffix approach: R = Hash(C || P)
  - used in APOP (e-mail fetching protocol)
• Prefix approach: R = Hash(P || C)
  - used in CHAP (challenge handshake protocol)
• Hybrid approach: R = Hash(P || C || P)
  - proposed by Tsudik in 1992
Attack Model
• We consider the adaptive chosen challenge attack: the attacker takes the server's place, sends a chosen challenge C’ to the client (holding password P), receives the response R’ = Hash(C’, P), and tries to recover the password.
• This situation can be practically achieved by hijacking routers, and so on.
• An attack with a practical number of queries is a critical issue for protocols.
Known Results

                             Prefix                     Suffix                    Hybrid
Theoretical (general hash)   [PO96]                                               [PO96]
Theoretical (MD4 or MD5)     [CY06] 2^61, [WOK08] 2^37                            [CY06] 2^61
Practical (MD4 or MD5)                                  [L07] [SYA07] [SWOK08]
Our Results

                             Prefix                     Suffix                    Hybrid
Theoretical (general hash)   [PO96]                                               [PO96]
Theoretical (MD4 or MD5)     [CY06] 2^61, [WOK08] 2^37                            [CY06] 2^61
Practical (MD4 or MD5)       New !! (8-octet) 2^4       [L07] [SYA07] [SWOK08]    New !! (8-octet) 2^8
                             (12-octet) 2^10
(New !!: main target of this presentation)
How to Recover a Password?
• Introduction of MD4
• Basic idea
• Previous approach
• Our approach
Introduction of MD4: Merkle-Damgård Structure
• The input M is padded (M* = M || 100…00 || Len) and divided into 512-bit blocks (M0, M1, …, Mn-1).
• H0 = IV, Hi+1 = CF(Hi, Mi), where CF is the compression function and each Hi is 128 bits; Hn is the hash value.
• In the prefix scheme the hashed message is (P || C), so the last block is (P || C || pad) and R = CF(Hn-1, (P || C || pad)).
• Our attacks need to know R and Hn-1, so |(P || C)| must be 1-block (then Hn-1 = IV).
MD4 Compression Function
• Input chaining value IV = (a0, b0, c0, d0); input message block Mi (512-bit) = (m0, m1, …, m15), |mi| = 32.
• 48 steps; step i adds one message word m(π(i)), applies a Boolean function f and a rotation <<< s, and maps (ai-1, bi-1, ci-1, di-1) to (ai, bi, ci, di); the output (a48, b48, c48, d48) gives Hn.
  - Steps 1-16: 1st Round
  - Steps 17-32: 2nd Round
  - Steps 33-48: 3rd Round
• The block is P || C || Pad. If |P| = 8-octet:
  - P → m0, m1
  - C → m2, …, m12
  - Pad → m13, m14, m15
MD4 Message Expansion
• m0 to m15 are used in this order (each mi is 32-bit, 4-octet):
  π(0) … π(15):  0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
  π(16) … π(31): 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15
  π(32) … π(47): 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15
• If |P| = 8-octet: only m0 (= P0-3) and m1 (= P4-7) are unknown; m2 to m15 are known to an attacker.
12
• Ask C and obtain R.
Basic Idea (1/2)
3R
R=MD4( P || C )
2R
1R
(IV, (P || C || pad)) • Ask C’ and obtain R’.
3R
R’=MD4( P || C’ )
2R
1R
(IV, (P || C’ || pad)) C
R
Expect two computations follow some differential path.
Africacrypt 2008Africacrypt 2008
Basic Idea (2/2)
• If (P||C) and (P||C’) follow a differential path, the attacker can learn information on a part of P.
• Remaining tasks:
  1. How to find a good differential path?
  2. How to detect that (P||C) and (P||C’) follow the path? (Only R and R’ can be observed.)
Previous work 1 [CY06]
• Differential path: full collision, ΔR = 0 (no difference left after the 3R).
• A randomly chosen pair collides with probability 2^-61.
• Detection is easy: just compare R and R’.
• Additional 2^45 queries are necessary to recover P.
Previous work 2 [WOK08]
• Differential path: 2R-collision, Δ2R = 0 (no difference after the 2nd round), ΔR = random.
• A randomly chosen pair collides until 2R with prob. 2^-37.
• How to detect a 2R-collision?
• Additional 2^34 queries are necessary to recover P.
Previous work 2 (detect 2R-collision)
• Remember, m2 … m15 are known to the attacker.
• Δm is inserted to m9, m11, and m13. After a 2R-collision (Δ = 0 at the end of the 2nd round), the collision is preserved through the 3rd round until the first step that uses a word with a difference.
• 3rd-round order: 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15. The last 7 words (9 5 13 3 11 7 15) contain m9, m11, m13 and neither m0 (= P0-3) nor m1 (= P4-7), so the attacker inversely computes the last 7 steps from R and R’ and detects a collision.
Our Idea
• Differential path: 1R-collision, Δ1R = 0 (no difference after the 1st round), ΔR = random.
• A random pair collides after 1R with probability 2^-4.
• Detect a 1R-collision similarly to the key recovery approach of the Impossible Differential Attack.
Our Idea (detect 1R-collision)
• Δm is inserted to m7 and m11.
• 2nd-round order: 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15. m7 and m11 are the 14th and 15th words, so the difference at the end of 2R is limited.
• 3rd-round order: 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15. Inversely compute from R, R’ through the 3rd round; during inverse computation, exhaustively guess m1 (= P4-7).
Overall Procedure
• 1R: m0 (= P0-3) and m1 (= P4-7) are unknown; Δm7 and Δm11 make a local collision (Pr = 2^-4), so there is no difference at the end of 1R.
• 2R: Δm7 and Δm11 enter only at the last steps, so the possible difference at the end of 2R is very limited.
• 3R: inverse computation from R, R’, guessing m1 exhaustively.
• A wrong guess reaches an impossible difference.
Details of our attack
1. Recovering password length
2. Constructing differential path
3. Detecting an 1R-collision
Password Length Recovery on MD Structure [WOK08]
• Attacker → Client: C. Client → Attacker: R1 = CF(IV, P || C || Pad1).
• Guess the password length L. Then Pad1_L (the padding for that length) is determined.
• Attacker → Client: C || Pad1_L || x. Client → Attacker: R2.
• If the guess is right, x starts from the initial bit of the 2nd block, so R2 = CF(R1, x || Pad2_L).
• Therefore, checking CF(R1, x || Pad2_L) = R2 confirms the guess. Each guess is confirmed by one query.
Local collision of MD4
• Step i adds m(π(i)) and rotates by s: a difference 2^j in m(π(i)) becomes 2^(j+s) in the new register (Pr. 2^-1), passes the Boolean function f of the next three steps without spreading (Pr. 2^-1 each), and is cancelled by the difference 2^(j+s) in m(π(i+4)) four steps later.
• In the 1R of MD4, Δm(π(i)) = 2^j and Δm(π(i+4)) = 2^(j+s) form a local collision for any message pair with Pr. = 2^-4.
• Choose i so that m(π(i)) and m(π(i+4)) appear at late steps in the 2R:
  1R: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
  2R: 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15
  3R: 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15
  With i = 7, the words m7 and m11 are the 14th and 15th words of the 2R.
Detecting an 1R-collision (1/2)
• The step function is invertible: from the known output (ai+1, bi+1, ci+1, di+1) and the message word of step i, the input (ai, bi, ci, di) is known.
• By inverse computation for step i, the following can be computed:
  bi, ci = bi-1, di = ci-1 = bi-2, ai = di-1 = ci-2 = bi-3.
• Moreover, even if the message word of the step is (a part of) the password, bi, ci, di are still known, and the difference Δai (= Δbi-3) can be computed: the unknown word is the same in both computations, so it cancels in the modular difference.
Detecting an 1R-collision (2/2)
• Δm7 = 2^j and Δm11 = 2^(j+s) give the local collision in 1R (Pr. 2^-4); in 2R (order 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15) they are used only at the last steps, so at the end of the 2nd round Δb28 = 0 and Δb29 = 2^(j+s).
• In 3R (order 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15), m0 is used first and m1 ninth. Inversely compute from R and R’, exhaustively guessing m1; the step using m0 still yields the difference of its a input.
• At the end of the 2nd round: Δa31 = Δd30 = Δc29 = Δb28, Δb31, Δc31 = Δb30, Δd31 = Δc30 = Δb29.
• Collision is detected by comparing Δb29 and Δb28 with their expected values (2^(j+s) and 0).
Attack Complexity
• To obtain a local collision, we need 2^4 challenge pairs.
• For each pair, we exhaustively guess m1, so try 2^32 values.
• For each guess, we inversely compute Steps 38 to 31, i.e. 8/48 steps.
• Total complexity is 2 * 2^4 * 2^32 * (8/48) ≤ 2^35 MD4 computations.
Remark: If (P||C) and (P||C’) do not collide, they satisfy Δb28 = 0, Δb29 = 2^(j+s) with prob. 2^-64, which is very low compared to 2^35.
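As an added worked example (not code from the paper), the local collision, the step inversion with the unknown password word, and the impossible-differential check of the preceding slides, in Python on an MD4 block function written from scratch. It assumes the prefix 8-octet setting (P = m0, m1), numbers the steps 0..47, writes the compensating word difference modularly as -2^(j+19) so that the two additions cancel, and uses random words, constructed in `sample_challenges`, as password and challenges.

```python
import random

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# message word consumed at each of the 48 steps: the three rows of the expansion table
ORDER = (list(range(16)) + [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
         + [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
SHIFT = [3, 7, 11, 19] * 4 + [3, 5, 9, 13] * 4 + [3, 9, 11, 15] * 4
K = (0, 0x5A827999, 0x6ED9EBA1)  # round constants
def rotl(x, s): return ((x << s) | (x >> (32 - s))) & MASK
def f(i, b, c, d):  # IF in round 1, MAJ in round 2, XOR in round 3
    return ((b & c) | (~b & d), (b & c) | (b & d) | (c & d), b ^ c ^ d)[i // 16] & MASK
def step(st, i, m):  # forward step i; the registers rotate (a, b, c, d) -> (d, new, b, c)
    a, b, c, d = st
    return (d, rotl((a + f(i, b, c, d) + m + K[i // 16]) & MASK, SHIFT[i]), b, c)
def unstep(st, i, m):  # exact inverse of step i; only the recovered a needs the message word
    a1, b1, c1, d1 = st
    b, c, d = c1, d1, a1
    return ((rotl(b1, 32 - SHIFT[i]) - f(i, b, c, d) - m - K[i // 16]) & MASK, b, c, d)
def run(words, steps=48):  # internal state after the first `steps` steps of one block
    st = IV
    for i in range(steps):
        st = step(st, i, words[ORDER[i]])
    return st
def md4_cf(words):  # the response R = CF(IV, P||C||pad): 48 steps plus the feed-forward of IV
    return tuple((x + y) & MASK for x, y in zip(run(words), IV))

def challenge_pair(words, j):  # C': +2^j in m7 and -2^(j+19) in m11 (1R local collision, Pr ~ 2^-4)
    w = list(words)
    w[7], w[11] = (w[7] + (1 << j)) & MASK, (w[11] - (1 << (j + SHIFT[7]))) & MASK
    return w

def filter_passes(R1, R2, words1, words2, m1_guess, j):
    """Invert steps 47..33 (m1 enters at step 40: the guess) and step 32, whose word m0 is unknown but
    equal in both runs and so cancels in the modular difference; then expect delta b28 = 0, delta b29 = 2^(j+s)."""
    st1, st2 = (tuple((x - y) & MASK for x, y in zip(R, IV)) for R in (R1, R2))  # IV = Hn-1 is known
    for i in range(47, 32, -1):
        st1 = unstep(st1, i, m1_guess if ORDER[i] == 1 else words1[ORDER[i]])
        st2 = unstep(st2, i, m1_guess if ORDER[i] == 1 else words2[ORDER[i]])
    st1, st2 = unstep(st1, 32, 0), unstep(st2, 32, 0)  # m0 := 0 in both; the true m0 cancels
    return (st2[0] - st1[0]) & MASK == 0 and (st2[3] - st1[3]) & MASK == 1 << (j + SHIFT[29])

def sample_challenges(pairs=4096, seed=1, j=4):
    """Fixed random password (m0, m1) and random challenges (constructed): return the fraction of
    pairs whose round-1 states agree (about 2^-4) and the first such pair."""
    rng = random.Random(seed)
    pw = [rng.getrandbits(32) for _ in range(2)]
    hits, first = 0, None
    for _ in range(pairs):
        words = pw + [rng.getrandbits(32) for _ in range(14)]
        words2 = challenge_pair(words, j)
        if run(words, 16) == run(words2, 16):
            hits, first = hits + 1, first or (words, words2)
    return hits / pairs, first
```

`filter_passes` is the per-guess check that the 2^32 loop of the complexity slide repeats; with the right m1 it accepts a 1R-colliding pair, and a wrong guess or a non-colliding pair lands on the impossible difference.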
Password Recovery on Prefix, 12-octet
• Now P occupies m0, m1, m2 (P0-3, P4-7, P8-11), so three words are unknown in each round.
• The possible patterns of Δ are increased, but a 1R-collision is still detected by inverse computation with an exhaustive guess.
Password Recovery on Hybrid, 8-octet
• R = Hash(P || C || P): P0-3, P4-7 occupy m0, m1 and appear again after the challenge, followed by the padding.
• The possible Δ is still limited, and a 1R-collision is detected by inverse computation with an exhaustive guess (32 bits).
Conclusion
We propose practical password recovery attacks on prefix and hybrid using MD4.

Attack target       Queries   Off-line complexity
Prefix, 8-octet     2^4       2^35
Prefix, 12-octet    2^10      2^40
Hybrid, 8-octet     2^8       2^39
Recent Results
• Number of queries can be reduced: use challenge-quartets instead of challenge-pairs.
• For example, Prefix, 8-octet can be attacked with only 8 queries.

Thank you for your attention !!