Africacrypt 2008
Security of Challenge and Response: Impossible Differential Attack on Hash Functions
Yu Sasaki (1), Lei Wang (2), Kazuo Ohta (2), Noboru Kunihiro (2)
1: NTT Information Platform Laboratories, NTT Corporation
2: The University of Electro-Communications
Contents
- Background and our results
- How to recover a password?
  - Basic idea
  - Overview of our improvement
- Details of our attack
- Recent results
Motivation
Classical schemes are still used. We analyze the security of hash-based challenge/response password authentication.
[Figure: the server sends a challenge C to the client, which holds the password P; the client returns the response R = Hash(C, P); the server computes R by itself and authenticates if the two values are equal.]
Are they practically secure?
Classification of Schemes
- Suffix approach: R = Hash(C || P), used in APOP (mail fetching protocol)
- Prefix approach: R = Hash(P || C), used in CHAP (challenge handshake protocol)
- Hybrid approach: R = Hash(P || C || P), proposed by Tsudik in 1992
Attack Model
We consider the adaptive chosen challenge attack.
[Figure: the attacker, playing the server, sends a chosen challenge C' to the client (password P) and receives the response R' = Hash(C', P).]
This situation can be practically achieved by hijacking routers, and so on.
An attack with a practical number of queries is a critical issue for protocols.
Goal: recover the password.
Known Results
Theoretical attacks on a general hash function: [PO96].
| | Prefix | Suffix | Hybrid |
|---|---|---|---|
| Theoretical (MD4 or MD5) | [CY06] 2^61, [WOK08] 2^37 | | [CY06] 2^61 |
| Practical (MD4 or MD5) | | [L07] [SYA07] [SWOK08] | |
Our Results
Theoretical attacks on a general hash function: [PO96].
| | Prefix | Suffix | Hybrid |
|---|---|---|---|
| Theoretical (MD4 or MD5) | [CY06] 2^61, [WOK08] 2^37 | | [CY06] 2^61 |
| Practical (MD4 or MD5) | New!! 8-octet: 2^4; 12-octet: 2^10 | [L07] [SYA07] [SWOK08] | New!! 8-octet: 2^8 |
Main target of this presentation: the new attack on the prefix approach (8-octet password).
How to Recover a Password?
- Introduction of MD4
- Basic idea
- Previous approach
- Our approach
Introduction of MD4
Merkle-Damgård structure: the input M is padded (M || 100…00 || Len) and divided into blocks (M_0, M_1, …, M_{n-1}); starting from H_0 = IV, each block is processed by the compression function CF, H_{i+1} = CF(H_i, M_i), and the output is H_n.
For R = MD4(P || C) the last compression is R = CF(H_{n-1}, P || C || pad). Our attacks need to know R and H_{n-1}, so |(P || C)| must be 1 block (then H_{n-1} = IV).
MD4 Compression Function
Input: IV = (a_0, b_0, c_0, d_0) and a 512-bit message block M_i = (m_0, m_1, …, m_15) with |m_i| = 32. For our target M_i = P || C || Pad; if |P| = 8 octets: P → m_0, m_1; C → m_2, …, m_12; Pad → m_13, m_14, m_15.
[Figure: 48 steps; each step takes (a_i, b_i, c_i, d_i), adds f(·) and the message word m_(i), rotates by s and produces (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1}); (a_48, b_48, c_48, d_48) gives H_n.]
Steps 1-16: 1st round; steps 17-32: 2nd round; steps 33-48: 3rd round.
MD4 Message Expansion
[Figure: the order in which m_0 to m_15 are used in steps (0)-(15), (16)-(31) and (32)-(47), with the positions of the password words P_{0-3} = m_0 and P_{4-7} = m_1 marked in each round.]
Each m_i is 32-bit (4 octets). If |P| = 8 octets, only m_0 and m_1 are unknown; m_2 to m_15 are known to an attacker.
Basic Idea (1/2)
Ask C and obtain R = MD4(P || C): 1R, 2R, 3R applied to (IV, (P || C || pad)).
Ask C' and obtain R' = MD4(P || C'): 1R, 2R, 3R applied to (IV, (P || C' || pad)).
The challenge difference ΔC yields a response difference ΔR. Expect the two computations to follow some differential path.
Basic Idea (2/2)
If (P || C) and (P || C') follow a differential path, the attacker learns information on a part of P.
Remaining tasks:
1. How to find a good differential path?
2. How to detect that (P || C) and (P || C') follow the path? (Only R and R' can be observed.)
Previous work 1 [CY06]
[Figure: R = MD4(P || C) and R' = MD4(P || C') computed from (IV, (P || C || pad)) and (IV, (P || C' || pad)) with challenge difference ΔC.]
Path: ΔR = 0 (a full collision). A randomly chosen pair collides with probability [value not captured in the slide text]. Detection is easy: just compare R and R'. Additional 2^45 queries are necessary to recover P.
Previous work 2 [WOK08]
[Figure: same setting, with the difference cancelled at the end of 2R.]
Path: Δ2R = 0 (collision after the second round), ΔR = random. A randomly chosen pair collides until 2R with probability [value not captured in the slide text]. How to detect a 2R-collision? Additional 2^34 queries are necessary to recover P.
Previous work 2 (detect 2R-collision)
Remember, m_2 … m_15 are known to the attacker. Δm is inserted in m_9, m_11 and m_13.
[Figure: message-word order of the three rounds with the positions of P_{0-3}, P_{4-7} and of the Δm words marked.]
A 2R-collision (Δ = 0 after 2R) is preserved through the following steps until a Δm word is used again. Inversely compute the last 7 steps (their message words are known) and detect the collision.
Our Idea
[Figure: same setting, with the difference cancelled at the end of 1R.]
Path: Δ1R = 0 (collision after the first round), ΔR = random. A random pair collides with probability [value not captured in the slide text]. Detect a 1R-collision similarly to the key-recovery approach of the impossible differential attack.
Our Idea (detect 1R-collision)
Δm is inserted in m_7 and m_11. 1R-collision: Δ = 0 after 1R.
[Figure: message-word order of the three rounds, marking the region that is inversely computed, the region where the difference is limited, and the exhaustively guessed word.]
During the inverse computation, exhaustively guess m_1.
Overall Procedure
[Figure: the rounds 1R, 2R, 3R of the two computations from IV, with the password words m_0 = P_{0-3}, m_1 = P_{4-7} and the differences Δm_7, Δm_11 marked, ending at R and R'.]
- Make a local collision in 1R (Pr = 2^-4); no difference afterwards until Δm_7 and Δm_11 are used again.
- The possible difference after that is very limited.
- Inverse computation from R and R': a wrong guess reaches an impossible difference.
Details of our attack
1. Recovering the password length
2. Constructing the differential path
3. Detecting a 1R-collision
Password Length Recovery on MD Structure [WOK08]
[Figure: for challenge C the client computes R_1 = CF(IV, P || C || Pad_1^L); for the attacker's challenge C || Pad_1^L || x it computes R_2, whose second block is processed as CF(R_1, x || Pad_2^L).]
Guess the password length L; then Pad_1^L is determined. If the guess is right, x starts from the initial bit of the 2nd block, and therefore CF(R_1, x || Pad_2^L) = R_2. Each guess is confirmed by one query.
Local collision of MD4
[Figure: five consecutive round-1 steps from (a_i, b_i, c_i, d_i) to (a_{i+5}, b_{i+5}, c_{i+5}, d_{i+5}) with message words m_(i), …, m_(i+4); the difference 2^j enters with m_(i), becomes 2^{j+s} after the rotation by s, and is cancelled by m_(i+4).]
In the 1R of MD4, Δm_(i) = 2^j and Δm_(i+4) = 2^{j+s} form a local collision for any message pair with Pr. = 2^-4. Choose i so that m_(i) and m_(i+4) appear at late steps in the 2R.
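Added example (not from the paper or the slides): a Monte Carlo check of the round-1 local collision over random states and message words. The slide writes both differences as powers of two; the block assumes modular differences, +2^j in m_i and -2^(j+s) in m_{i+4}, the sign that cancels in the step-(i+4) addition. With i = 7 (the slide's m_7, m_11 pair) and j = 5 the observed rate comes out near 2^-4.

```python
import random

MASK = 0xFFFFFFFF
SHIFT1 = (3, 7, 11, 19)   # round-1 rotation amounts; step i uses SHIFT1[i % 4]

def rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def F(x, y, z):
    # round-1 Boolean function of MD4
    return (x & y) | (~x & z & MASK)

def round1_steps(state, m, first, last):
    """Run round-1 steps first..last (0-based, inclusive) from an arbitrary state.
    Registers are kept as (a, b, c, d) with b the register the step just produced."""
    a, b, c, d = state
    for i in range(first, last + 1):
        t = (a + F(b, c, d) + m[i]) & MASK
        a, b, c, d = d, rotl(t, SHIFT1[i % 4]), b, c
    return (a, b, c, d)

def local_collision_hit(i, j, rng):
    """One constructed trial: random state and words; the second message carries the
    modular differences +2^j in m_i and -2^(j+s) in m_{i+4}. True if the states
    agree again after step i+4, i.e. the pair followed the local collision."""
    state = tuple(rng.getrandbits(32) for _ in range(4))
    m = [rng.getrandbits(32) for _ in range(16)]
    m2 = list(m)
    s = SHIFT1[i % 4]
    m2[i] = (m[i] + (1 << j)) & MASK
    m2[i + 4] = (m[i + 4] - (1 << (j + s))) & MASK
    return round1_steps(state, m, i, i + 4) == round1_steps(state, m2, i, i + 4)

def local_collision_rate(i=7, j=5, trials=20000, seed=2008):
    """Fraction of random pairs that follow the local collision; expect roughly 2^-4
    (the rotated difference must be absorbed by F in three consecutive steps)."""
    rng = random.Random(seed)
    hits = sum(local_collision_hit(i, j, rng) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print("observed rate %.4f, 2^-4 = %.4f" % (local_collision_rate(), 2 ** -4))
```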
Detecting a 1R-collision (1/2)
The step function is invertible.
[Figure: step i maps (a_i, b_i, c_i, d_i) with message word m_(i) to (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1}); if the output state and the message word are known, the input state is known.]
Moreover, even if the message word is part of the password (unknown, but Δm = 0), Δa_i = Δb_{i-3} can be computed.
By inverse computation for step i, the following can be computed: b_i; c_i = b_{i-1}; d_i = c_{i-1} = b_{i-2}; a_i = d_{i-1} = c_{i-2} = b_{i-3}.
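Added example (not from the paper or the slides) serving the message-expansion slide, the "inversely compute the last 7 steps" remark and this slide: a compact MD4 step function with its exact inverse, using the standard MD4 word order, rotations and constants, validated against the RFC 1320 test vectors. `invert_tail` (a name chosen here) walks back from a one-block digest through every step whose word is known; with m_0 and m_1 as the password words it stops at m_1's round-3 use, after undoing 7 steps. Steps are numbered 0..47 here, unlike the slides' 1-based count.

```python
MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# Word order, rotation amounts, constants and Boolean functions of the 3 MD4 rounds.
ORDER = (list(range(16)),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
SHIFT = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
CONST = (0, 0x5A827999, 0x6ED9EBA1)
FUNC = (lambda x, y, z: (x & y) | (~x & z & MASK),
        lambda x, y, z: (x & y) | (x & z) | (y & z),
        lambda x, y, z: x ^ y ^ z)

def rotl(x, s): return ((x << s) | (x >> (32 - s))) & MASK
def rotr(x, s): return ((x >> s) | (x << (32 - s))) & MASK
def word_at(k): return ORDER[k // 16][k % 16]   # message word m_k used by step k (0..47)

def step(state, m, k):
    """Forward step k; the state is kept as (a, b, c, d) with b the newest register."""
    r, (a, b, c, d) = k // 16, state
    t = (a + FUNC[r](b, c, d) + m[word_at(k)] + CONST[r]) & MASK
    return (d, rotl(t, SHIFT[r][k % 4]), b, c)

def unstep(state, m, k):
    """Inverse of step k: undo the rotation and the modular sum using only m_k."""
    r, (a, b, c, d) = k // 16, state
    t = rotr(b, SHIFT[r][k % 4])
    return ((t - FUNC[r](c, d, a) - m[word_at(k)] - CONST[r]) & MASK, c, d, a)

def compress(iv, m):
    state = iv
    for k in range(48):
        state = step(state, m, k)
    return tuple((x + y) & MASK for x, y in zip(state, iv))   # feed-forward

def md4_hex(msg):
    """Full MD4 over bytes; only used to validate the step function against RFC 1320."""
    data = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + (8 * len(msg)).to_bytes(8, "little")
    h = IV
    for off in range(0, len(data), 64):
        h = compress(h, [int.from_bytes(data[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)])
    return b"".join(x.to_bytes(4, "little") for x in h).hex()

def invert_tail(digest, m, unknown=(0, 1)):
    """Undo steps 47, 46, ... of a one-block MD4 while the step's word is known;
    returns (recovered state, first step that could not be undone)."""
    state = tuple((x - y) & MASK for x, y in zip(digest, IV))
    k = 47
    while k >= 0 and word_at(k) not in unknown:
        state, k = unstep(state, m, k), k - 1
    return state, k
```

The inverse walk needs the chaining value (here IV, since the block is the first one), which is why the slides require P || C to fit in a single block.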
Detecting a 1R-collision (2/2)
[Figure: message-word order of the three rounds with the local collision (2^-4) in 1R, the positions of the differences 2^j and 2^{j+s} in the later rounds, and the exhaustively guessed word marked.]
If the pair follows the path, Δb_28 = 0 and Δb_29 = 2^{j+s}. Since a_31 = d_30 = c_29 = b_28, c_31 = b_30 and d_31 = c_30 = b_29, the collision is detected by comparing Δb_29 and Δb_28.
Attack Complexity
To obtain a local collision, we need 2^4 challenge pairs. For each pair, we exhaustively guess m_1, so we try 2^32 values. For each guess, we inversely compute Steps 38 to 31, i.e. 8/48 steps. Total complexity: 2 · 2^4 · 2^32 · (8/48) ≤ 2^35 MD4 computations.
Remark: If (P || C) and (P || C') do not collide, they satisfy Δb_28 = 0, Δb_29 = 2^{j+s} with probability [value not captured in the slide text], which is very low compared to 2^35.
Password Recovery on Prefix, 12-octet
The possible patterns of Δ increase, but they are still detected by inverse computation.
[Figure: message-word order of the three rounds with P_{0-3}, P_{4-7}, P_{8-11} unknown and the regions "inversely compute", "limited" and "exhaustive guess" marked.]
1R-collision: Δ = 0 after 1R.
Password Recovery on Hybrid, 8-octet
[Figure: block layout P_{0-3} P_{4-7} | Challenge | P_{0-3} P_{4-7} | Padding, and the message-word order of the three rounds with the regions "inversely compute", "limited" and "exhaustive guess (32 bits)" marked.]
1R-collision: Δ = 0 after 1R.
Conclusion
We propose practical password recovery attacks on the prefix and hybrid approaches using MD4.
[Table: attack target / queries / off-line complexity for Prefix 8-octet, Prefix 12-octet and Hybrid 8-octet; the cell values were not captured in the slide text.]
Recent Results
The number of queries can be reduced: use challenge-quartets instead of challenge-pairs. For example, Prefix 8-octet can be attacked with only 8 queries.
Thank you for your attention!!