Africacrypt 2008
Security of Challenge and Response:
Impossible Differential Attack on Hash Functions
Yu Sasaki (1), Lei Wang (2), Kazuo Ohta (2), Noboru Kunihiro (2)
1: NTT Information Platform Laboratories, NTT Corporation
2: The University of Electro-Communications
Contents
• Background and our results
• How to recover a password? Basic idea; overview of our improvement
• Details of our attack
• Recent results
Motivation
• Analyze the security of hash-based challenge/response password authentication.
• Client and Server both hold the password P:
    Server -> Client: challenge C
    Client: R = Hash(C, P)
    Client -> Server: response R
    Server: computes R by itself; if the two values are equal, the client is authenticated.
• Classical schemes are still used. Are they practically secure?
Classification of Schemes
• Suffix approach: R = Hash(C || P)
  - used in APOP (e-mail fetching protocol)
• Prefix approach: R = Hash(P || C)
  - used in CHAP (challenge handshake protocol)
• Hybrid approach: R = Hash(P || C || P)
  - proposed by Tsudik in 1992
Attack Model
• We consider the adaptive chosen challenge attack: the attacker takes the server's place, sends a chosen challenge C' to the client (password P) and receives R' = Hash(C', P). The goal is to recover the password.
• This situation can be practically achieved by hijacking routers, and so on.
• An attack with a practical number of queries is a critical issue for protocols.
Known Results

Attack type                 Prefix                      Suffix                    Hybrid
Theoretical (general hash)  [PO96]                      -                         [PO96]
Theoretical (MD4 or MD5)    [CY06] 2^61                 -                         [CY06] 2^61
                            [WOK08] 2^37
Practical (MD4 or MD5)      -                           [L07] [SYA07] [SWOK08]    -

Our Results

Attack type                 Prefix                      Suffix                    Hybrid
Theoretical (general hash)  [PO96]                      -                         [PO96]
Theoretical (MD4 or MD5)    [CY06] 2^61                 -                         [CY06] 2^61
                            [WOK08] 2^37
Practical (MD4 or MD5)      New!! 8-octet: 2^4          [L07] [SYA07] [SWOK08]    New!! 8-octet: 2^8
                            12-octet: 2^10

Main target of this presentation: Prefix, 8-octet.
How to Recover a Password?
• Introduction of MD4
• Basic idea
• Previous approach
• Our approach
Introduction of MD4: Merkle-Damgard Structure
• The input M is padded, M* = M || 100...00 || Len, and divided into 512-bit blocks (M0, M1, ..., Mn-1).
• Starting from H0 = IV, each block is absorbed by the compression function CF: Hi+1 = CF(Hi, Mi), with 128-bit chaining values; the output is Hn.
• For a one-block input (P || C): R = CF(IV, P || C || pad), i.e. Hn-1 = IV.
• Our attacks need to know R and Hn-1, so |(P || C)| must be 1 block.
MD4 Compression Function
• Input: chaining value IV = (a0, b0, c0, d0) and a 512-bit message block Mi = (m0, m1, ..., m15), |mi| = 32.
• 48 steps: step i updates (a_{i-1}, b_{i-1}, c_{i-1}, d_{i-1}) to (a_i, b_i, c_i, d_i) using one expanded message word, a Boolean function f and a rotation <<< s (m(0) is used in the first step, m(47) in the last); the output Hn is computed from (a48, b48, c48, d48).
• Steps 1-16: 1st round. Steps 17-32: 2nd round. Steps 33-48: 3rd round.
• Block layout in the prefix approach: P || C || Pad. If |P| = 8 octets: P -> m0, m1; C -> m2, ..., m12; Pad -> m13, m14, m15.
MD4 Message Expansion
• Each mi is 32-bit, 4-octet. The words m0 to m15 are used in this order (expanded word index in parentheses):
  1st round, m(0)..m(15):   0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
  2nd round, m(16)..m(31):  0  4  8 12  1  5  9 13  2  6 10 14  3  7 11 15
  3rd round, m(32)..m(47):  0  8  4 12  2 10  6 14  1  9  5 13  3 11  7 15
• If |P| = 8 octets: only m0 (= P0-3) and m1 (= P4-7) are unknown; m2 to m15 are known to the attacker.
Basic Idea (1/2)
• Ask C and obtain R = MD4(P || C) = CF(IV, (P || C || pad)), computed through 1R, 2R and 3R.
• Ask C' and obtain R' = MD4(P || C') = CF(IV, (P || C' || pad)).
• The two inputs differ by ΔC in the challenge words and the outputs by ΔR. Expect the two computations to follow some differential path.
Basic Idea (2/2)
• If (P || C) and (P || C') follow a differential path, the attacker learns information about a part of P.
• Remaining tasks:
  1. How to find a good differential path?
  2. How to detect that (P || C) and (P || C') follow the path? (Only R and R' can be observed.)
Previous work 1 [CY06]
• Differential path: ΔC in the challenge, ΔR = 0, i.e. a full collision of MD4(P || C) and MD4(P || C').
• A randomly chosen pair collides with probability 2^-61.
• Detection is easy: just compare R and R'.
• Additional 2^45 queries are necessary to recover P.
Previous work 2 [WOK08]
• Differential path: ΔC in the challenge, Δ2R = 0 (collision at the end of the 2nd round), ΔR = random.
• A randomly chosen pair collides until 2R with prob. 2^-37.
• How to detect a 2R-collision?
• Additional 2^34 queries are necessary to recover P.
Previous work 2 (detect 2R-collision)
• Remember, m2 to m15 are known to the attacker.
• Δm is inserted into m9, m11 and m13. In the 3rd round (order 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15) these words are used only in the last 7 steps, so Δ2R = 0 means the collision is preserved up to those steps.
• Inversely compute the last 7 steps from R and R' (all of their message words are known) and detect the collision in the recovered intermediate state.
Our Idea
• Differential path: ΔC in the challenge, Δ1R = 0 (collision at the end of the 1st round only), ΔR = random.
• A random pair collides after 1R with probability 2^-4.
• Detect a 1R-collision similarly to the key recovery approach of the impossible differential attack: guess the unknown (password) word, compute backwards, and discard guesses that reach an impossible difference.
Our Idea (detect 1R-collision)
• Δm is inserted into m7 and m11, giving Δ1R = 0.
• m7 and m11 are used again only at the end of the 2nd round (positions 14 and 15 of the 2R order 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15); computing the 3rd round backwards, m1 (= P4-7) is reached before m0 (= P0-3).
• Inversely compute from R and R' with the known words; during the inverse computation, exhaustively guess m1. The possible difference at the state reached is limited.
Overall Procedure
• 1R: Δm7 and Δm11 make a local collision (Pr = 2^-4); m0 = P0-3 and m1 = P4-7 enter here as the unknown words.
• 2R: no difference until m7 and m11 are used again, late in the round.
• 3R: inverse computation from R and R', with m1 guessed and m0 handled through its difference only.
• The possible difference at the boundary is very limited; a wrong guess reaches an impossible difference.
Details of our attack
1. Recovering password length
2. Constructing differential path
3. Detecting a 1R-collision
Password Length Recovery on MD Structure [WOK08]
• First query: the attacker sends C, the client returns R1 = CF(IV, P || C || Pad1).
• Guess the password length L. Then Pad1_L (the padding of an (L + |C|)-octet message) is determined.
• Second query: the attacker sends C || Pad1_L || x, the client returns R2.
• If the guess is right, x starts from the initial bit of the 2nd block, so the client computed R2 = CF(R1, x || Pad2_L); the attacker checks this equation with the observed R1.
• Each guess is confirmed by one query.
Local Collision of MD4
• Consider steps i to i+4 of 1R, with message words m(i), ..., m(i+4); each step rotates by s and uses the Boolean function f.
• Δm(i) = 2^j enters at step i and leaves a difference 2^{j+s} in the updated register. In each of the following steps that difference has to be absorbed by f (probability 2^-1 per condition, four conditions in total); at step i+4 the difference Δm(i+4) = 2^{j+s}, chosen to cancel it, removes it from the state.
• In the 1R of MD4, Δm(i) = 2^j and Δm(i+4) = 2^{j+s} thus form a local collision for any message pair with Pr. = 2^-4.
• Choose i so that m(i) and m(i+4) appear in late steps of the 2R (2R order: 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15; i = 7 puts m7 and m11 at its 14th and 15th steps).
Detecting a 1R-collision (1/2)
• The step function is invertible: a step computes the new b register as (a + f(b, c, d) + m + constant) <<< s and moves the other three registers along (new a = old d, new c = old b, new d = old c). Given the state after the step and the message word m, the state before it is recovered exactly; when m is known, all four registers are known.
• Hence, by inverse computation for step i, the registers of the recovered state are all earlier b values: b_i; c_i = b_{i-1}; d_i = c_{i-1} = b_{i-2}; a_i = d_{i-1} = c_{i-2} = b_{i-3}.
• Moreover, even if the message word is the password (unknown, but the same in both computations, so Δm = 0), the difference Δa_i = Δb_{i-3} can still be computed: subtracting the two inverted a values cancels the unknown word, and the other three registers are known in both computations.
Detecting a 1R-collision (2/2)
• Δm7 = 2^j and Δm11 = 2^{j+s} give the local collision in 1R (probability 2^-4); no other word has a difference, so in 2R the first difference appears at the step that uses m7 (the 14th step of the round, whose rotation is again written s).
• Inverse computation from R and R': the 3R steps with known words are inverted directly, m1 (= P4-7) is guessed exhaustively when its step is reached, and at the step using m0 (= P0-3) only the difference of a is computed.
• Registers of the state reached, as earlier b values: a31 = d30 = c29 = b28; b31; c31 = b30; d31 = c30 = b29.
• For a 1R-collision, Δb28 = 0 (before m7 is used in 2R) and Δb29 = 2^{j+s} (just after it). The collision is detected by comparing the differences of b29 and b28 with these values; only the right guess of m1 reproduces them.
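The local collision and the inverse-computation check above, as an added example written for this page in Python (not the authors' code): it implements one-block MD4 with the message expansion from the slides, measures how often a challenge pair with Δm7 = 2^j, Δm11 = -2^(j+19) collides after 1R, and then runs the attacker's detection from R, R', C, C' alone, inverting 3R with m1 guessed and taking only the difference across the step that uses m0. Assumptions not in the slides: an 8-octet constructed password, 44-octet challenges (so C occupies m2..m12), j = 3, modular differences with the sign of Δm11 chosen to cancel the m7 difference, and states numbered by the number of steps applied (S_0 = IV, S_48 = final), so the slides' Δb28 = 0 and Δb29 = 2^{j+s} become Δa_32 = 0 and Δd_32 = 2^(j+5) here. Instead of the full 2^32 guess loop, the demo feeds the detector the right m1 and three wrong ones; it goes beyond the slide by showing the end-to-end check actually accepting and rejecting.

```python
# Added example (not the authors' code): one-block MD4, the round-1 local collision
# with differences in m7/m11, and the 1R-collision check by inverse computation.
# States are numbered by steps applied (S_0 = IV, S_48 = final); j = 3 is our choice.
import os
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
J = 3  # bit position j of the inserted difference (constructed choice)

def rotl(x, s): return ((x << s) | (x >> (32 - s))) & MASK
def rotr(x, s): return ((x >> s) | (x << (32 - s))) & MASK
def F(x, y, z): return (x & y) | (~x & z & MASK)
def G(x, y, z): return (x & y) | (x & z) | (y & z)
def H(x, y, z): return x ^ y ^ z

# Message expansion from the slides: step k (0..47) uses m[ORDER[k]], rotation SHIFT[k].
ORDER = (list(range(16)) + [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
         + [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
SHIFT = [3, 7, 11, 19] * 4 + [3, 5, 9, 13] * 4 + [3, 9, 11, 15] * 4
FUNC = [F] * 16 + [G] * 16 + [H] * 16
CONST = [0] * 16 + [0x5A827999] * 16 + [0x6ED9EBA1] * 16

def step(st, k, m):
    """b_new = (a + f(b,c,d) + m + K) <<< s; registers rotate to (d, b_new, b, c)."""
    a, b, c, d = st
    return (d, rotl((a + FUNC[k](b, c, d) + m + CONST[k]) & MASK, SHIFT[k]), b, c)

def inv_step(st, k, m):
    """Inverse of step(): the previous state, given the word m used at step k."""
    a, b, c, d = st  # the previous b, c, d are simply c, d, a
    return ((rotr(b, SHIFT[k]) - FUNC[k](c, d, a) - m - CONST[k]) & MASK, c, d, a)

def inv_step_delta(st1, st2, k):
    """Run-2-minus-run-1 difference of the previous a register when the word of step k
    is unknown but equal in both runs (a password word): m cancels out."""
    x1 = (rotr(st1[1], SHIFT[k]) - FUNC[k](st1[2], st1[3], st1[0])) & MASK
    x2 = (rotr(st2[1], SHIFT[k]) - FUNC[k](st2[2], st2[3], st2[0])) & MASK
    return (x2 - x1) & MASK

def states(words, nsteps=48):  # chaining states S_0 .. S_nsteps on one block
    st = [IV]
    for k in range(nsteps):
        st.append(step(st[-1], k, words[ORDER[k]]))
    return st

def pad_block(msg):
    """MD4 padding of at most 55 bytes into one 16-word little-endian block."""
    assert len(msg) <= 55
    tail = b"\x80" + b"\x00" * (55 - len(msg)) + struct.pack("<Q", 8 * len(msg))
    return list(struct.unpack("<16I", msg + tail))

def md4_block(words):
    """Single-block MD4: feed-forward IV + S_48, so the attacker gets S_48 = R - IV."""
    return tuple((x + y) & MASK for x, y in zip(IV, states(words)[48]))

def md4_hex(msg):
    return struct.pack("<4I", *md4_block(pad_block(msg))).hex()

def pair_from(challenge):
    """C': m7 += 2^j, m11 -= 2^(j+19) (modular; 19 = rotation of step 7). The 44-octet
    challenge fills m2..m12, so its words 5 and 9 are the block words m7 and m11."""
    cw = list(struct.unpack("<11I", challenge))
    cw[5] = (cw[5] + (1 << J)) & MASK
    cw[9] = (cw[9] - (1 << ((J + SHIFT[7]) % 32))) & MASK
    return struct.pack("<11I", *cw)

def round1_collides(pw, c1, c2):
    return states(pad_block(pw + c1), 16)[16] == states(pad_block(pw + c2), 16)[16]

def local_collision_rate(trials):
    """Empirical probability of a 1R-collision for a random pair (slides: 2^-4)."""
    hits = 0
    for _ in range(trials):
        pw, c = os.urandom(8), os.urandom(44)
        hits += round1_collides(pw, c, pair_from(c))
    return hits / trials

def detect_1r_collision(r1, r2, c1, c2, m1_guess):
    """Attacker side: invert steps 47..33 with the known words and the guessed m1 (m0 is
    not used there), then take only the difference across step 32, the first use of m0.
    A 1R-collision with the right guess forces delta a_32 = 0 and delta d_32 = 2^(j+5)
    (5 = rotation of step 29, where m7 re-enters in 2R)."""
    w1, w2 = pad_block(b"\x00" * 8 + c1), pad_block(b"\x00" * 8 + c2)  # m0, m1 unknown
    w1[1] = w2[1] = m1_guess
    st1 = tuple((x - y) & MASK for x, y in zip(r1, IV))
    st2 = tuple((x - y) & MASK for x, y in zip(r2, IV))
    for k in range(47, 32, -1):
        st1, st2 = inv_step(st1, k, w1[ORDER[k]]), inv_step(st2, k, w2[ORDER[k]])
    delta_a32 = inv_step_delta(st1, st2, 32)
    delta_d32 = (st2[0] - st1[0]) & MASK  # d_32 = a_33 is already known exactly
    return delta_a32 == 0 and delta_d32 == 1 << ((J + SHIFT[29]) % 32)

def demo(password=b"s3cr3tpw"):
    """The password only picks a pair that really collides after 1R and names the right
    m1 among the 2^32 the real attack tries; detection itself sees just R, R', C, C'."""
    c1 = os.urandom(44)
    while not round1_collides(password, c1, pair_from(c1)):
        c1 = os.urandom(44)
    c2 = pair_from(c1)
    r1, r2 = md4_block(pad_block(password + c1)), md4_block(pad_block(password + c2))
    m1 = pad_block(password + c1)[1]
    right = detect_1r_collision(r1, r2, c1, c2, m1)
    wrong = [detect_1r_collision(r1, r2, c1, c2, m1 ^ x) for x in (0x5A5A5A5A, 0xF0F0F1, 0xFFFFFFFF)]
    return right, wrong
```

demo() returns (True, [False, False, False]) except with negligible probability, and local_collision_rate(3000) comes out close to 2^-4 (the exact value for this sign convention is about 1/15). The three wrong guesses deliberately differ from m1 in many bits: a guess off only in the top bit is a known weak spot of such checks, because adding 2^31 is a plain bit flip that the XOR-based 3R steps pass through unchanged, so it can survive the difference test. Inverting the 8 per-guess steps costs 8/48 of an MD4 computation, which is where the 2^35 figure on the next slide comes from.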
Africacrypt 2008Africacrypt 2008
Attack Complexity
25
• To obtain a local collision, we need 24 challenge pairs.
• For each pair, we exhaustively guess m1, so try 232 values.
• For each guess, we inversely compute Steps 38 to 31, 8/48 steps.
• Total complexity is 2*24*232*(8/48) 2≦ 35 MD4 computations.
Remark:
If (P||C) and (P||C’) do not collide, they satisfy b28=0, b29=2j+s with prob. 2-64, which is very low compared to 235.
Africacrypt 2008Africacrypt 2008
Password Recovery on Prefix, 12-octet
• Now m0, m1 and m2 (P0-3, P4-7, P8-11) are unknown.
• The possible patterns of the difference at the checked state are increased, but a 1R-collision (Δ1R = 0) is still detected by inverse computation: exhaustive guess of the unknown words reached first, then the limited-difference check.
Password Recovery on Hybrid, 8-octet
• Block layout: P || C || P || Pad, so P0-3 and P4-7 occupy m0, m1 and appear again in the two words following the challenge, before the padding.
• The same approach applies: a differential path with Δ1R = 0, inverse computation with an exhaustive guess (32 bits), and a limited set of possible differences at the checked state.
Conclusion
We propose practical password recovery attacks on prefix and hybrid using MD4.

  Attack target      Queries   Off-line complexity
  Prefix, 8-octet    2^4       2^35
  Prefix, 12-octet   2^10      2^40
  Hybrid, 8-octet    2^8       2^39
Recent Results
• The number of queries can be reduced by using challenge-quartets instead of challenge-pairs.
• For example, Prefix, 8-octet can be attacked with only 8 queries.

Thank you for your attention!!