Impossible Differential Attack on Hash Functions
Security of Challenge and Response
Yu Sasaki (1), Lei Wang (2), Kazuo Ohta (2), Noboru Kunihiro (2)
1: NTT Information Platform Laboratories, NTT Corporation
2: The University of Electro-Communications

Contents
• Background and our results
• How to recover a password?
• Basic idea
• Overview of our improvement
• Details of our attack
• Recent results

Motivation
• Analyze the security of hash-based challenge/response password authentication.
[Figure: the server and the client both hold the password P. The server sends a challenge C, the client returns the response R = Hash(C, P), and the server computes R by itself. If the two values are equal, it authenticates the client.]
• Classical schemes are still used. Are they practically secure?

Classification of Schemes
• Suffix approach: R = Hash(C || P)
  - used in APOP (e-mail fetching protocol)
• Prefix approach: R = Hash(P || C)
  - used in CHAP (challenge handshake protocol)
• Hybrid approach: R = Hash(P || C || P)
  - proposed by Tsudik in 1992

Attack Model
• We consider the adaptive chosen challenge attack.
• This situation can be practically achieved by hijacking routers, and so on.
• An attack with a practical number of queries is a critical issue for protocols.
[Figure: the attacker sends a chosen challenge C' to the client, which holds the password P. The client returns the response R' = Hash(C', P), and the attacker recovers the password.]

Known Results
[Table not recovered; it cites [L07], [SYA07] and [SWOK08].]

Our Results
[Table not recovered; it cites [L07], [SYA07] and [SWOK08] and marks the main target of this presentation.]

How to Recover a Password?
• Introduction of MD4
• Basic idea
• Previous approach
• Our approach
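
Introduction of MD4
Merkle-Damgard structure:
• The input M is padded (100…00 Len) to M* and divided into 512-bit blocks (M_0, M_1, …, M_{n-1}).
• Starting from IV = H_0, the compression function CF takes H_i and M_i and outputs H_{i+1}, giving H_1, H_2, …, H_{n-1}, H_n. Each H_i is 128 bits.
• Our attacks need to know R and H_{n-1}, so |(P||C)| must be 1-block. Then (P || C) is the only block, IV = H_{n-1}, and the output is R.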
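
MD4 Compression Function
• Input message M_i (512-bit) is divided into (m_0, m_1, …, m_15), |m_i| = 32.
• IV = (a_0, b_0, c_0, d_0). Steps 1-16: 1st round. Steps 17-32: 2nd round. Steps 33-48: 3rd round.
• Each step applies the function f, a message word and a rotation <<s. The first step uses m_{π(0)} and maps (a_0, b_0, c_0, d_0) to (a_1, b_1, c_1, d_1); the last step uses m_{π(47)} and maps (a_47, b_47, c_47, d_47) to (a_48, b_48, c_48, d_48), from which H_n is obtained.
• The block has the layout P || C || Pad. If |P| = 8-octet: m_0, m_1 are P; m_2, …, m_12 are C; m_13, m_14, m_15 are Pad.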

MD4 Message Expansion
Index of the message word used at each step:
π(0)…π(15):  0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
π(16)…π(31): 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15
π(32)…π(47): 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15
• m_0 to m_15 are used in this order.
• Each m_i is 32-bit, 4-octet.
• If |P| = 8-octet: only m_0 (P_{0-3}) and m_1 (P_{4-7}) are unknown. m_2 to m_15 are known to an attacker.

Basic Idea (1/2)
• Ask C and obtain R.
• Ask C' and obtain R'.
• Expect the two computations to follow some differential path.
[Figure: (IV, (P || C || pad)) and (IV, (P || C' || pad)) differ by ΔC. Each passes through 1R, 2R and 3R, giving R = MD4(P || C) and R' = MD4(P || C'), which differ by ΔR.]

Basic Idea (2/2)
• If (P||C) and (P||C') follow a differential path, the attacker learns information on a part of P.
Remaining tasks
• How to find a good differential path?
• How to detect that (P||C) and (P||C') follow the path? (Only R and R' can be observed.)

Previous work 1 [CY06]
[Figure: (IV, (P || C || pad)) and (IV, (P || C' || pad)) differ by ΔC and pass through 1R, 2R and 3R, giving R = MD4(P || C) and R' = MD4(P || C') with ΔR = 0.]
• A randomly chosen pair collides with probability 2^{-61}.
• Detection is easy, just compare R and R'.
• Additional 2^{45} queries are necessary to recover P.

Previous work 2 [WOK08]
[Figure: (IV, (P || C || pad)) and (IV, (P || C' || pad)) differ by ΔC and pass through 1R, 2R and 3R, giving R = MD4(P || C) and R' = MD4(P || C'). Δ2R = 0, ΔR = random.]
• A randomly chosen pair collides until 2R with prob. 2^{-37}.
• How to detect a 2R-collision?
• Additional 2^{34} queries are necessary to recover P.

Previous work 2 (detect 2R-collision)
[Figure: the message-word order table for π(0)…π(15), π(16)…π(31) and π(32)…π(47), with the password words P_{0-3}, P_{4-7} and the message differences Δ marked in each round. After the 2nd round there is a 2R-collision, Δ = 0. The last steps of the 3rd round are marked "Inversely compute! Collision is preserved."]
• Δm is inserted to m_9, m_11, and m_13.
• Remember, m_2 to m_15 are known to the attacker.
• Inversely compute the last 7 steps, and detect a collision.

Our Idea
[Figure: (IV, (P || C || pad)) and (IV, (P || C' || pad)) differ by ΔC and pass through 1R, 2R and 3R, giving R = MD4(P || C) and R' = MD4(P || C'). Δ1R = 0, ΔR = random.]
• A random pair collides with probability 2^{-4}.
• Detect a 1R-collision similarly to the key recovery approach of the Impossible Differential Attack.

Our Idea (detect 1R-collision)
[Figure: the message-word order table for π(0)…π(15), π(16)…π(31) and π(32)…π(47), with the password words P_{0-3}, P_{4-7} and the message differences Δ marked in each round. After the 1st round there is a 1R-collision, Δ = 0. In the 2nd round the difference is limited. The 3rd round is labelled "Inversely compute", with "Exhaustive guess" at the password word.]
• Δm is inserted to m_7, m_11.
• During inverse computation, exhaustively guess m_1.

Overall Procedure
[Figure, from IV down to R and R':
1R: m_0 (P_{0-3}), m_1 (P_{4-7}), then Δm on m_7 and Δm on m_11 make a local collision (Pr = 2^{-4}).
2R: m_0 (P_{0-3}) and m_1 (P_{4-7}) with no difference, then Δm on m_7 and Δm on m_11. Possible difference is very limited.
3R: m_0 (P_{0-3}), m_1 (P_{4-7}), then Δm on m_11 and Δm on m_7. Inverse computation from R, R'. Wrong guess reaches impossible difference.]

Details of our attack
• Recovering password length
• Constructing differential path
• Detecting a 1R-collision

Password Length Recovery on MD Structure [WOK08]
• The attacker sends C. The client computes R_1 from IV over P || C || Pad1 and returns R_1.
• Guess the password length L. Then, Pad1_L is determined.
• The attacker sends C || Pad1_L || x. The client computes R_2 from IV over P || C || Pad1_L || x || Pad2 and returns R_2.
• If the guess is right, x starts from the initial bit of the 2nd block. Therefore, CF(R_1, x || Pad2_L) = R_2.
• Each guess is confirmed by one query.
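
The length check on this slide, worked as an added example (not code from the presentation): a constructed prefix-scheme client R = MD4(P || C) is queried once per guessed length L, and the guess is accepted when CF(R_1, x || Pad2_L) = R_2. MD4 is written out so the block runs offline; `make_client`, `recover_length`, the challenge bytes and x are illustrative names and values.

```python
import struct

M32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
ORDER = (tuple(range(16)),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))
SHIFT = ((3, 7, 11, 19), (3, 5, 9, 13), (3, 9, 11, 15))
CONST = (0, 0x5A827999, 0x6ED9EBA1)
FUNC = (lambda x, y, z: (x & y) | (~x & z),
        lambda x, y, z: (x & y) | (x & z) | (y & z),
        lambda x, y, z: x ^ y ^ z)

def compress(state, block):
    """MD4 compression function CF(H, M) on one 64-byte block."""
    m = struct.unpack("<16I", block)
    a, b, c, d = state
    for r in range(3):
        for t, k in enumerate(ORDER[r]):
            v = (a + FUNC[r](b, c, d) + m[k] + CONST[r]) & M32
            s = SHIFT[r][t % 4]
            a, b, c, d = d, ((v << s) | (v >> (32 - s))) & M32, b, c
    return tuple((h + w) & M32 for h, w in zip(state, (a, b, c, d)))

def pad(total_len):
    """Merkle-Damgard padding for a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)

def md4(msg, state=IV, prior_len=0):
    """Hash msg from `state`, as if prior_len bytes (whole blocks) were already absorbed."""
    data = msg + pad(prior_len + len(msg))
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return state

def make_client(password):
    """Constructed stand-in for a prefix-scheme client: R = MD4(P || C)."""
    return lambda challenge: md4(password + challenge)

def recover_length(client, c=b"constructed-chal", x=b"x", max_len=32):
    r1 = client(c)                              # R1 = MD4(P || C)
    for guess in range(1, max_len + 1):
        pad1 = pad(guess + len(c))              # Pad1_L under the guess |P| = L
        r2 = client(c + pad1 + x)               # one query per guess
        absorbed = guess + len(c) + len(pad1)   # whole blocks before x if L is right
        if md4(x, state=r1, prior_len=absorbed) == r2:  # CF(R1, x || Pad2_L) == R2?
            return guess
    return None
```

`recover_length(make_client(b"12345678"))` returns 8 for this constructed 8-octet password.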

Local collision of MD4
• In the 1R of MD4, Δm_{π(i)} = 2^j and Δm_{π(i+4)} = 2^{j+s} form a local collision for any message pair with Pr. = 2^{-4}.
• Choose i so that m_{π(i)} and m_{π(i+4)} appear in late steps of the 2R.
[Figure: five consecutive steps (function f, rotation <<s) starting from (a_i, b_i, c_i, d_i). The difference 2^j enters with m_{π(i)} and the difference 2^{j+s} with m_{π(i+4)}; the steps using m_{π(i+1)}, m_{π(i+2)}, m_{π(i+3)} and m_{π(i+4)} are each marked with probability 2^{-1}. The message-word order table is shown beside the steps.]
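
The 2^{-4} figure for the 1st-round local collision can be checked empirically. This added example (not from the presentation) runs the 16 first-round steps on random states and messages with Δm_7 = 2^j and Δm_11 = 2^{j+s}. It assumes j = 31 - s, so the second difference is the top bit, where additive and XOR differences coincide; `round1` and `local_collision_rate` are illustrative names.

```python
import random

M32 = 0xFFFFFFFF
SHIFT1 = (3, 7, 11, 19)          # rotation amounts s of the MD4 1st round

def round1(state, m):
    """Run the 16 steps of the MD4 1st round (f = IF, pi(t) = t)."""
    a, b, c, d = state
    for t in range(16):
        v = (a + ((b & c) | (~b & d)) + m[t]) & M32
        s = SHIFT1[t % 4]
        a, b, c, d = d, ((v << s) | (v >> (32 - s))) & M32, b, c
    return (a, b, c, d)

def local_collision_rate(i=7, trials=40_000, seed=2008):
    """Fraction of random (state, message) inputs for which the difference cancels."""
    rng = random.Random(seed)     # fixed seed: constructed, reproducible inputs
    j = 31 - SHIFT1[i % 4]        # assumption: j + s = 31, so 2^(j+s) is the top bit
    hits = 0
    for _ in range(trials):
        state = tuple(rng.getrandbits(32) for _ in range(4))
        m = [rng.getrandbits(32) for _ in range(16)]
        m2 = list(m)
        m2[i] = (m[i] + (1 << j)) & M32            # delta m_pi(i)   = 2^j
        m2[i + 4] = (m[i + 4] + (1 << 31)) & M32   # delta m_pi(i+4) = 2^(j+s)
        # Equal state after the round means the difference cancelled at step i+4,
        # because the remaining steps are invertible and use identical words.
        hits += round1(state, m) == round1(state, m2)
    return hits / trials

if __name__ == "__main__":
    print(f"measured {local_collision_rate():.4f}, 2^-4 = {2 ** -4:.4f}")
```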

Detecting a 1R-collision (1/2)
• Step function is invertible.
• By inverse computation for step i, the following can be computed:
  c_i = b_{i-1}
  d_i = c_{i-1} = b_{i-2}
  a_i = d_{i-1} = c_{i-2} = b_{i-3}
• Moreover, even if the message word is a password word, Δ of a_i = b_{i-3} can be computed.
[Figure: one step with f, the message word m_0 (password, Δ = 0) and <<s, from (a_i, b_i, c_i, d_i) to (a_{i+1}, b_{i+1}, c_{i+1}, d_{i+1}). The four output words are known; b_i, c_i and d_i are known; for a_i, Δ is known.]

Detecting a 1R-collision (2/2)
[Figure: the message-word order table for π(0)…π(15), π(16)…π(31) and π(32)…π(47), with the message differences 2^j and 2^{j+s} marked in each round. The 1st round contains the local collision (2^{-4}). In the 2nd round, Δb_28 = 0 and Δb_29 = 2^{j+s}. The 3rd round is labelled "Exhaustive guess".]
• b_31; c_31 = b_30; d_31 = c_30 = b_29; Δa_31 = Δd_30 = Δc_29 = Δb_28.
• Collision is detected by comparing Δb_29 and Δb_28.

Attack Complexity
• To obtain a local collision, we need 2^4 challenge pairs.
• For each pair, we exhaustively guess m_1, so try 2^{32} values.
• For each guess, we inversely compute Steps 38 to 31, 8/48 steps.
• Total complexity is 2 * 2^4 * 2^{32} * (8/48) ≤ 2^{35} MD4 computations.
Remark: If (P||C) and (P||C') do not collide, they satisfy Δb_28 = 0, Δb_29 = 2^{j+s} with prob. 2^{-64}, which is very low compared to 2^{35}.

Password Recovery on Prefix, 12-octet
[Figure: the message-word order table for π(0)…π(15), π(16)…π(31) and π(32)…π(47), with the password words P_{0-3}, P_{4-7}, P_{8-11} and the message differences Δ marked in each round. After the 1st round there is a 1R-collision, Δ = 0. The 2nd round has a limited Δ. The 3rd round is labelled "Inversely compute", "limited Δ" and "Exhaustive guess".]
• The number of possible patterns of Δ increases, but the collision is still detected by inverse computation.

Password Recovery on Hybrid, 8-octet
[Figure: the message-word order table for π(0)…π(15), π(16)…π(31) and π(32)…π(47). The password words P_{0-3}, P_{4-7} appear twice in the block, before and after the challenge, followed by the padding. The message differences Δ are marked in each round. After the 1st round there is a 1R-collision, Δ = 0. The 2nd round has a limited Δ. The 3rd round is labelled "Inversely compute", "limited Δ" and "Exhaustive guess (32 bits)".]

Conclusion
• We propose practical password recovery attacks on the prefix and hybrid approaches using MD4.

Recent Results
• Number of queries can be reduced.
• Use challenge-quartets instead of challenge-pairs.
• For example, Prefix, 8-octet can be attacked with only 8 queries.
Thank you for your attention!!