
Re: AH-MD5



I just figured out the attack on prepend-only MD5.
Thanks to Perry Metzger for indirectly pointing it out to me.

If I hash "abcd", MD5Transform is invoked once, on the 16 words:

 'abcd'   80000000 00000000 00000000 00000000 00000000 00000000 00000000
 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000020

The trailing "20" is the message length in bits (32 bits).
If I have the hash of this, I can compose a message which begins
with this information, then adds another block with additional data,
and compute the hash on the larger message by adding the appropriate
padding and (revised) bit count, and call MD5Transform to convert the
original hash to the hash of the revised message.  I can do this even
if I don't know the "ab" authenticator part of the message, but the
recipient who's going to "verify" the hash does.

In light of this, appending seems safer.

However, it's easier to discover collisions in MD5 if you have the inputs
to the MD5Transform function, which a secret key deprives you of.

One possibility is to place the secret key into its own MD5Transform block,
enabling the output hash from the first block to be precomputed and used
directly.  Or change the input "magic constants" directly.  This avoids
the extra time overhead.
-- 
	-Colin