
Re: AH-MD5



> From: colin@nyx10.cs.du.edu (Colin Plumb)
> I just figured out the attack on prepend-only MD5.
> If I hash "abcd", MD5Transform is invoked once, on the 16 words:
>
>  'abcd'  80000000 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000020
>
Sigh.  Whatever does this have to do with the current AH draft, or the
AH-MD5 draft?  Have you read them?

Both drafts explicitly state that the IP Total Length is included in the
hash.

That would, in your example for secret 'ab' and data 'cd', yield:

'ab'0002 'cd'8000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000020

An appending attack would add 'ef' after 'cd'.  Exactly how is the hash
recomputed, when the 0002 is changed to something larger?

Bill.Simpson@um.cc.umich.edu
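
The argument in this message, as an added example that is not part of the original post or of either draft: an appended message verifies under prepend-only MD5 but not once a length field is hashed ahead of the data. The 16-bit big-endian length placed right after the secret follows the 'ab'0002 'cd' illustration above and is an assumption, as are all function names and the sample values.

```python
import hashlib
import struct

def md5_pad(n: int) -> bytes:
    """Padding MD5 adds to an n-byte message: 0x80, zeros, 64-bit LE bit count."""
    return b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", (n * 8) % 2**64)

def mac_prefix(secret: bytes, data: bytes) -> bytes:
    """Prepend-only keyed MD5: MD5(secret || data)."""
    return hashlib.md5(secret + data).digest()

def mac_with_len(secret: bytes, data: bytes) -> bytes:
    """Assumed layout from the reply: MD5(secret || 16-bit length || data)."""
    return hashlib.md5(secret + struct.pack(">H", len(data)) + data).digest()

def appended(hashed: bytes, suffix: bytes) -> bytes:
    """Input whose digest follows from MD5(hashed) alone: hashed || pad || suffix."""
    return hashed + md5_pad(len(hashed)) + suffix

def demo():
    secret, data, suffix = b"ab", b"cd", b"ef"  # constructed sample values
    # The digests of the glued inputs are computed here with the secret,
    # as a shortcut for the demonstration.

    # Prepend-only: the glued input is itself secret || data', so it verifies.
    glued = appended(secret + data, suffix)
    prefix_ok = hashlib.md5(glued).digest() == mac_prefix(secret, glued[len(secret):])

    # With the length hashed first, the glued input still carries 0002 in its
    # first block, while the receiver hashes the real length of data'.
    hashed = secret + struct.pack(">H", len(data)) + data
    glued = appended(hashed, suffix)
    forged_data = glued[len(secret) + 2:]
    len_ok = hashlib.md5(glued).digest() == mac_with_len(secret, forged_data)
    return prefix_ok, len_ok

if __name__ == "__main__":
    print(demo())
```

The length bytes sit in the first 64-byte block, ahead of the chaining state that the published digest exposes, which is why changing them requires the secret.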