Re: AH-MD5
Colin Plumb says:
> I just figured out the attack on prepend-only MD5.
> Thanks to Perry Metzger for indirectly pointing it out to me.
>
> If I hash "abcd", MD5Transform is invoked once, on the 16 words:
>
> 'abcd' 80000000 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000020
>
> The trailing "20" is the message length in bits (32 bits).
> If I have the hash of this, I can compose a message which begins
> with this information, then adds another block with additional data,
> and compute the hash on the larger message by adding the appropriate
> padding and (revised) bit count, and call MD5Transform to convert the
> original hash to the hash of the revised message. I can do this even
> if I don't know the "ab" authenticator part of the message, but the
> recipient who's going to "verify" the hash does.
>
> In light of this, appending seems safer.
Colin;
This is the famous "appending attack". It's fairly well known. We
defend against it because we include the length of the message in the
authenticated message at a fixed location, which means that we could
detect received messages that had been tampered with.
Perry
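An added example, not code from the thread, showing both halves of the exchange: a resumable MD5 reproduces Colin's extension from the digest alone, and the fixed-position length field Perry describes rejects the extended message. The 4-byte little-endian length prefix and the 2-byte "ab" secret are constructed for illustration.

```python
import hmac, math, struct

# Round constants, per-round shifts and initial state from RFC 1321.
K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def md5_transform(state, block):
    """One MD5 compression step: absorb a 64-byte block into the 4-word state."""
    a, b, c, d = state
    M = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:   f, g = (b & c) | (~b & d), i
        elif i < 32: f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48: f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:        f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + M[g]) & 0xFFFFFFFF
        rot = ((f << S[i]) | (f >> (32 - S[i]))) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + rot) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))

def md5_padding(total_len):
    """The 0x80 byte, zero fill and 64-bit little-endian bit count MD5 appends."""
    return b'\x80' + b'\x00' * ((55 - total_len) % 64) + struct.pack('<Q', total_len * 8)

def md5(data, state=IV, already_absorbed=0):
    """MD5 of data, optionally resuming from a known chaining value after
    `already_absorbed` bytes; this resumability is exactly what Colin exploits."""
    msg = data + md5_padding(already_absorbed + len(data))
    for off in range(0, len(msg), 64):
        state = md5_transform(state, msg[off:off + 64])
    return struct.pack('<4I', *state)

def extend(digest, secret_len, msg, extra):
    """From MD5(secret||msg) and only len(secret), build msg' = msg||pad||extra and
    MD5(secret||msg') without ever seeing secret (the attack in the quoted mail)."""
    glue = md5_padding(secret_len + len(msg))
    state = struct.unpack('<4I', digest)
    return msg + glue + extra, md5(extra, state, secret_len + len(msg) + len(glue))

def verify(secret, msg, digest):
    """Perry's check: the message carries its own length at a fixed position
    (constructed layout: first 4 bytes, little-endian), so an extended message
    fails before the digest is even compared, since its embedded length is stale."""
    if len(msg) < 4 or struct.unpack('<I', msg[:4])[0] != len(msg):
        return False
    return hmac.compare_digest(md5(secret + msg), digest)
```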