
Re: AH-MD5




Colin Plumb says:
> I just figured out the attack on prepend-only MD5.
> Thanks to Perry Metzger for indirectly pointing it out to me.
> 
> If I hash "abcd", MD5Transform is invoked once, on the 16 words:
> 
>  'abcd'  80000000 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000020
> 
> The trailing "20" is the message length in bits (32 bits).
> If I have the hash of this, I can compose a message which begins
> with this information, then adds another block with additional data,
> and compute the hash on the larger message by adding the appropriate
> padding and (revised) bit count, and call MD5Transform to convert the
> original hash to the hash of the revised message.  I can do this even
> if I don't know the "ab" authenticator part of the message, but the
> recipient who's going to "verify" the hash does.
> 
> In light of this, appending seems safer.

Colin;

This is the famous "appending attack". It's fairly well known. We
defend against it because we include the length of the message in the
authenticated message at a fixed location, which means that we could
detect received messages that had been tampered with.

Perry
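An added Python example (not code from the thread or from either author) that makes two points above concrete: the padded 64-byte block MD5Transform consumes for Colin's "abcd" message, and the fixed-position length check Perry describes, which rejects a message that has grown past the padding the recipient's MD5 already absorbed. The 4-byte little-endian length prefix and the 2-byte secret are assumptions.

```python
import struct

# Constructed value, not from the thread: a 2-byte secret prefix standing in
# for the "ab" authenticator part of Colin's "abcd" message.
SECRET = b"ab"


def md5_padding(total_len_bytes: int) -> bytes:
    """Merkle-Damgard padding MD5 appends to a message of total_len_bytes bytes:
    one 0x80 byte, zero bytes up to 56 mod 64, then the bit length as a
    64-bit little-endian integer (Colin's trailing "20" for a 32-bit message)."""
    pad = b"\x80"
    pad += b"\x00" * ((56 - (total_len_bytes + 1)) % 64)
    pad += struct.pack("<Q", total_len_bytes * 8)
    return pad


def padded_block(message: bytes) -> bytes:
    """The exact 64-byte block MD5Transform consumes for a short message."""
    return message + md5_padding(len(message))


def extended_message(original: bytes, secret_len: int, suffix: bytes) -> bytes:
    """The shape a length-extended message has on the wire: the original data,
    the padding the recipient's MD5 already consumed (it depends only on the
    secret length plus the original length), then whatever was appended.
    No tag is computed here; this only shows what the recipient would see."""
    return original + md5_padding(secret_len + len(original)) + suffix


def frame(payload: bytes) -> bytes:
    """Perry's defence: the authenticated message carries its own length at a
    fixed location (assumed here: a 4-byte little-endian prefix)."""
    return struct.pack("<I", len(payload)) + payload


def check_frame(data: bytes) -> bool:
    """Reject any received message whose fixed-position length field does not
    match the number of bytes that actually arrived. An extended message
    still carries the original's length field, so it fails this check."""
    if len(data) < 4:
        return False
    (declared,) = struct.unpack("<I", data[:4])
    return declared == len(data) - 4
```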

