Re: (radius) FWD: (mobile-ip) MD5 Key recovery attack



There are (at least :-) two directions in which to look for solutions:

 1) Internet Draft "draft-krawczyk-keyed-md5-01.txt" presents an
    analysis of the use of hash functions as Message Authenticators.
    It suggests using the construct:

       Hash(Key, Pad2, Hash(Key, Pad1, Text))

    in lieu of other structures such as Hash(Key, Text, Key).
    The Krawczyk MAC relies on significantly fewer assumptions about
    the properties of the hash algorithm than do other methods (which
    were apparently concocted without much in the way of security
    analysis).

 2) The Secure Hash Algorithm (SHA) (ftp://csrc.ncsl.nist.gov/pub/fips/
    fip180-1.txt) produces a 160 bit hash value as opposed to MD5's 128
    bit value.  I am not aware of an analysis of the inherent strengths
    of the two algorithms, but assuming they are equivalent, SHA's
    additional 32 bits would increase the work factor of the attack by
    2**32. It would be interesting to know if in fact the attack
    referenced below is effective at all against SHA.

Netscape's SSL Version 3 (ftp://ftp.netscape.com/pub/review/ssl-spec.tar.Z)
has adopted the Krawczyk MAC using both MD5 and SHA.  Also, a very
influential vendor consortium recently switched from using MD5 to SHA
because, despite the increased size of its hash value, SHA is
computationally faster than MD5.

Food for thought.

Regards,

Dave Kemp


==================================

> I am forwarding this memo from the mobile-ip IETF mailing list, as it
> addresses MD5 used to hide keys (passwords).  I haven't been following
> this thread on the mobile-ip list, but thought it may be of some interest 
> to us.
> 
> Regards,
> 
> Dave Nelson
> Internetworking Products Engineering Group
> Digital Equipment Corporation 
> 
> --------------------------------------------------------------------------
> 
> It seems that MD5 isn't as secure as we thought.
> I'd suggest we shop around for a fix to this problem
> before finishing Working Group last call.  The algorithm
> we are using to compute authenticators is (apparently)
> called an MD5-envelope algorithm.  I'm not a security
> weenie, but here's my distillation of the article.
> 
> 1) MD5 was not designed to hide keys.
> 
> 2) It's possible to choose plaintexts and trial keys
>    in such a way as to dramatically reduce the amount of
>    time needed to recover a key, to about 2**64
>    keyed operations on 2**13 plaintexts in some cases.
>    Were we expecting 2**128 key trials to be needed?
> 
> 3) If keys are chosen poorly, even fewer trials are
>    needed to find the key.
> 
> The danger could be that, even if 2**64 is still good
> enough for our purposes (is it??), that this result
> will point the way towards another drastic reduction
> in the security of MD5(key||text||key).
> 
> Does anyone know if "suffix-only" mode is more secure
> than the "envelope" or "prefix+suffix" mode that we
> have specified in the mobile-IP draft?
> 
> Regards,
> Charlie Perkins