Re[2]: (radius) FWD: (mobile-ip) MD5 Key recovery attack
>There are (at least :-) two directions in which to look for solutions:
>1) Internet Draft "draft-krawczyk-keyed-md5-01.txt" presents an
>analysis of the use of hash functions as Message Authenticators.
>It suggests using the construct:
>Hash(Key, Pad2, Hash(Key, Pad1, Text))
>...
>2) The Secure Hash Algorithm (SHA) (ftp://csrc.ncsl.nist.gov/pub/fips/
>fip180-1.txt) produces a 160 bit hash value as opposed to MD5's 128
>bit value. I am not aware of an analysis of the inherent strengths
>of the two algorithms, but assuming they are equivalent, SHA's
>additional 32 bits would increase the work factor of the attack by
>2**32. It would be interesting to know if in fact the attack
>referenced below is effective at all against SHA.
At the expense of being a pain about my extensions proposal, the
extended authentication mechanism allows for alternate encryption
schemes. There exists a flag in the message header which is used for
this. You will notice that I have only defined the current MD5 method,
but there are plenty of bits left which may be used in order to
indicate the encoding scheme. I would certainly be interested in
talking about any "new" encoding schemes and adding these to my
proposals.
The only lacking piece is that both peers should negotiate an encoding
scheme BEFORE authentication begins. This should be done in the
NAS-Reboot message, where certain other negotiations exist.
Pat R. Calhoun e-mail: pcalhoun@usr.com
Project Engineer - Lan Access R&D phone: (847) 933-5181
US Robotics Access Corp.
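The nested construct Hash(Key, Pad2, Hash(Key, Pad1, Text)) quoted above, worked through as an added example (not code from this thread or from the draft): the inner hash covers the text, the outer hash covers only the inner digest, and the same code accepts SHA-1 for the 160-bit variant. It assumes the later RFC 2104 form of the construct, with the key XOR-ed into block-sized pads of 0x36 and 0x5c; the secret and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 and SHA-1 both consume 64-byte blocks, so one pad fills a block
IPAD = b"\x36" * BLOCK  # inner pad (Pad1); byte value assumed from RFC 2104
OPAD = b"\x5c" * BLOCK  # outer pad (Pad2); byte value assumed from RFC 2104


def _pad_key(key: bytes, hash_name: str) -> bytes:
    # Keys longer than a block are hashed first; shorter keys are zero-extended.
    if len(key) > BLOCK:
        key = hashlib.new(hash_name, key).digest()
    return key.ljust(BLOCK, b"\x00")


def nested_keyed_hash(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """Hash(Key, Pad2, Hash(Key, Pad1, Text)) with the key XOR-ed into each pad.
    hash_name="sha1" gives the 160-bit tag discussed in point 2 above."""
    k = _pad_key(key, hash_name)
    inner_key = bytes(a ^ b for a, b in zip(k, IPAD))
    outer_key = bytes(a ^ b for a, b in zip(k, OPAD))
    inner = hashlib.new(hash_name, inner_key + text).digest()
    return hashlib.new(hash_name, outer_key + inner).digest()


def verify(key: bytes, text: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(nested_keyed_hash(key, text, hash_name), tag)


def matches_stdlib_hmac(key: bytes, text: bytes, hash_name: str = "md5") -> bool:
    """The construct is what RFC 2104 standardised as HMAC, so it must agree
    with the library implementation for the same key, text and hash."""
    return nested_keyed_hash(key, text, hash_name) == hmac.new(key, text, hash_name).digest()


# Constructed sample input: a 16-byte shared secret and a registration-style message.
SECRET = bytes(range(16))
MESSAGE = b"constructed Mobile-IP registration request"

if __name__ == "__main__":
    md5_tag = nested_keyed_hash(SECRET, MESSAGE, "md5")
    sha_tag = nested_keyed_hash(SECRET, MESSAGE, "sha1")
    print(len(md5_tag) * 8, "bit tag (MD5):  ", md5_tag.hex())
    print(len(sha_tag) * 8, "bit tag (SHA-1):", sha_tag.hex())
    print("matches hmac module:", matches_stdlib_hmac(SECRET, MESSAGE))
    print("tampered message accepted:", verify(SECRET, MESSAGE + b"x", md5_tag))
```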