
Re[2]: (radius) FWD: (mobile-ip) MD5 Key recovery attack

> There are (at least :-) two directions in which to look for solutions:
>
> 1) Internet Draft "draft-krawczyk-keyed-md5-01.txt" presents an
>    analysis of the use of hash functions as Message Authenticators.
>    It suggests using the construct:
>
>        Hash(Key, Pad2, Hash(Key, Pad1, Text))
>
>    ...
>
> 2) The Secure Hash Algorithm (SHA) (ftp://csrc.ncsl.nist.gov/pub/fips/
>    fip180-1.txt) produces a 160 bit hash value as opposed to MD5's 128
>    bit value.  I am not aware of an analysis of the inherent strengths
>    of the two algorithms, but assuming they are equivalent, SHA's
>    additional 32 bits would increase the work factor of the attack by
>    2**32. It would be interesting to know if in fact the attack
>    referenced below is effective at all against SHA.
     
At the expense of being a pain about my extensions proposal, the
extended authentication mechanism allows for alternate encryption
schemes. There exists a flag in the message header which is used for
this. You will notice that I have only defined the current MD5 method,
but there are plenty of bits left which may be used in order to
indicate the encoding scheme. I would certainly be interested in
talking about any "new" encoding schemes and adding these to my
proposals.

The only lacking piece is that both peers should negotiate an encoding
scheme BEFORE authentication begins. This should be done in the
NAS-Reboot message, where certain other negotiations exist.
     
Pat R. Calhoun                                  e-mail: pcalhoun@usr.com 
Project Engineer - Lan Access R&D                phone: (847) 933-5181 
US Robotics Access Corp.
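The nested construct quoted in point 1, as an added example that is not code from the original message, the Krawczyk draft, or the extensions proposal: it computes Hash(Key, Pad2, Hash(Key, Pad1, Text)) for MD5 and for SHA-1 and checks the result against Python's hmac module. The pad handling (zero-padding the key to the 64-byte block and XORing it with the pad bytes 0x36 and 0x5c) follows RFC 2104, the standardized successor of that draft, and is an assumption here.

```python
import hashlib
import hmac

BLOCK_SIZE = 64   # MD5 and SHA-1 both compress 64-byte blocks
PAD1 = 0x36       # inner pad byte (RFC 2104 "ipad"); assumption, see lead-in
PAD2 = 0x5C       # outer pad byte (RFC 2104 "opad"); assumption, see lead-in


def nested_keyed_hash(key: bytes, text: bytes, hash_name: str = "md5") -> bytes:
    """Return Hash(Key, Pad2, Hash(Key, Pad1, Text)) as raw bytes.

    A key longer than one block is first hashed down; the key is then
    zero-padded to the block size and XORed with each pad byte (RFC 2104).
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    key_pad1 = bytes(b ^ PAD1 for b in key)
    key_pad2 = bytes(b ^ PAD2 for b in key)
    inner = hashlib.new(hash_name, key_pad1 + text).digest()   # Hash(Key, Pad1, Text)
    return hashlib.new(hash_name, key_pad2 + inner).digest()   # Hash(Key, Pad2, inner)


def matches_stdlib(key: bytes, text: bytes, hash_name: str = "md5") -> bool:
    """Cross-check the hand-rolled construct against hmac.new (constant-time compare)."""
    expected = hmac.new(key, text, getattr(hashlib, hash_name)).digest()
    return hmac.compare_digest(nested_keyed_hash(key, text, hash_name), expected)


def mac_bits(hash_name: str) -> int:
    """Output size of the authenticator in bits: 128 for MD5, 160 for SHA-1."""
    return hashlib.new(hash_name).digest_size * 8


if __name__ == "__main__":
    # Constructed sample input: a 16-byte shared secret and a short message.
    shared_secret = b"\x0b" * 16
    message = b"Hi There"
    for name in ("md5", "sha1"):
        mac = nested_keyed_hash(shared_secret, message, name)
        print(f"{name}: {mac_bits(name)}-bit MAC = {mac.hex()} "
              f"(matches stdlib: {matches_stdlib(shared_secret, message, name)})")
```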