Re: (radius) FWD: (mobile-ip) MD5 Key recovery attack

>From: dpkemp@missi.ncsc.mil (David P. Kemp)
>Message-Id: <199602121439.JAA02761@argon.ncsc.mil>
>
>There are (at least :-) two directions in which to look for solutions:
>
> 1) Internet Draft "draft-krawczyk-keyed-md5-01.txt" presents an
>    analysis of the use of hash functions as Message Authenticators.
>    It suggests using the construct:
>
>       Hash(Key, Pad2, Hash(Key, Pad1, Text))
>
>    in lieu of other structures such as Hash(Key, Text, Key).
>    The Krawczyk MAC relies on significantly fewer assumptions about
>    the properties of the hash algorithm than do other methods (which
>    were apparently concocted without much in the way of security
>    analysis).

Just to expand a bit: the above scheme is assured to serve as
a good MAC as long as the following two conditions hold. (This
applies for any iterated hash function, in particular MD5 and SHA).

  1. The hash function is collision-free. 

  This is what hash functions are designed for.  (In fact, only a
  considerably weaker-than-standard collision-freeness assumption is
  needed, namely that collisions are hard to find when the iterated
  construction starts with a *random and secret* IV, rather than with
  the fixed public IV.  Furthermore, parallel collision-finding attacks
  a la van Oorschot-Wiener are infeasible here.)

  2. The internal compression function of the hash function
  is a good MAC on 512 bit messages.

  This is a minimal security requirement that is believed to hold 
  for both MD5 and SHA.

This scheme is proposed and analyzed in the paper 
"Keying Hash Functions for Message Authentication" 
by Mihir Bellare, Hugo Krawczyk and myself, available at

  http://www-cse.ucsd.edu/users/mihir
  http://www.research.ibm.com/security/keyed-md5.html

It is also summarized in the above Internet Draft.


Ran Canetti
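Added example, not part of the original post: the two-level construction quoted above, Hash(Key, Pad2, Hash(Key, Pad1, Text)), implemented over MD5 both with the commas read as concatenation and with the key XORed into the pads, which is the form RFC 2104 later standardized as HMAC and which Python's hmac module computes. The 0x36/0x5c pad bytes, the zero-padding of short keys, and the sample key and message are assumptions of this example, not values taken from the post or the draft.

```python
import hashlib
import hmac

BLOCK = 64                      # MD5 and SHA-1 process 512-bit (64-byte) blocks
PAD1 = bytes([0x36]) * BLOCK    # inner pad; byte value assumed from RFC 2104's ipad
PAD2 = bytes([0x5C]) * BLOCK    # outer pad; byte value assumed from RFC 2104's opad


def _pad_key(key: bytes, digestmod=hashlib.md5) -> bytes:
    """Bring the key to exactly one block: hash it if longer, zero-pad if shorter (assumed rule)."""
    if len(key) > BLOCK:
        key = digestmod(key).digest()
    return key.ljust(BLOCK, b"\x00")


def nested_mac_concat(key: bytes, text: bytes, digestmod=hashlib.md5) -> bytes:
    """Hash(Key, Pad2, Hash(Key, Pad1, Text)) with ',' read literally as concatenation."""
    k = _pad_key(key, digestmod)
    inner = digestmod(k + PAD1 + text).digest()      # inner hash keyed by Key || Pad1
    return digestmod(k + PAD2 + inner).digest()      # outer hash keyed by Key || Pad2


def nested_mac_xor(key: bytes, text: bytes, digestmod=hashlib.md5) -> bytes:
    """Hash(Key ^ Pad2, Hash(Key ^ Pad1, Text)): the XOR reading, i.e. HMAC as in RFC 2104."""
    k = _pad_key(key, digestmod)
    inner = digestmod(bytes(a ^ b for a, b in zip(k, PAD1)) + text).digest()
    return digestmod(bytes(a ^ b for a, b in zip(k, PAD2)) + inner).digest()


def verify(key: bytes, text: bytes, tag: bytes, mac=nested_mac_xor) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(mac(key, text), tag)


def matches_stdlib_hmac(key: bytes, text: bytes) -> bool:
    """The XOR reading must agree byte-for-byte with the standard library's HMAC-MD5."""
    return nested_mac_xor(key, text) == hmac.new(key, text, hashlib.md5).digest()


if __name__ == "__main__":
    key = b"constructed-shared-secret"           # constructed sample key
    msg = b"Access-Request user=alice id=17"     # constructed sample message
    tag = nested_mac_xor(key, msg)
    print("HMAC-MD5 tag:", tag.hex())
    print("matches hmac module:", matches_stdlib_hmac(key, msg))
    print("verifies:", verify(key, msg, tag), "tampered verifies:", verify(key, msg + b"!", tag))
```

Both readings are nested constructions of the kind the post describes; the XOR form is the one that was adopted, and the check against the hmac module shows the two-pass structure is all there is to it.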