
Security of Challenge and Response

Impossible Differential Attack on Hash Functions: Security of Challenge and Response. Yu Sasaki (1), Lei Wang (2), Kazuo Ohta (2), Noboru Kunihiro (2). 1: NTT Information Platform Laboratories, NTT Corporation. 2: The University of Electro-Communications.





Presentation Transcript


  1. Impossible Differential Attack on Hash Functions: Security of Challenge and Response. Yu Sasaki (1), Lei Wang (2), Kazuo Ohta (2), Noboru Kunihiro (2). 1: NTT Information Platform Laboratories, NTT Corporation. 2: The University of Electro-Communications

  2. Contents • Background and our results • How to recover a password? • Basic idea • Overview of our improvement • Details of our attack • Recent results

  3. Motivation • Analyze the security of hash-based challenge/response password authentication. (Figure: client and server share the password P; the server sends a challenge C, the client returns the response R = Hash(C, P), and the server computes R by itself and authenticates if the two values are equal.) • Classical schemes are still used. Are they practically secure?

  4. Classification of Schemes • Suffix approach: R = Hash(C || P), used in APOP (e-mail fetching protocol) • Prefix approach: R = Hash(P || C), used in CHAP (challenge handshake protocol) • Hybrid approach: R = Hash(P || C || P), proposed by Tsudik in 1992

  5. Attack Model • We consider the adaptive chosen-challenge attack. • This situation can be achieved in practice by hijacking routers, and so on. • An attack with a practical number of queries is a critical issue for protocols. (Figure: the attacker sends a chosen challenge C' to the client, who returns R' = Hash(C', P); the attacker's goal is to recover the password P.)

  6. Known Results (comparison table of [L07], [SYA07] and [SWOK08]; the table itself is not preserved in the transcript)

  7. Our Results (main target of this presentation; comparison table with [L07], [SYA07] and [SWOK08] not preserved in the transcript)

  8. How to Recover a Password? • Introduction of MD4 • Basic idea • Previous approach • Our approach

  9. Introduction of MD4 (Merkle-Damgård structure) • The input M is padded with (100...00 || Len) to M* and divided into 512-bit blocks (M0, M1, ..., M_{n-1}). • Starting from IV = H0, each block is fed to the compression function CF together with the 128-bit chaining value: H_{i+1} = CF(H_i, M_i), giving H1, H2, ..., H_{n-1} and the 128-bit output H_n. • Our attacks need to know R and H_{n-1}, so |(P || C)| must be one block: the block (P || C) is processed from IV = H_{n-1} to R.

  10. MD4 Compression Function • Input: IV = (a0, b0, c0, d0) and a 512-bit message block M_i = (m0, m1, ..., m15), |m_i| = 32. • 48 steps in three rounds: steps 1-16 form the 1st round, steps 17-32 the 2nd round, steps 33-48 the 3rd round. • Each step computes f on three registers, adds the message word m_p(i) and rotates left by s, producing (a1, b1, c1, d1), ..., (a47, b47, c47, d47) and finally (a48, b48, c48, d48), from which H_n is derived. • If |P| = 8 octets: P occupies m0 and m1, C occupies m2 to m12, and the padding occupies m13, m14 and m15.

  11. MD4 Message Expansion • m0 to m15 are used in this order (index of the word m_p(i) used at each step):
     1st round (steps 1-16):  0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
     2nd round (steps 17-32): 0 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15
     3rd round (steps 33-48): 0 8 4 12 2 10 6 14 1 9 5 13 3 11 7 15
  • Each m_i is 32-bit (4 octets). • If |P| = 8 octets: only m0 (= P0-3) and m1 (= P4-7) are unknown; m2 to m15 are known to the attacker.

  12. Basic Idea (1/2) • Ask C and obtain R = MD4(P || C). • Ask C' and obtain R' = MD4(P || C'). (Figure: both computations start from the same IV with inputs (P || C || pad) and (P || C' || pad), i.e. with input difference ΔC, and pass through 1R, 2R and 3R to the output difference ΔR.) • Expect the two computations to follow some differential path.

  13. Basic Idea (2/2) • If (P || C) and (P || C') follow a differential path, the attacker learns information about a part of P. Remaining tasks: • How to find a good differential path? • How to detect that (P || C) and (P || C') follow the path? (Only R and R' can be observed.)

  14. Previous work 1 [CY06] (Figure: from IV, (P || C || pad) and (P || C' || pad) with difference ΔC pass through 1R, 2R and 3R and end with ΔR = 0, i.e. R = MD4(P || C) equals R' = MD4(P || C').) • A randomly chosen pair collides with probability 2^-61. • Detection is easy: just compare R and R'. • Additional 2^45 queries are necessary to recover P.

  15. Previous work 2 [WOK08] (Figure: from IV, (P || C || pad) and (P || C' || pad) with difference ΔC; Δ2R = 0 after the 2nd round, ΔR = random after the 3rd round.) • A randomly chosen pair collides up to the end of 2R with prob. 2^-37. • How to detect a 2R-collision? • Additional 2^34 queries are necessary to recover P.

  16. Previous work 2 (detect a 2R-collision) (Figure: the message-expansion table of slide 11 with Δ marked at the words m9, m11 and m13 in each round; Δ = 0 at the end of 2R, the 2R-collision; in 3R the last steps are inversely computed and the collision is preserved.) • Δm is inserted into m9, m11 and m13. • Remember, m2 to m15 are known to the attacker. • Inversely compute the last 7 steps, and detect a collision.

  17. Our Idea (Figure: from IV, (P || C || pad) and (P || C' || pad) with difference ΔC; Δ1R = 0 after the 1st round, ΔR = random after the 3rd round.) • A random pair collides at the end of 1R with probability 2^-4. • Detect a 1R-collision similarly to the key-recovery approach of the impossible differential attack.

  18. Our Idea (detect a 1R-collision) (Figure: the message-expansion table of slide 11 with Δ marked at m7 and m11 in each round; Δ = 0 at the end of 1R, the 1R-collision; in 2R the difference is limited; in 3R, inverse computation with an exhaustive guess at the step that uses m1.) • Δm is inserted into m7 and m11. • During the inverse computation, exhaustively guess m1.

  19. Overall Procedure (Figure) • 1R: from IV, with P0-3 in m0 and P4-7 in m1, the differences Δm7 and Δm11 make a local collision (Pr = 2^-4); no difference remains after 1R. • 2R: the possible difference caused by Δm7 and Δm11 is very limited. • 3R: inverse computation from R and R' with a guess of m1; a wrong guess reaches an impossible difference.

  20. Details of our attack • Recovering the password length • Constructing a differential path • Detecting a 1R-collision

  21. Password Length Recovery on the MD Structure [WOK08] (Figure) • The attacker sends challenge C; the client returns R1 = H(P || C || Pad1). • Guess the password length L; then Pad1_L is determined. • Send challenge C || Pad1_L || x; the client returns R2 = H(P || C || Pad1_L || x || Pad2). • If the guess is right, x starts from the initial bit of the 2nd block; therefore CF(R1, x || Pad2_L) = R2. • Each guess is confirmed by one query.

  22. Local collision of MD4 (Figure: five consecutive 1R steps with message words m_p(i), ..., m_p(i+4); Δm_p(i) = 2^j enters at the first step and Δm_p(i+4) = 2^(j+s) cancels the remaining difference at the last; each of the four intermediate conditions holds with probability 2^-1; the message-expansion table of slide 11 marks where m_p(i) and m_p(i+4) appear in 2R.) • In the 1R of MD4, Δm_p(i) = 2^j and Δm_p(i+4) = 2^(j+s) form a local collision for any message pair with Pr. = 2^-4. • Choose i so that m_p(i) and m_p(i+4) appear at late steps in 2R.

  23. Detecting a 1R-collision (1/2) • The step function is invertible. • By inverse computation of step i (Figure: the word m0 entering the step is the password and unknown, the other inputs and Δ are known), the following can be computed: c_i = b_{i-1}, d_i = c_{i-1} = b_{i-2}, a_i = d_{i-1} = c_{i-2} = b_{i-3}. • Moreover, even if the message word is the password, Δa_i = Δb_{i-3} can be computed.

  24. Detecting a 1R-collision (2/2) (Figure: the message-expansion table of slide 11; in 1R, 2^j and 2^(j+s) in m7 and m11 form the local collision (2^-4); in 2R these words give Δb28 = 0 and Δb29 = 2^(j+s); in 3R, inverse computation with an exhaustive guess, with b31, c31 = b30, d31 = c30 = b29 and Δa31 = Δd30 = Δc29 = Δb28.) • The collision is detected by comparing Δb29 and Δb28.
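As an added example (not the authors' code), the MD4 compression function reconstructed from the step structure and message-word order of slides 10 and 11 and checked against the RFC 1320 test vectors, a single inverse step as on slide 23, and an empirical check of the slide-22 local collision in 1R. The function names, the choice i = 7 (so the differences sit in m7 and m11 as on slide 18), j = 5, the step-7 rotation s = 19 and the random seed are constructed choices.

```python
import random, struct
MASK = 0xFFFFFFFF
# Message-word order p(i) (slide 11), rotation amounts and round constants.
P = (list(range(16)) + [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
     + [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15])
S = [3, 7, 11, 19] * 4 + [3, 5, 9, 13] * 4 + [3, 9, 11, 15] * 4
K = [0] * 16 + [0x5A827999] * 16 + [0x6ED9EBA1] * 16
F = [lambda x, y, z: (x & y) | (~x & z),           # 1st round (steps 1-16)
     lambda x, y, z: (x & y) | (x & z) | (y & z),  # 2nd round (steps 17-32)
     lambda x, y, z: x ^ y ^ z]                    # 3rd round (steps 33-48)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & MASK
rotr = lambda x, s: rotl(x, 32 - s)

def steps(state, m, first, last):
    """Run steps first..last (0-based) of the compression function (slide 10)."""
    a, b, c, d = state
    for i in range(first, last + 1):
        f = F[i // 16](b, c, d) & MASK
        a, b, c, d = d, rotl((a + f + K[i] + m[P[i]]) & MASK, S[i]), b, c
    return (a, b, c, d)

def inverse_step(state, m, i):
    """Undo step i given m_p(i): the step function is invertible (slide 23)."""
    d, a_new, b, c = state  # three registers are just copies of the old ones
    a = (rotr(a_new, S[i]) - (F[i // 16](b, c, d) & MASK) - K[i] - m[P[i]]) & MASK
    return (a, b, c, d)

def md4(msg):
    """Full MD4: MD padding, 512-bit blocks and feed-forward (slide 9)."""
    pad = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    h = IV
    for off in range(0, len(pad), 64):
        m = struct.unpack("<16I", pad[off:off + 64])
        h = tuple((x + y) & MASK for x, y in zip(h, steps(h, m, 0, 47)))
    return struct.pack("<4I", *h).hex()

def local_collision_rate(trials=20000, j=5, seed=1):
    """Fraction of random (state, message) pairs for which Dm7 = +2^j and
    Dm11 = -2^(j+19) (slide 22 with constructed i = 7, s = 19) cancel by step 11."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        st = tuple(rng.getrandbits(32) for _ in range(4))
        m = [rng.getrandbits(32) for _ in range(16)]
        m2 = list(m)
        m2[7] = (m[7] + (1 << j)) & MASK
        m2[11] = (m[11] - (1 << (j + 19))) & MASK
        hits += steps(st, m, 7, 11) == steps(st, m2, 7, 11)
    return hits / trials
```

The measured rate comes out slightly above 2^-4 because longer carry chains in the first step occasionally survive the three absorbing steps as well.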

  25. Attack Complexity • To obtain a local collision, we need 2^4 challenge pairs. • For each pair, we exhaustively guess m1, so we try 2^32 values. • For each guess, we inversely compute steps 38 to 31, i.e. 8 of the 48 steps. • Total complexity is 2 * 2^4 * 2^32 * (8/48) ≤ 2^35 MD4 computations. Remark: if (P || C) and (P || C') do not collide, they satisfy Δb28 = 0 and Δb29 = 2^(j+s) with probability 2^-64, which is very low compared to 2^35.

  26. Password Recovery on Prefix, 12-octet (Figure: the message-expansion table of slide 11 with P0-3, P4-7 and P8-11 in m0, m1 and m2; Δ at two words in 1R giving the 1R-collision (Δ = 0); a limited Δ in 2R; in 3R, inverse computation with an exhaustive guess and a limited Δ.) • The number of possible patterns of Δ increases, but they are still detected by inverse computation.

  27. Password Recovery on Hybrid, 8-octet (Figure: the message-expansion table of slide 11 for P || C || pad, with P0-3 and P4-7 at the start and again after the challenge, before the padding; Δ at two words in 1R giving the 1R-collision (Δ = 0); a limited Δ in 2R; in 3R, inverse computation with an exhaustive guess of 32 bits and a limited Δ.)

  28. Conclusion • We propose practical password recovery attacks on the prefix and hybrid approaches using MD4.

  29. Recent Results • The number of queries can be reduced. • Use challenge quartets instead of challenge pairs. • For example, Prefix, 8-octet can be attacked with only 8 queries. Thank you for your attention!
