Password recovery on challenge and response: impossible differential attack on hash function

Authors:
Yu Sasaki;Lei Wang;Kazuo Ohta;Noboru Kunihiro
Affiliations:
NTT Information Sharing Platform Laboratories, NTT Corporation, Musashino-shi, Tokyo, Japan;The University of Electro-Communications, Chofu-shi, Tokyo, Japan;The University of Electro-Communications, Chofu-shi, Tokyo, Japan;University of Tokyo and The University of Electro-Communications, Chofu-shi, Tokyo, Japan
Venue:
AFRICACRYPT'08 Proceedings of the Cryptology in Africa 1st international conference on Progress in cryptology
Year:
2008

Citing 11
Cited 1

Message authentication with one-way hash functions

ACM SIGCOMM Computer Communication Review
The MD4 Message Digest Algorithm

CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
Password recovery attack on authentication protocol MD4(Password||Challenge)

Proceedings of the 2008 ACM symposium on Information, computer and communications security
On the security of two MAC algorithms

EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5

CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Efficient collision search attacks on SHA-0

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Finding collisions in the full SHA-1

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Cryptanalysis of the hash functions MD4 and RIPEMD

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Message freedom in MD4 and MD5 collisions: application to APOP

FSE'07 Proceedings of the 14th international conference on Fast Software Encryption

Slide Attacks on a Class of Hash Functions

ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology

Quantified Score

Hi-index	0.00

Visualization

Abstract

We propose practical password recovery attacks against two challenge-response authentication protocols using MD4. When a response is computed as MD4(Password||Challenge), passwords up to 12 characters are practically recovered. To recover up to 8 characters, we need 16 times the amount of eavesdropping and 16 times the number of queries, and the off-line complexity is less than 235 MD4 computations. To recover up to 12 characters, we need 210 times the amount of eavesdropping and 210 times the number of queries, and the off-line complexity is less than 240 MD4 computations.When a response is computed as MD4(Password||Challenge||Password), passwords up to 8 characters are practically recovered by 28 times the amount of eavesdropping and 28 times the number of queries, and the off-line complexity is less than 239 MD4 computations. Our approach is similar to the "Impossible differential attack", which was originally proposed for recovering the block cipher key. Good impossible differentials for hash functions are achieved by using local collision. This indicates that the presence of one practical local collision can damage the security of protocols.