Message authentication with one-way hash functions
ACM SIGCOMM Computer Communication Review
The MD4 Message Digest Algorithm
CRYPTO '90 Proceedings of the 10th Annual International Cryptology Conference on Advances in Cryptology
Password recovery attack on authentication protocol MD4(Password||Challenge)
Proceedings of the 2008 ACM symposium on Information, computer and communications security
On the security of two MAC algorithms
EUROCRYPT'96 Proceedings of the 15th annual international conference on Theory and application of cryptographic techniques
Full key-recovery attacks on HMAC/NMAC-MD4 and NMAC-MD5
CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions
ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
Efficient collision search attacks on SHA-0
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Finding collisions in the full SHA-1
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Cryptanalysis of the hash functions MD4 and RIPEMD
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
How to break MD5 and other hash functions
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Message freedom in MD4 and MD5 collisions: application to APOP
FSE'07 Proceedings of the 14th international conference on Fast Software Encryption
Slide Attacks on a Class of Hash Functions
ASIACRYPT '08 Proceedings of the 14th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Hi-index | 0.00 |
We propose practical password recovery attacks against two challenge-response authentication protocols using MD4. When a response is computed as MD4(Password||Challenge), passwords up to 12 characters are practically recovered. To recover up to 8 characters, we need 16 times the amount of eavesdropping and 16 times the number of queries, and the off-line complexity is less than 235 MD4 computations. To recover up to 12 characters, we need 210 times the amount of eavesdropping and 210 times the number of queries, and the off-line complexity is less than 240 MD4 computations.When a response is computed as MD4(Password||Challenge||Password), passwords up to 8 characters are practically recovered by 28 times the amount of eavesdropping and 28 times the number of queries, and the off-line complexity is less than 239 MD4 computations. Our approach is similar to the "Impossible differential attack", which was originally proposed for recovering the block cipher key. Good impossible differentials for hash functions are achieved by using local collision. This indicates that the presence of one practical local collision can damage the security of protocols.