WISTP'12 Proceedings of the 6th IFIP WG 11.2 international conference on Information Security Theory and Practice: security, privacy and trust in computing systems and ambient intelligent ecosystems
On the security of PPPoE network
Security and Communication Networks
Fast password recovery attack: application to APOP
Journal of Intelligent Manufacturing
Digest Access Authentication was originally proposed to provide peer authentication and data encryption in the HTTP protocol. It has been widely employed along with the deployment of SASL. In this paper, we implement a password recovery attack on Digest Access Authentication that can recover passwords as long as 48 characters with an overall off-line computation of about 2^{35} MD5 compressions and 8084 on-line queries. This confirms that the security of Digest Access Authentication is totally broken, and all applications based on it must be seriously re-evaluated. Further, we prove that the security of the hashing scheme H(C||P), where H is a hash function, C is a challenge and P is a shared password, depends entirely on the collision resistance of H rather than on its pre-image resistance. Such a scheme cannot be used in challenge-and-response protocols to protect the shared password. Finally, we prove that some hashing schemes like H(H(C||P)) provide no more security than H(C||P) with respect to collision resistance.
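The last claim of the abstract can be checked on a toy hash. This is an added example, not code from the paper: it assumes a deliberately weak H (SHA-256 truncated to 16 bits), a constructed password, and hypothetical function names, and shows that every pair of challenges colliding under H(C||P) also collides under H(H(C||P)), so nesting never reduces the number of collisions.

```python
import hashlib
from collections import Counter
from itertools import count

TRUNC_BYTES = 2  # assumption: 16-bit toy hash so collisions appear quickly


def H(data: bytes) -> bytes:
    """Toy hash standing in for a collision-weak H (not a real scheme)."""
    return hashlib.sha256(data).digest()[:TRUNC_BYTES]


def single(challenge: bytes, password: bytes) -> bytes:
    """The scheme H(C||P)."""
    return H(challenge + password)


def nested(challenge: bytes, password: bytes) -> bytes:
    """The scheme H(H(C||P))."""
    return H(H(challenge + password))


def find_colliding_challenges(password: bytes):
    """Return C1 != C2 with H(C1||P) == H(C2||P) (pigeonhole guarantees one)."""
    seen = {}
    for i in count():
        c = i.to_bytes(4, "big")
        d = single(c, password)
        if d in seen:
            return seen[d], c
        seen[d] = c


def colliding_pairs(scheme, password: bytes, n: int) -> int:
    """Count unordered challenge pairs among the first n that share a digest."""
    digests = Counter(scheme(i.to_bytes(4, "big"), password) for i in range(n))
    return sum(k * (k - 1) // 2 for k in digests.values())


def demo():
    password = b"constructed-sample-password"  # constructed sample value
    c1, c2 = find_colliding_challenges(password)
    return {
        "distinct": c1 != c2,
        "single_collides": single(c1, password) == single(c2, password),
        "nested_collides": nested(c1, password) == nested(c2, password),
        "pairs_single": colliding_pairs(single, password, 2000),
        "pairs_nested": colliding_pairs(nested, password, 2000),
    }


if __name__ == "__main__":
    print(demo())
```

The search here uses the password only to exhibit the propagation property on a toy hash; it does not model the paper's attack.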