Page 1: Title

Africacrypt 2008

Security of Challenge and Response
Impossible Differential Attack on Hash Functions

Yu Sasaki 1, Lei Wang 2, Kazuo Ohta 2, Noboru Kunihiro 2
1: NTT Information Platform Laboratories, NTT Corporation
2: The University of Electro-Communications

Page 2: Contents

• Background and our results
• How to recover a password?
• Basic idea
• Overview of our improvement
• Details of our attack
• Recent results

Page 3: Motivation

Analyze the security of hash-based challenge/response password authentication.

[Figure: Server (password: P) sends Challenge C to Client (password: P). Client computes R = Hash(C, P) and returns Response R. Server computes R by itself; if (=), authenticate.]

Classical schemes are still used.
Are they practically secure?

Page 4: Classification of Schemes

• Suffix approach: R = Hash(C || P)
  - used in APOP (e-mail fetching protocol)
• Prefix approach: R = Hash(P || C)
  - used in CHAP (challenge handshake protocol)
• Hybrid approach: R = Hash(P || C || P)
  - proposed by Tsudik in 1992

Page 5: Attack Model

• We consider the adaptive chosen challenge attack.

[Figure: Attacker sends chosen challenge C' to Client (password: P); Client returns Response R' = Hash(C', P). Goal of the attacker: recover the password.]

• This situation can be practically achieved by hijacking routers, and so on.
• An attack with a practical number of queries is a critical issue for protocols.

Page 6: Known Results

                            Prefix                      Suffix                    Hybrid
Theoretical (general hash)  [PO96]                      -                         [PO96]
Theoretical (MD4 or MD5)    [CY06] 2^61, [WOK08] 2^37   -                         [CY06] 2^61
Practical (MD4 or MD5)      -                           [L07] [SYA07] [SWOK08]    -

Page 7: Our Results

                            Prefix                                 Suffix                    Hybrid
Theoretical (general hash)  [PO96]                                 -                         [PO96]
Theoretical (MD4 or MD5)    [CY06] 2^61, [WOK08] 2^37              -                         [CY06] 2^61
Practical (MD4 or MD5)      New!! (8-octet) 2^4, (12-octet) 2^10   [L07] [SYA07] [SWOK08]    New!! (8-octet) 2^8

Main target of this presentation: the new practical attacks on Prefix and Hybrid.

Page 8: How to Recover a Password?

• Introduction of MD4
• Basic idea
• Previous approach
• Our approach

Page 9: Introduction of MD4 (Merkle-Damgard Structure)

[Figure: Input M -> padding (100...00 || Len) -> M* -> divide into (M0, M1, ..., Mn-1), each block 512 bits.
 IV = H0 -> CF(H0, M0) = H1 -> CF(H1, M1) = H2 -> ... -> CF(Hn-1, Mn-1) = Hn, each Hi 128 bits.
 For the response, the last block is (P || C) with padding: CF(Hn-1, P || C || pad) = R.]

Our attacks need to know R and Hn-1, so |(P || C)| must be 1 block; then Hn-1 = IV.

Page 10: MD4 Compression Function

Input message Mi (512-bit) = P || C || Pad, divided into (m0, m1, ..., m15), |mi| = 32.
If |P| = 8-octet: P -> m0, m1; C -> m2, ..., m12; Pad -> m13, m14, m15.

IV = (a0, b0, c0, d0)
Step 1:  (a0, b0, c0, d0)     --[m_π(0), <<<s, f]-->  (a1, b1, c1, d1)
...
Step 48: (a47, b47, c47, d47) --[m_π(47), <<<s, f]--> (a48, b48, c48, d48) -> Hn

Steps 1-16: 1st Round
Steps 17-32: 2nd Round
Steps 33-48: 3rd Round

Page 11: MD4 Message Expansion

Round (steps)       index π(i) of the message word used at each step, in order
1R  π(0)..π(15)     0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
2R  π(16)..π(31)    0  4  8 12  1  5  9 13  2  6 10 14  3  7 11 15
3R  π(32)..π(47)    0  8  4 12  2 10  6 14  1  9  5 13  3 11  7 15

• m0 to m15 are used in this order.
• Each mi is 32-bit, 4-octet.
• If |P| = 8-octet: only m0 (= P0-3) and m1 (= P4-7) are unknown; each enters once per round.
  m2 to m15 are known to an attacker.

Page 12: Basic Idea (1/2)

• Ask C and obtain R.
  R = MD4(P || C):   (IV, (P || C || pad))  -> 1R -> 2R -> 3R -> R
• Ask C' and obtain R'.
  R' = MD4(P || C'): (IV, (P || C' || pad)) -> 1R -> 2R -> 3R -> R'
  (input difference ΔC, output difference ΔR)

Expect the two computations to follow some differential path.

Page 13: Basic Idea (2/2)

• If (P || C) and (P || C') follow a differential path, the attacker can learn information on a part of P.

Remaining tasks
1. How to find a good differential path?
2. How to detect that (P || C) and (P || C') follow the path?
   (Only R and R' can be observed.)

Page 14: Previous work 1 [CY06]

[Figure: R = MD4(P || C) and R' = MD4(P || C'), input difference ΔC, and ΔR = 0 (full collision after 3R).]

A randomly chosen pair collides with probability 2^-61.
Detection is easy: just compare R and R'.
Additional 2^45 queries are necessary to recover P.

Page 15: Previous work 2 [WOK08]

[Figure: R = MD4(P || C) and R' = MD4(P || C'), input difference ΔC, Δ = 0 after 2R (2R-collision), ΔR = random.]

A randomly chosen pair collides until 2R with prob. 2^-37.
How to detect a 2R-collision?
Additional 2^34 queries are necessary to recover P.

Page 16: Previous work 2 (detect 2R-collision)

(message-expansion table of Page 11, with the positions of m0 = P0-3 and m1 = P4-7 in each round marked)

• Remember, m2 to m15 are known to the attacker.
• Δm is inserted into m9, m11, and m13.
• 2R-collision: Δ = 0 after 2R, and the collision is preserved in 3R until a word carrying Δm is used.
• Inversely compute the last 7 steps, and detect a collision.

Page 17: Our Idea

[Figure: R = MD4(P || C) and R' = MD4(P || C'), input difference ΔC, Δ = 0 after 1R (1R-collision), ΔR = random.]

A random pair collides with probability 2^-4.
Detect a 1R-collision similarly to the key-recovery approach of the Impossible Differential Attack.

Page 18: Our Idea (detect 1R-collision)

(message-expansion table of Page 11, with the positions of m0 = P0-3 and m1 = P4-7 in each round marked)

• Δm is inserted into m7, m11.
• 1R-collision: Δ = 0 after 1R; the possible differences in 2R are limited.
• From R, inversely compute 3R; during the inverse computation, exhaustively guess m1.

Page 19: Overall Procedure

[Figure: the computations of R and R' side by side.
 1R: from IV; m0 = P0-3 and m1 = P4-7 enter; Δm in m7 and Δm in m11 make a local collision (Pr = 2^-4) -> no difference at the end of 1R.
 2R: no difference until Δm7 and Δm11 enter in late steps -> the possible difference is very limited.
 3R: m0 = P0-3 and m1 = P4-7 enter again -> R, R'.]

Inverse computation from R, R': a wrong guess reaches an impossible difference.

Page 20: Details of our attack

1. Recovering password length
2. Constructing differential path
3. Detecting a 1R-collision

Page 21: Password Length Recovery on MD Structure [WOK08]

[Figure: CF(IV, P || C || Pad1_L) = R1;  CF(R1, x || Pad2_L) = R2.]

Attacker -> Client: C                   Client -> Attacker: R1
Attacker -> Client: C || Pad1_L || x    Client -> Attacker: R2

Guess the password length L. Then, Pad1_L is determined.
If the guess is right, x starts from the initial bit of the 2nd block.
Therefore, CF(R1, x || Pad2_L) = R2.
Each guess is confirmed by one query.
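The length check of Page 21 carried through in code, as an added example that is not part of the deck or of the authors' implementation: a pure-Python MD4 (compression function, padding, continuation from a known chaining value), a constructed prefix-mode client holding a demo 8-octet password, and the one-query-per-guess test of whether CF(R1, x || Pad2_L) equals R2. The client, the password and the challenge string are constructed for the demonstration.

```python
import struct

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # MD4 initial value H0
ROUNDS = (  # per round: Boolean function f, constant, word order pi, shifts (RFC 1320)
    (lambda x, y, z: (x & y) | (~x & MASK & z), 0x00000000,
     tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def md4_cf(state, block):
    """MD4 compression function CF(H_{i-1}, M_i): 3 rounds x 16 steps."""
    a, b, c, d = state
    m = struct.unpack('<16I', block)                     # m0 .. m15, 32 bits each
    for f, k, order, shifts in ROUNDS:
        for step, idx in enumerate(order):
            a = _rotl((a + f(b, c, d) + m[idx] + k) & MASK, shifts[step % 4])
            a, b, c, d = d, a, b, c                      # rotate registers
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))

def md4_pad(total_len):
    """MD-strengthening padding for total_len octets: 0x80, zeros, 64-bit length."""
    return b'\x80' + b'\x00' * ((55 - total_len) % 64) + struct.pack('<Q', 8 * total_len)

def md4(msg, state=IV, prior_len=0):
    """MD4(msg); with state/prior_len it continues from a known chaining value."""
    data = msg + md4_pad(prior_len + len(msg))
    for i in range(0, len(data), 64):
        state = md4_cf(state, data[i:i + 64])
    return struct.pack('<4I', *state)

def recover_password_length(respond, C, x=b'x', max_len=64):
    """Page-21 check: guess L, ask C||Pad1_L||x, test R2 == CF(R1, x||Pad2_L); one query per guess."""
    R1 = respond(C)                                      # R1 = Hash(P || C)
    for L in range(1, max_len + 1):
        pad1 = md4_pad(L + len(C))                       # Pad1_L for this guess
        R2 = respond(C + pad1 + x)
        if R2 == md4(x, struct.unpack('<4I', R1), L + len(C) + len(pad1)):
            return L                                     # only the true L aligns x to block 2
    return None

PASSWORD = b'pa55w0rd'                                   # constructed 8-octet demo password
def client(challenge):                                   # constructed prefix-mode client
    return md4(PASSWORD + challenge)                     # R = MD4(P || C)
```

The check needs nothing but R1 and the Merkle-Damgard padding rule, which is why a reviewer should flag any R = Hash(P || C) design built on an unkeyed MD-structure hash; an HMAC-style response exposes no chaining value to continue from.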

Page 22: Local collision of MD4

[Figure: steps i to i+4 of the 1st round, registers (ai, bi, ci, di) through (ai+6, bi+6, ci+6, di+6), message words m_π(i), ..., m_π(i+4) with <<<s and f. The difference 2^j in m_π(i) enters at step i, each of the four following transitions holds with probability 2^-1, and the difference 2^{j+s} in m_π(i+4) cancels it.]

• In the 1R of MD4, Δm_π(i) = 2^j and Δm_π(i+4) = 2^{j+s} form a local collision for any message pair with Pr. = 2^-4.
• Choose i so that m_π(i) and m_π(i+4) appear in late steps of the 2R.

(message-expansion table of Page 11)

Page 23: Detecting a 1R-collision (1/2)

[Figure: step i maps (ai, bi, ci, di) to (ai+1, bi+1, ci+1, di+1) using m0 (a password word, the same in both computations, so Δm0 = 0), <<<s and f. (ai+1, bi+1, ci+1, di+1) are known, hence bi, ci, di are known.]

• Step function is invertible.
• By inverse computation for step i, the following can be computed:
    bi
    ci = bi-1
    di = ci-1 = bi-2
    ai = di-1 = ci-2 = bi-3
• Moreover, even if the message word is the password, Δ of ai = bi-3 can be computed.

Page 24: Detecting a 1R-collision (2/2)

(message-expansion table of Page 11: Δm7 = 2^j and Δm11 = 2^{j+s} form the local collision in 1R (Pr. 2^-4) and re-enter in late steps of 2R; m1 in 3R is guessed exhaustively)

If the pair is a 1R-collision, the states stay equal until Δm7 enters, and Δm7 = 2^j then gives:
    Δb28 = 0
    Δb29 = 2^{j+s}
From the inverse computation (with the exhaustive guess of m1) we obtain:
    Δa31 = Δd30 = Δc29 = Δb28
    Δb31
    Δc31 = Δb30
    Δd31 = Δc30 = Δb29
• Collision is detected by comparing Δb29 and Δb28.

Page 25: Attack Complexity

• To obtain a local collision, we need 2^4 challenge pairs.
• For each pair, we exhaustively guess m1, so try 2^32 values.
• For each guess, we inversely compute Steps 38 to 31, 8/48 steps.
• Total complexity is 2 × 2^4 × 2^32 × (8/48) ≤ 2^35 MD4 computations.

Remark:
If (P || C) and (P || C') do not collide, they satisfy Δb28 = 0, Δb29 = 2^{j+s} with prob. 2^-64, which is very low compared to the 2^35 trials.

Page 26: Password Recovery on Prefix, 12-octet

(message-expansion table of Page 11, with the positions of m0 = P0-3, m1 = P4-7 and m2 = P8-11 in each round marked)

• With a 12-octet password, m0, m1 and m2 are unknown.
• The possible patterns of Δ are increased, but a 1R-collision (Δ = 0 after 1R) is still detected by inverse computation with the exhaustive guess; the differences reached in 2R remain limited.

Page 27: Password Recovery on Hybrid, 8-octet

(message-expansion table of Page 11; in the hybrid scheme the block is P || Challenge || P || Padding, so P0-3 and P4-7 occupy m0, m1 and also the two words between the challenge and the padding, and are marked at both positions in each round)

• 1R-collision: Δ = 0 after 1R; the possible differences in 2R are limited.
• Inversely compute 3R with an exhaustive guess (32 bits).

Page 28: Conclusion

We propose practical password recovery attacks on prefix and hybrid using MD4.

Attack target      Queries   Off-line complexity
Prefix, 8-octet    2^4       2^35
Prefix, 12-octet   2^10      2^40
Hybrid, 8-octet    2^8       2^39

Page 29: Recent Results

The number of queries can be reduced: use challenge-quartets instead of challenge-pairs.
For example, Prefix, 8-octet can be attacked with only 8 queries.

Thank you for your attention!!

