Security of MD5 Challenge and Response: Extension of APOP Password Recovery Attack

In this paper, we propose an extension of the APOP attack that recovers the first 31 characters of an APOP password in practical time, and theoretically recovers 61 characters. We have implemented our attack and confirmed that 31 characters can be successfully recovered. Therefore, the security of APOP is completely broken. The core of our new technique is finding MD5 collisions that are more suitable for recovering APOP passwords. These collisions are constructed by employing the collision attack of den Boer and Bosselaers and by developing a new technique named "IV Bridge", which is an important step in satisfying the basic requirements of the collision-finding phase. We show that this "IV Bridge" can also be constructed efficiently.
