
Practical key recovery attack against APOP, an MD5 based challenge response authentication



  1. Practical key recovery attack against APOP, an MD5 based challenge response authentication. By Gaëtan Leurent. Presented by: Raagi Sukhlecha, Lalit Agarwal. Guided by: Prof. Anish Mathuria.

  2. Outline
     • Introduction
     • APOP – What is APOP and how does it work?
     • MD-5 hashing algorithm
     • APOP Attack
     • Abstract
     • Wang’s attack on MD-5
     • Algorithm by Gaëtan Leurent
     • APOP Attack complexity
     • APOP in practice

  3. What is APOP?
     • Improvement to POP3, which supported plain-text passwords
     • APOP provides simple challenge-response authentication and avoids passive eavesdropping attacks.
     • It only does client authentication. No server authentication.
     [Diagram: the server sends msg-id; the client replies with id, MD-5(msg-id || passwd)]

  4. Example
     According to RFC 1939:
     1. The challenge should be enclosed within <> with exactly one @ in between.
     2. The remaining characters should be ASCII.
     3. Inside the message-id, all characters are accepted, except:
        1. 0x00 Null
        2. 0x3e Greater-than sign (‘>’)
        3. 0x0a Line feed
        4. 0x0d Carriage return
     Exchange:
     1. Server: <11776027@pop.mail.com>
     2. Client: Alice, MD5(‘<171.11776027@pop.mail.com>penguin’)
     3. Server: Mail box has 1 message
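A client can apply the three rules on this slide before it answers a challenge. The sketch below is an added example, not part of the presentation: `challenge_ok` and `apop_response` are hypothetical names, the `APOP name digest` reply line is the command format RFC 1939 defines, and the inputs are the slide's sample challenge and password plus three constructed malformed challenges.

```python
import hashlib

# Bytes the slide lists as not accepted inside the message-id.
FORBIDDEN = {0x00, 0x3E, 0x0A, 0x0D}  # NUL, '>', LF, CR

def challenge_ok(challenge: bytes) -> bool:
    """Apply the slide's three rules to a server challenge."""
    if len(challenge) < 3 or not (challenge.startswith(b"<") and challenge.endswith(b">")):
        return False
    inner = challenge[1:-1]
    if inner.count(b"@") != 1:  # rule 1: exactly one '@' between '<' and '>'
        return False
    # rules 2 and 3: 7-bit ASCII only, and none of the excluded bytes
    return all(b < 0x80 and b not in FORBIDDEN for b in inner)

def apop_response(user: str, challenge: bytes, password: bytes) -> str:
    """Build the client's reply: id, MD5(msg-id || passwd) as lowercase hex."""
    if not challenge_ok(challenge):
        raise ValueError("challenge violates the message-id rules; refusing to answer")
    return f"APOP {user} {hashlib.md5(challenge + password).hexdigest()}"

# Constructed inputs: the slide's challenge, then three malformed variants.
GOOD = b"<171.11776027@pop.mail.com>"
BAD = [
    b"<171.11776027@pop.mail.com\xe9>",  # non-ASCII byte
    b"<171@11776027@pop.mail.com>",      # two '@'
    b"<171.11776027@pop\x0d.mail.com>",  # carriage return inside
]

if __name__ == "__main__":
    print(apop_response("Alice", GOOD, b"penguin"))
    for c in BAD:
        print(c, challenge_ok(c))
```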

  5. MD-5 – Working
     • Hashing algorithm; uses the Merkle–Damgård construction
     • Message blocks of 512 bits and initialization vector IV of 128 bits.
     • Uses bitwise functions
       - Additions mod 2^32: +
       - Boolean functions: f_i
       - Rotations: << s_i
     Consider a message M: after padding, M is split into blocks b_0 | b_1 | b_2 | … | b_n where |b_i| = 512 bits. g is the compression function.

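  6. MD-5 – Working (cont.)
     [Figure: chain of compression functions g taking the IV and the blocks b_0, b_1, b_2, …, b_n through the chaining values v_0, v_1, v_2, v_3, …, v_n to h(m)]
     b_i = m_0 | m_1 | m_2 | … | m_15 where |m_i| = 32 bits
     4 rounds of 16 steps = 64 steps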

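  7. [Figure: the steps of one compression function call, grouped into rounds (Round 0 … Round 3); each step i is labelled with its input π(i) and its output Q_i, from step 0 (π(0), Q_0) through steps 15, 16 and 48 to step 63 (π(63), Q_63), ending in v_1]
     The IV is broken into four 32-bit words: IV = Q_-4, Q_-1, Q_-2, Q_-3.
     Q_i is the output of each step i (0 <= i <= 63).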

  8. MD-5 – Working (cont.) - An MD-5 step, where
     • s_i and K_i are predefined constants
     • π(i) is permutation applied to Ki input blocks
     • f_i as functions defined as ᴨ(i)

  9. Basic Equation: If Q_i, Q_{i+1}, Q_{i+2}, Q_{i+3} are known, then we can compute Q_{i+4}. Here we compute Q_10 from Q_6, Q_7, Q_8, Q_9 and m_10.

  10. Basic Equation: If Q_{i+1}, Q_{i+2}, Q_{i+3}, Q_{i+4} are known, then we can compute Q_i. Here we compute Q_6 from Q_7, Q_8, Q_9, Q_10 and m_10.

  11. Basic Equation: If Q_i - Q_{i-4} are known, then we can compute m_i. Here we compute m_10 from Q_6 and Q_10.
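The three "Basic Equation" slides as runnable code, an added example that is not part of the presentation. It uses the standard MD5 step from RFC 1321 written in the slides' notation, Q_i = Q_{i-1} + ((Q_{i-4} + f_i(Q_{i-1}, Q_{i-2}, Q_{i-3}) + m_π(i) + K_i) <<< s_i); all function names are hypothetical and the code handles a single 64-byte block only.

```python
import math
import struct

MASK = 0xFFFFFFFF
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # registers A, B, C, D

def rol(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK

def pi(i):
    """Index of the message word consumed by step i."""
    return (i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16)[i // 16]

def f(i, x, y, z):
    """Round function f_i applied to (Q[i-1], Q[i-2], Q[i-3])."""
    nx, nz = ~x & MASK, ~z & MASK
    return [(x & y) | (nx & z), (x & z) | (y & nz), x ^ y ^ z, y ^ (x | nz)][i // 16]

def step(i, q4, q3, q2, q1, m):
    """Slide 9: Q[i] from Q[i-4], Q[i-3], Q[i-2], Q[i-1] and the message word."""
    return (q1 + rol((q4 + f(i, q1, q2, q3) + m + K[i]) & MASK, S[i])) & MASK

def step_back(i, q3, q2, q1, q0, m):
    """Slide 10: Q[i-4] from Q[i-3], Q[i-2], Q[i-1], Q[i] and the message word."""
    return (rol((q0 - q1) & MASK, 32 - S[i]) - f(i, q1, q2, q3) - m - K[i]) & MASK

def recover_word(i, q4, q3, q2, q1, q0):
    """Slide 11: the message word used at step i, from Q[i-4] .. Q[i]."""
    return (rol((q0 - q1) & MASK, 32 - S[i]) - q4 - f(i, q1, q2, q3) - K[i]) & MASK

def pad(msg):
    """MD5 padding for a message of at most 55 bytes (exactly one block)."""
    return msg + b"\x80" + bytes(55 - len(msg)) + struct.pack("<Q", 8 * len(msg))

def states(block):
    """Return (m, q) for one 64-byte block, where q[i + 4] holds Q[i]."""
    m = struct.unpack("<16I", block)
    q = [IV[0], IV[3], IV[2], IV[1]]  # Q[-4], Q[-3], Q[-2], Q[-1]
    for i in range(64):
        q.append(step(i, q[i], q[i + 1], q[i + 2], q[i + 3], m[pi(i)]))
    return m, q

def digest(block):
    """MD5 of a single padded block: IV plus the last four step outputs."""
    _, q = states(block)
    out = [(v + w) & MASK for v, w in zip(IV, (q[64], q[67], q[66], q[65]))]
    return struct.pack("<4I", *out)
```

With `m, q = states(pad(msg))`, the slides' case is `step(10, q[10], q[11], q[12], q[13], m[10]) == q[14]`, that is, Q_10 from Q_6 … Q_9 and m_10.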

  12. APOP Attack
      • Abstract
      • Wang’s Attack
        - Wang’s attack on MD-4 and MD-5
        - Problem with Wang’s attack
      • Algorithm by Gaëtan Leurent
        - Message freedom
      • APOP Attack Complexity

  13. Abstract of the attack
      • Goal: To recover some characters of the client’s password
      • Attacker impersonates server and sends crafted challenge
      [Figure: Server, Attacker]

  14. Abstract of the attack (cont.)
      • Attacker sends challenges in such a way that hashed responses will collide if the part of the password was rightly guessed
      [Diagram: the attacker sends c and the client replies with id, MD-5(c || passwd); the attacker sends c' and the client replies with id, MD-5(c' || passwd)]

  15. Attack
      [Diagram, Block 1 | Block 2]
      Challenges: C = <?????...??> and C' = </////...//>
      Messages: M = <?????????...........@ | ………..????????????>x and M' = <///////……………@ | …………..………../////////>x, with H(M) = H(M')
      Responses: R = MD-5(<?????????...........@ | ………..????????????> p_0 p_1 p_2 p_3 … pad) and R' = MD-5(<///////……………@ | …………..………../////////> p_0 p_1 p_2 p_3 … pad)
      R and R' are equal if p_0 = x.
      To test the first password character, the attacker will construct pairs to test each of the 256 ASCII values.
      Note: The collision is unlikely if p_0 != x.

  16. Attack (cont.)
      [Diagram, Block 1 | Block 2]
      Challenges: C = <???....?> and C' = <///...//>
      Messages: M = <?????????...........@ | ………..???????????>p_0 y and M' = <///////……………@ | …………..………..//////>p_0 y, with H(M) = H(M')
      Responses: R = MD-5(<?????????...........@ | ………..????????????> p_0 p_1 p_2 p_3 … pad) and R' = MD-5(<///////……………@ | …………..………..//////> p_0 p_1 p_2 p_3 … pad)
      Both hashes collide if p_1 = y.
      To test the second password character, pairs to test 256 ASCII values have to be constructed.

  17. Questions?
      • How can we fix the last message word?
      • Does that mean that we can recover the entire message? If not, how many characters can we recover?
      • What will be the time complexity of it?
      • Can APOP still be used?
      • APOP being an offline protocol, is this attack meaningful?

  18. Wang’s Attack
      • In 2004, Xiaoyun Wang published an MD5 collision. Did not reveal anything about the attack.
      • Determined two 1024-bit messages M' = (M'_0, M'_1) and M = (M_0, M_1), where M'_0, M'_1, M_0, M_1 are each 512-bit blocks, so that the MD5 hashes of the two messages are the same
      • Reverse engineering revealed many aspects of the attack; improvements in the attack

  19. Wang’s Attack
      Modular difference, Δy
      • Consider bytes y' = 00010101 and y = 00000101, z' = 00100101 and z = 00010101
      • Note that y' - y = z' - z = 00010000 = 2^4
      • Then with respect to modular subtraction, these pairs are indistinguishable.
      Signed difference, ∇y = y' - y
      • Denote y'_i = 1, y_i = 0 as “+”
      • Denote y'_i = 0, y_i = 1 as “-”
      • Denote y'_i = y_i as “.”
      • Consider bytes z' = 10100101 and z = 10010101. Then ∇z is “..+-....”
      • It is more restrictive than modular subtraction.

  20. Wang’s Attack
      • Step 1: Specify Input Differential Pattern
        - Applies to input M and M'.
        - Uses modular difference.
        - ΔM_0 = M'_0 - M_0 = (0,0,0,0,2^31,0,0,0,0,0,0,2^15,0,0,2^31,0)
        - ΔM_1 = M'_1 - M_1 = (0,0,0,0,2^31,0,0,0,0,0,0,-2^15,0,0,2^31,0)
      • Note: M'_0 and M_0 differ only in words 4, 11 and 14
      • Note: M'_1 and M_1 differ only in words 4, 11 and 14
      • Now, we only need to find M. Then M' can be determined by the differential: M'_0 = M_0 + ΔM_0 and M'_1 = M_1 + ΔM_1

  21. Wang’s Attack Identical MD5 value: 79054025255fb1a26e4bc422aef54eb4

  22. Wang’s Attack
      • Step 2: Specify Output Differential Pattern
        - Applies to intermediate values, Q'_i and Q_i
        - Uses signed difference. Hence very restrictive.
        - Most mysterious part of the attack.
      • j determines the step number
      • Q_i are outputs for M_0
      • ΔW_j are input (modular) differences
      • ΔOutput is output modular difference
      • ∇Output is output signed (“precise”) difference

  23. Wang’s Attack • Step 3: Derive a set of sufficient conditions

  24. Wang’s Attack
      • Step 4: Find a set of messages which satisfy all the conditions in step 3.
        - Generate random 512-bit M_0
        - Modify the message so that all the conditions hold.
        - Follow similar procedure to find M_1
      • Compute M'_0 and M'_1 using M'_0 = M_0 + ΔM_0 and M'_1 = M_1 + ΔM_1
      • Now H(M) = H(M')

  25. Wang’s Approach to satisfy conditions in the first round: Message Modification
      • Select a message m_i
      • Compute the corresponding Q_i
      • Modify Q_i to satisfy the conditions. Recompute m_i

  31. Wang’s Approach to satisfy conditions in the second round: Multi Message Modification
      • Compute Q_i.
      • Modify Q_i and recompute m_i
      • Recompute Q_i’s and m_i’s in the first round.

