  1. Practical key recovery attack against APOP, an MD5 based challenge response authentication. By Gaetan Leurent. Presented by: Raagi Sukhlecha, Lalit Agarwal. Guided by: Prof. Anish Mathuria.

  2. Outline
     • Introduction
     • APOP – What is APOP and how does it work?
     • MD-5 hashing algorithm
     • APOP Attack
     • Abstract
     • Wang's attack on MD-5
     • Algorithm by Gaëtan Leurent
     • APOP Attack complexity
     • APOP in practice

  3. What is APOP?
     • Improvement to POP3, which supported plain-text passwords.
     • APOP provides simple challenge-response authentication and avoids passive eavesdropping attacks.
     • It only does client authentication. No server authentication.
     [Diagram: the server sends msg-id; the client replies with id, MD-5(msg-id || passwd)]

  4. Example
     According to RFC 1939:
     1. The challenge should be enclosed within <> with exactly one @ in between.
     2. The remaining characters should be ASCII.
     3. Inside the message-id, all characters are accepted, except:
        1. 0x00 Null
        2. 0x3e Greater-than sign ('>')
        3. 0x0a Line feed
        4. 0x0d Carriage return
     [Diagram, three messages]
     1. Server: <11776027@pop.mail.com>
     2. Client: Alice, MD5('<171.11776027@pop.mail.com>penguin')
     3. Server: Mail box has 1 message
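
A client can enforce the challenge rules listed on this slide before it answers. The sketch below is an added example, not code from the presentation or from any mail client; the function names and the sample greeting are constructed for illustration, and the "+OK ... <challenge>" greeting layout is the one RFC 1939 uses.

```python
import hashlib

FORBIDDEN = {0x00, 0x3E, 0x0A, 0x0D}   # NUL, '>', LF, CR (slide 4)

def extract_challenge(greeting: bytes) -> bytes:
    """Return the <...> challenge from a '+OK ...' greeting, or raise ValueError."""
    if not greeting.startswith(b"+OK"):
        raise ValueError("not a positive greeting")
    start, end = greeting.find(b"<"), greeting.rfind(b">")
    if start < 0 or end < start:
        raise ValueError("no challenge in greeting")
    return greeting[start:end + 1]

def check_challenge(ch: bytes) -> None:
    """Enforce the slide-4 rules; raise ValueError on any violation."""
    if len(ch) < 3 or ch[:1] != b"<" or ch[-1:] != b">":
        raise ValueError("challenge not enclosed in <>")
    inner = ch[1:-1]
    if inner.count(b"@") != 1:
        raise ValueError("challenge needs exactly one @")
    for byte in inner:
        if byte > 0x7F or byte in FORBIDDEN:
            raise ValueError(f"byte 0x{byte:02x} not allowed in challenge")

def apop_command(user: str, password: bytes, greeting: bytes) -> bytes:
    """Build the APOP line: digest = MD5(challenge || password), hex encoded."""
    ch = extract_challenge(greeting.rstrip(b"\r\n"))
    check_challenge(ch)                      # refuse before hashing the password
    digest = hashlib.md5(ch + password).hexdigest()
    return b"APOP " + user.encode("ascii") + b" " + digest.encode("ascii") + b"\r\n"

if __name__ == "__main__":
    # Constructed greeting carrying the challenge string shown on the slide.
    print(apop_command("alice", b"penguin",
                       b"+OK POP3 server ready <171.11776027@pop.mail.com>\r\n"))
```

The password is only hashed after the challenge has passed every check, so a malformed challenge never produces a response.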

  5. MD-5 – Working
     • Hashing algorithm; uses the Merkle-Damgård construction
     • Message blocks of 512 bits and initialization vector IV of 128 bits.
     • Uses bitwise functions:
       • additions mod 2^32: +
       • Boolean functions: f_i
       • rotations: << s_i
     Consider a message M. After padding, M = b_0 | b_1 | b_2 … | b_n where |b_i| = 512 bits.
     g - compression function

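  6. MD-5 – Working (cont.)
     [Figure: the blocks b_0, b_1, b_2, …, b_n are fed one after another through the compression function g, starting from IV, with chaining values v_0, v_1, v_2, v_3, …, v_n; the output is h(m)]
     b_i = m_0 | m_1 | m_2 … | m_15 where |m_i| = 32 bits
     4 rounds of 16 steps = 64 steps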

  7. [Figure: the steps of one compression, grouped into rounds (Round 0 … Round 3); starting from IV = Q_-4, Q_-1, Q_-2, Q_-3, step i takes the message word selected by π(i) and outputs Q_i, shown for steps 0, 15, 16, 48 and 63; the result is v_1]
     Where IV is broken into four 32-bit words Q_-4, Q_-1, Q_-2, Q_-3.
     Q_i is the output of each step i (0 <= i <= 63).

  8. MD-5 – Working (cont.) - A MD-5 step where
     • s_i and K_i as predefined constant
     • π(i) is permutation applied to Ki input blocks
     • f_i as functions defined as π(i)

  9. Basic Equation
     If Q_i, Q_i+1, Q_i+2, Q_i+3 are known, then we can compute Q_i+4.
     Here we compute Q_10 from Q_6, Q_7, Q_8, Q_9 and m_10.

  10. Basic Equation
     If Q_i+1, Q_i+2, Q_i+3, Q_i+4 are known, then we can compute Q_i.
     Here we compute Q_6 from Q_7, Q_8, Q_9, Q_10 and m_10.

  11. Basic Equation
     If Q_i - Q_i-4 are known then we can compute m_i.
     Here we compute m_10 from Q_6 and Q_10.

  12. APOP Attack
     • Abstract
     • Wang's Attack
       • Wang's attack on MD-4 and MD-5
       • Problem with Wang's attack
     • Algorithm by Gaëtan Leurent
       • Message freedom
     • APOP Attack Complexity

  13. Abstract of the attack
     • Goal: to recover some characters of the client's password
     • Attacker impersonates server and sends crafted challenge
     [Diagram: the attacker in the place of the server]

  14. Abstract of the attack (cont.)
     • Attacker sends challenges in such a way that the hashed responses will collide if the part of the password was rightly guessed
     [Diagram: the attacker sends c and receives id, MD-5(c || passwd); the attacker sends c′ and receives id, MD-5(c′ || passwd)]

  15. Attack
     Challenges: C = <?????...??> and C′ = </////...//>
     M (Block 1, Block 2) = <?????????...........@ ………..????????????> x
     M′ (Block 1, Block 2) = <///////……………@ …………..………../////////> x
     H(M) = H(M′)
     R = MD-5( <?????????...........@ ………..????????????> p_0 p_1 p_2 p_3 … pad )
     R′ = MD-5( <///////……………@ …………..………../////////> p_0 p_1 p_2 p_3 … pad )
     R and R′ are equal if p_0 = x.
     To test the first password character, the attacker will construct pairs to test each of the 256 ASCII values.
     Note: the collision is unlikely if p_0 != x.

  16. Attack (cont.)
     Challenges: C = <???....?> and C′ = <///...//>
     M (Block 1, Block 2) = <?????????...........@ ………..???????????> p_0 y
     M′ (Block 1, Block 2) = <///////……………@ …………..………..//////> p_0 y
     H(M) = H(M′)
     R = MD-5( <?????????...........@ ………..????????????> p_0 p_1 p_2 p_3 … pad )
     R′ = MD-5( <///////……………@ …………..………..//////> p_0 p_1 p_2 p_3 … pad )
     Both hashes collide if p_1 = y.
     To test the second password character, pairs to test 256 ASCII values have to be constructed.

  17. Questions
     • How can we fix the last message word?
     • Does that mean that we can recover the entire message? If not, how many characters can we recover?
     • What will be the time complexity of it?
     • Can APOP still be used?
     • APOP being an offline protocol, is this attack meaningful?

  18. Wang's Attack
     • In 2004, Xiaoyun Wang published an MD5 collision. Did not reveal anything about the attack.
     • Determined two 1024-bit messages M′ = (M′_0, M′_1) and M = (M_0, M_1), where M′_0, M′_1, M_0, M_1 are each 512-bit blocks, so that the MD5 hashes of the two messages are the same.
     • Reverse engineering revealed many aspects of the attack; improvements in the attack.

  19. Wang's Attack
     Modular difference, Δy
     Consider bytes y′ = 00010101 and y = 00000101, z′ = 00100101 and z = 00010101.
     Note that y′ − y = z′ − z = 00010000 = 2^4.
     Then wrt modular subtraction, these pairs are indistinguishable.
     Signed difference, Δy = y′ − y
     Denote y′_i = 1, y_i = 0 as "+"
     Denote y′_i = 0, y_i = 1 as "−"
     Denote y′_i = y_i as "."
     Consider bytes z′ = 10100101 and z = 10010101. Then Δz is "..+−....".
     It is more restrictive than modular subtraction.

  20. Wang's Attack
     • Step 1: Specify Input Differential Pattern
       ▪ Applies to input M and M′.
       ▪ Uses modular difference.
       ▪ ΔM_0 = M′_0 − M_0 = (0,0,0,0,2^31,0,0,0,0,0,0,2^15,0,0,2^31,0)
       ▪ ΔM_1 = M′_1 − M_1 = (0,0,0,0,2^31,0,0,0,0,0,0,−2^15,0,0,2^31,0)
     • Note: M′_0 and M_0 differ only in words 4, 11 and 14
     • Note: M′_1 and M_1 differ only in words 4, 11 and 14
       ▪ Now, we only need to find M. Then M′ can be determined by the differential:
         M′_0 = M_0 + ΔM_0 and M′_1 = M_1 + ΔM_1

  21. Wang’s Attack Identical MD5 value: 79054025255fb1a26e4bc422aef54eb4

  22. Wang's Attack
     • Step 2: Specify Output Differential Pattern
       ▪ Applies to intermediate values, Q′_i and Q_i
       ▪ Uses signed difference. Hence very restrictive.
       ▪ Most mysterious part of the attack.
     [Table of the differential pattern; its columns are:]
     • j determines the step number
     • Q_i are outputs for M_0
     • ΔW_j are input (modular) differences
     • Δ Output is output modular difference
     • ∇ Output is output signed ("precise") difference

  23. Wang’s Attack • Step 3: Derive a set of sufficient conditions

  24. Wang's Attack
     • Step 4: Find a set of messages which satisfy all the conditions in step 3.
       ▪ Generate random 512-bit M_0
       ▪ Modify the message so that all the conditions hold.
       ▪ Follow a similar procedure to find M_1
     Compute M′_0 and M′_1 using
       ▪ M′_0 = M_0 + ΔM_0 and M′_1 = M_1 + ΔM_1
     Now H(M) = H(M′)

  25. Wang's Approach to satisfy conditions in the first round: Message Modification
     • Select a message m_i
     • Compute the corresponding Q_i
     • Modify Q_i to satisfy the conditions. Recompute m_i

  31. Wang's Approach to satisfy conditions in the second round: Multi Message Modification
     • Compute Q_i.
     • Modify Q_i and recompute m_i
     • Recompute Q_i's and m_i's in the first round.
