Re: Insecure Hash Algorithms (MD5) and NTLMv2

From: Steve Friedl (steve@unixwiz.net)
Date: Wed Nov 02 2005 - 01:54:49 EST

• Next message: Cedric Blancher: "Re: Sniffing on a switch"
• Previous message: Frank: "Overpaying? :("
• In reply to: Daniel Miessler: "Re: Insecure Hash Algorithms (MD5) and NTLMv2"
• Next in thread: Daniel Miessler: "Re: Insecure Hash Algorithms (MD5) and NTLMv2"
• Reply: Daniel Miessler: "Re: Insecure Hash Algorithms (MD5) and NTLMv2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Wed, Nov 02, 2005 at 12:43:13AM -0500, Daniel Miessler wrote:
> Hmm, yes, there are plenty of examples like the ones you've
> highlighted, but they all have something in common -- the input AND
> the output are known (chosen plaintext?)

There are three aspects at play here:

1) Collision resistance; How hard is it to create two inputs which
   produce the same hash?

   This is the lowest bar to achieve: if you control both inputs, you can
   dicker with one or the other or both until they both converge.

   Exploit: create two similar documents, get me to sign one, then trade
   it for the other one. Now I "agreed" to one I haven't read.

   Counter: make a trivial, cosmetic change to any document you sign.

2) Preimage resistance; produce an input which produces a particular
   hash when you have no access to the original input.

   Exploit: given a password hash, find a word which produces it.

3) Second preimage resistance; how hard is it create an input document
   which produces a given hash when you have access to the original input
   which created that hash.

   Exploit: create a bogus software package which matches the hash of
   the legitimate package.

The only weakness that's really in the air is Collision Resistance,
where we can produce two inputs with the same hash. This is of only
minor concern in a practical sense, though it certainly does mean that
blood is in the water and sharks are circling.

Much more detail here, with pretty pictures:

        An Illustrated Guide to Cryptographic Hashes
        http://www.unixwiz.net/techtips/iguide-crypto-hashes.html#crdetail

Steve

---
Stephen J Friedl | Security Consultant | UNIX Wizard | +1 714 544-6561
www.unixwiz.net | Tustin, Calif. USA | Microsoft MVP | steve@unixwiz.net

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: Cedric Blancher: "Re: Sniffing on a switch"
• Previous message: Frank: "Overpaying? :("
• In reply to: Daniel Miessler: "Re: Insecure Hash Algorithms (MD5) and NTLMv2"
• Next in thread: Daniel Miessler: "Re: Insecure Hash Algorithms (MD5) and NTLMv2"
• Reply: Daniel Miessler: "Re: Insecure Hash Algorithms (MD5) and NTLMv2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:07 EDT