From: Matthias A. <mat...@gm...> - 2007-03-18 00:05:40
Gaëtan LEURENT wrote on 2007-03-14:

> I found a security vulnerability in the APOP authentication. It is
> related to recent collision attacks by Wang et al. against MD5. The
> basic idea is to craft a pair of message-ids that will collide in the
> APOP hash if the password begins in a specified way. So the attacker
> would impersonate a POP server, and send these msg-id; the client will
> return the hash, and the attacker can learn some password characters.

Thanks for the heads-up. The problem with APOP is that it specifies MD5,
and that isn't going to change, and with some clueless upstreams, APOP
is the best you can get...

> This attack is really a practical one: it needs about an hour of
> computation and a few hundred authentications from the client, and can
> recover three password characters. I tested it against fetchmail, and
> it does work.

How does this work in detail? Recover character by character? Are
specially-crafted challenges required to provoke weak messages in MD5,
if there are any? What's the state of the MD5 cracking art WRT unknown
plaintext, how big is the effort to brute force the 85^5 space from the
1,000 hashes thus collected? I don't know details beyond that someone
has a way to produce two messages with colliding hash with reasonably
little effort.

> However, using the current techniques available to attack MD5, the
> msg-ids sent by the server can easily be distinguished from genuine ones
> as they will not respect the RFC specification.

How long until these colliding messages ASCII and RFC-822 message-id format

> In particular, they
> will contain non-ASCII characters. Therefore, as a security
> countermeasure, I think fetchmail should reject msg-ids that do not
> conform to the RFC.

That is certainly feasible to implement, I wonder though if that helps
us out for long.

> The details of the attack and the new results against MD5 needed to
> build it will be presented in the Fast Software Encryption conference on
> March 28.
> I can send you some more details if needed.

That would certainly be interesting - who will present the attack at the
conference? Is the paper available for download or will it be after the
conference?

> Meanwhile, feel free to alert any one that you believe is concerned.
> I am already sending this mail to the maintainers of Thunderbird,
> Evolution, fetchmail, and mutt. KMail already seems to do enough checks
> on the msg-id to avoid the attack.

I think I'll be easy on this one until after I've seen the details.

Best regards,

-- 
Matthias Andree
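The countermeasure discussed in the message above, as an added example that is not part of this thread and not fetchmail's own code: a POP3 client-side routine in Python that computes the RFC 1939 APOP response, MD5(challenge || password), only when the server's challenge is a well-formed msg-id. The validation rules (printable ASCII only, no whitespace, no nested angle brackets, exactly one "@" with non-empty parts) are this example's own reading of RFC 1939 section 7 and the RFC 822 msg-id syntax; the function names and the "hostile" banner are assumptions constructed for the illustration, and the hostile banner is not a real colliding block, it merely carries the 8-bit bytes that the thread says such blocks contain. The genuine banner and the password "tanstaaf" are the example from RFC 1939 itself.

```python
import hashlib
import re
from typing import Optional

# Example code, not fetchmail's: a client that refuses to hash an APOP
# challenge unless it looks like a genuine <local@domain> msg-id.

# The server banner carries the challenge as the first <...> token.
_CHALLENGE_RE = re.compile(rb'<[^<>]*>')


def extract_challenge(greeting: bytes) -> Optional[bytes]:
    """Return the first <...> token of a "+OK ..." banner, or None."""
    m = _CHALLENGE_RE.search(greeting)
    return m.group(0) if m else None


def msgid_is_conformant(msgid: bytes) -> bool:
    """Accept only "<local@domain>" built from printable ASCII (0x21-0x7E)
    with no whitespace, no control or 8-bit bytes, no nested '<' or '>',
    and exactly one '@' with non-empty text on both sides.  Colliding
    challenges of the kind described in the thread contain non-ASCII
    bytes and therefore fail this test."""
    if len(msgid) < 5 or msgid[:1] != b'<' or msgid[-1:] != b'>':
        return False
    body = msgid[1:-1]
    if any(b < 0x21 or b > 0x7E or b in (0x3C, 0x3E) for b in body):
        return False
    local, sep, domain = body.partition(b'@')
    return bool(sep) and bool(local) and bool(domain) and b'@' not in domain


def apop_digest(challenge: bytes, password: bytes) -> str:
    """RFC 1939 APOP: digest = MD5(challenge || password), lowercase hex."""
    return hashlib.md5(challenge + password).hexdigest()


def apop_command(user: str, greeting: bytes, password: bytes) -> Optional[bytes]:
    """Build the 'APOP <user> <digest>' line for a banner, or return None
    (do not authenticate) when the challenge is missing or malformed."""
    challenge = extract_challenge(greeting)
    if challenge is None or not msgid_is_conformant(challenge):
        return None
    digest = apop_digest(challenge, password).encode('ascii')
    return b'APOP ' + user.encode('ascii') + b' ' + digest + b'\r\n'


# Genuine banner: the RFC 1939 section 7 example (shared secret "tanstaaf").
GENUINE_GREETING = b'+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n'

# Constructed stand-in for a hostile banner.  NOT a real MD5 collision
# block; it only has the property the thread relies on: 8-bit and control
# bytes that an RFC 822 msg-id can never contain.
HOSTILE_GREETING = b'+OK POP3 server ready <\x8a\x3d\xf1.1@\x00evil>\r\n'


def demo() -> dict:
    """Run both banners through the client: the genuine one yields an APOP
    line, the hostile one is refused before any hash is computed."""
    return {
        'genuine': apop_command('mrose', GENUINE_GREETING, b'tanstaaf'),
        'hostile': apop_command('mrose', HOSTILE_GREETING, b'tanstaaf'),
    }


if __name__ == '__main__':
    for name, line in demo().items():
        print(name, line)
```

The check is cheap and does not change what is hashed for a legitimate server, but, as the reply above notes, it only filters the collision blocks that current techniques produce; a future attack that yields printable-ASCII, RFC-conformant msg-ids would pass it, so the filter is a stopgap rather than a fix for MD5 in APOP.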