From: <gae...@en...> - 2007-03-18 01:29:50
Matthias Andree wrote on 18 Mar 2007 00:03:55 +0100:

> How does this work in detail? Recover character by character? Are
> specially-crafted challenges required to provoke weak messages in MD5,
> if there are any?

Yes, it uses specially-crafted challenges to recover the password character by character. It is not really a matter of weak messages, but of pairs of colliding messages. The idea of this attack is to create a collision and replace a part of the collision with an unknown password character; therefore, if it still collides, the chances are that the password character is the same as the one in the original collision.

> What's the state of the MD5 cracking art WRT unknown plaintext, how big
> is the effort to brute force the 85^5 space from the 1,000 hashes thus
> collected?

Well, OpenSSL does something like 2^31 MD5s per hour, and 85^5 is about 2^32. So you should be able to brute-force 5 characters in 2 hours...

>> However, using the current techniques available to attack MD5, the
>> msg-ids sent by the server can easily be distinguished from genuine ones
>> as they will not respect the RFC specification.
>
> How long until these colliding messages ASCII and RFC-822 message-id format

I have no idea... I think APOP should already be considered insecure, but as you said it is sometimes the best authentication available, so it's better to try to make it as resistant as possible... Anyway, restricting the space of possible message-ids will at least make the attack somewhat harder if it becomes possible.

>> In particular, they
>> will contain non-ASCII characters. Therefore, as a security
>> countermeasure, I think fetchmail should reject msg-ids that do not
>> conform to the RFC.
>
> That is certainly feasible to implement, I wonder though if that helps
> us out for long.

Well, I don't know. That's up to you to choose if it's worth it...
>> The details of the attack and the new results against MD5 needed to
>> build it will be presented in the Fast Software Encryption conference on
>> March 28. I can send you some more details if needed.
>
> That would certainly be interesting - who will present the attack at the
> conference? Is the paper available for download or will it be after the
> conference?

I will present it :-) I'll send you a copy of the paper.

--
Gaëtan LEURENT
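The countermeasure discussed in the message above (refuse any APOP challenge that is not an RFC-conforming msg-id before hashing the password against it), as an added example that is not part of the thread and not fetchmail's own code. The digest itself follows RFC 1939 (hex MD5 of the server's timestamp, angle brackets included, followed by the shared secret). The msg-id grammar used here is this example's own assumption and is deliberately stricter than the full RFC 822 syntax; the `extract_challenge` helper and both greetings are constructed for illustration, and the "crafted" greeting is simply a stand-in containing the kind of non-ASCII bytes a collision block carries, not an actual MD5 collision.

```python
import hashlib
import re
from typing import Optional

# Assumed, conservative challenge grammar (this example's own choice, stricter
# than the full RFC 822 msg-id syntax): '<' local-part '@' domain '>' where
# both sides are printable-ASCII dot-atom text.  Anything else is rejected.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_DOMAIN = r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*"
_MSGID_RE = re.compile(rb"^<" + _LOCAL.encode() + rb"@" + _DOMAIN.encode() + rb">$")


def challenge_is_well_formed(challenge: bytes) -> bool:
    """True only if the server's APOP timestamp looks like a genuine msg-id.

    Collision blocks are binary junk: they contain bytes outside printable
    ASCII and do not follow the <id@host> shape, so this check refuses them
    before any MD5 is computed over the password.
    """
    if not challenge:
        return False
    # Reject control characters, whitespace and any byte >= 0x80 outright.
    if any(b < 0x21 or b > 0x7E for b in challenge):
        return False
    return _MSGID_RE.match(challenge) is not None


def apop_digest(challenge: bytes, password: str) -> str:
    """APOP response per RFC 1939: hex MD5 of timestamp (with brackets) + secret."""
    return hashlib.md5(challenge + password.encode("utf-8")).hexdigest()


def build_apop_command(user: str, challenge: bytes, password: str) -> str:
    """Client side: validate the greeting's timestamp, then form the APOP line.

    Raises ValueError instead of hashing the password against a suspicious
    challenge, which is the behaviour proposed for fetchmail in the thread.
    """
    if not challenge_is_well_formed(challenge):
        raise ValueError("refusing APOP: challenge is not an RFC-conforming msg-id")
    return f"APOP {user} {apop_digest(challenge, password)}"


def extract_challenge(greeting: bytes) -> Optional[bytes]:
    """Hypothetical helper: pull the <...> timestamp out of a '+OK ...' greeting."""
    start = greeting.find(b"<")
    end = greeting.find(b">", start + 1)
    if start == -1 or end == -1:
        return None
    return greeting[start:end + 1]


# Constructed sample inputs (not captured traffic).  The first greeting and
# password are the RFC 1939 example values; the second is a stand-in for a
# malicious server's challenge with collision-block-like binary bytes.  It is
# NOT an actual MD5 collision.
GENUINE_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
CRAFTED_GREETING = b"+OK POP3 server ready <\x00\xfe\x12\x9a\x7f\xd3c0ll1si0n@\xc3\xa9vil>"

if __name__ == "__main__":
    for greeting in (GENUINE_GREETING, CRAFTED_GREETING):
        chal = extract_challenge(greeting)
        try:
            print(build_apop_command("mrose", chal, "tanstaaf"))
        except ValueError as exc:
            print(f"rejected {chal!r}: {exc}")
```

Running it prints the APOP line for the genuine greeting and a rejection for the crafted one. The check is cheap and cannot hurt interoperability with a server that follows RFC 1939, but, as the message above says, it only narrows the attacker's challenge space rather than fixing MD5.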