This document discusses message authentication with MD5. It provides an overview of how MD5 works as a hash function and describes how it can be used to generate a message authentication code (MAC). It notes that MD5 was an attempt to reduce overhead compared to DES-based MACs. However, it also describes an extension attack that allows modifying messages while reusing the original MAC. The document considers replacing MD5 with AES to address this issue and provides thoughts on using MD5 for per-message authentication despite its age.

1. Message
Authentication
with MD5
組員：張安邦、楊志璿

2. Outline
1. MD5
2. MAC
3. Author recommendations
4. Extension attack
5. Our idea

3. Note
● All sudo code in Lua
○ .. means concat
○ Because Lua needs more love

4. MD5
● How MD5 works?
● reference : https://www.slideshare.net/sahilkureel/md5-algorithm

5. MD5
● message-digest 5
● A hash function
● 128 bit

6. MD5
1. Pad the message so #msg%56 == 0
a. A 1 bit is first appended, then 0s

7. MD5
2. Append the B value (4 bytes) to the end. So the the message is now a multiple
of 64 bytes

8. MD5
3. The a, b, c, d parameters are initalized to the following values

9. MD5
4. Do some computing

10. MD5
5. The a, b, c, d variables ended up is the hash value

11. TL;DR
● Attempts to reduce overhead of MAC based on DES
○ DES is designed for hardware
○ Slow on software
● Use fast software hash functions
○ MD5

12. MAC - Message Authentication Code
● Given a message, it is difficult to compute the auth code without the secret
key.
● Both sender and resever have key K.
● A message is send to the reseiver along with the MAC
● Receiver computes the MAC himself and check is they are the same
○ Checksum for messages keys

13. MAC - Message Authentication Code
src: wiki

14. MAC - Message Authentication Code

15. K1 and K2 are two indipendent 128-bit values
Paper perposal

16. Paper perposal
Where p is a 348-bit padding and k is a 128-bit key

17. Paper perposal
Where k is a 128-bit key

18. Extension attack
For Hash(m1), we know m1.length() and Hash(m1)
We can calculate Hash(m1 ‖ m2) for any attacker-controlled m2
without needing to know the content of m1

19. Extension attack
Original Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo
Original Signature: 6d5f807e23db210bc254a28be2d6759a0f5f5d99
Key length is 14 bytes
Desired New Data: count=10&lat=37.351&user_id=1&long=-
119.827&waffle=eggo&waffle=liege

20. Extension attack
Desired New Data: count=10&lat=37.351&user_id=1&long=-
119.827&waffle=eggo&waffle=liege
New Data: count=10&lat=37.351&user_id=1&long=-
119.827&waffle=eggox80x00x00x00x00x00x00x00x00x00x00x00x0
0x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x0
0x00x00x00x00x00x00x00x00x02x28&waffle=liege
New Signature: 0e41270260895979317fff3898ab85668953aaa2

21. Extension attack
Because MD5 is an iterative function

22. Authors thoughts
● AES can be used intead of MD5
● More secure with the same procedure

23. Our thoughts
● Anthough MD5 is old and shouldn’t be used
● Brute forcing a 128bit key still takes forever
○ A single RTX 2080Ti can do 21.6 GH/s
○ 35794002499.47684 times the age of univers to solve
○ Numbers from hashcat
● No too bad for per message auth

24. Our thoughts
● Attempts to reduce overhead of MAC based on DES
○ DES is not that slow
● Use fast software hash functions
○ Modern x86/ARM have AES instructions
○ Faster hash rate than MD5
○ Use AES when possible