This document discusses message authentication with MD5. It provides an overview of how MD5 works as a hash function and describes how it can be used to generate a message authentication code (MAC). It notes that MD5 was an attempt to reduce overhead compared to DES-based MACs. However, it also describes an extension attack that allows modifying messages while reusing the original MAC. The document considers replacing MD5 with AES to address this issue and provides thoughts on using MD5 for per-message authentication despite its age.
10. MD5
5. The a, b, c, d state variables end up as the hash value
11. TL;DR
● Attempts to reduce overhead of MAC based on DES
○ DES is designed for hardware
○ Slow in software
● Use fast software hash functions
○ MD5
12. MAC - Message Authentication Code
● Given a message, it is difficult to compute the authentication code without the secret
key.
● Both sender and receiver share a key K.
● A message is sent to the receiver along with its MAC.
● The receiver computes the MAC himself and checks whether the two match.
○ A keyed checksum for messages
18. Extension attack
Given Hash(m1) and m1.length(), but not m1 itself,
we can calculate Hash(m1 ‖ pad ‖ m2) for any attacker-controlled m2, where pad is the padding the hash function itself appended to m1,
without needing to know the content of m1
19. Extension attack
Original Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo
Original Signature: 6d5f807e23db210bc254a28be2d6759a0f5f5d99
Key length is 14 bytes
Desired New Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo&waffle=liege
20. Extension attack
Desired New Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo&waffle=liege
New Data: count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x28&waffle=liege
New Signature: 0e41270260895979317fff3898ab85668953aaa2
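The worked example on slides 19 and 20, and the MAC definition from slide 12, as an added example that is not code from the deck. The first part reproduces the "New Data" bytes: the padding the server itself appended when it hashed key ‖ data depends only on the total length, 14 key bytes plus 55 data bytes, so its final 8-byte field is (14 + 55) × 8 = 552 = 0x228 bits. Note that the slide's signatures are 40 hex digits and its length field is big-endian, which is the SHA-1 layout; MD5 uses the same padding but writes the length little-endian, so the helper takes the byte order as a parameter. The second part shows the keyed checksum done two ways: the prefix construction H(key ‖ message) that the extension attack applies to, and HMAC, the standard construction that is not affected by it, with a receiver that compares tags in constant time. The key is generated at random here and is an assumption of the example.

```python
import hashlib
import hmac
import os

# Constructed sample values, copied from the slide's worked example.
ORIGINAL_DATA = b"count=10&lat=37.351&user_id=1&long=-119.827&waffle=eggo"
KEY_LEN = 14                      # the slide states the secret is 14 bytes
APPENDED = b"&waffle=liege"


def md_padding(total_len, byteorder):
    """Merkle-Damgard padding shared by MD5 and SHA-1 for a total_len-byte
    input: 0x80, zero bytes up to 56 mod 64, then the bit length in 8 bytes.
    MD5 encodes that length little-endian, SHA-1 big-endian."""
    zeros = (55 - total_len) % 64
    length = ((total_len * 8) & 0xFFFFFFFFFFFFFFFF).to_bytes(8, byteorder)
    return b"\x80" + b"\x00" * zeros + length


def glue_padding(key_len, data, byteorder="big"):
    """The padding the server applied when it hashed key || data.
    Only len(key) enters the computation, never the key itself."""
    return md_padding(key_len + len(data), byteorder)


def extended_data(key_len, data, suffix, byteorder="big"):
    """The 'New Data' string of slide 20: original data, the server's own
    padding, then the appended suffix."""
    return data + glue_padding(key_len, data, byteorder) + suffix


# --- the two ways of building the keyed checksum from slide 12 ------------

def prefix_mac(key, message):
    """H(key || message): the construction the extension attack applies to,
    because its output is the hash's full internal state (see slide 10)."""
    return hashlib.md5(key + message).digest()


def hmac_md5(key, message):
    """HMAC-MD5: the key enters an inner and an outer hash, so a tag is not
    the chaining state of any single H(key || m) computation."""
    return hmac.new(key, message, hashlib.md5).digest()


def verify(key, message, tag):
    """Receiver side: recompute the tag and compare in constant time so the
    comparison does not leak how many leading bytes matched."""
    return hmac.compare_digest(hmac_md5(key, message), tag)


if __name__ == "__main__":
    print(glue_padding(KEY_LEN, ORIGINAL_DATA).hex())
    print(extended_data(KEY_LEN, ORIGINAL_DATA, APPENDED))
    key = os.urandom(KEY_LEN)                # constructed, random secret
    tag = hmac_md5(key, ORIGINAL_DATA)
    print(verify(key, ORIGINAL_DATA, tag))                 # True
    print(verify(key, ORIGINAL_DATA + APPENDED, tag))      # False
```

Running the script prints the padding as `80`, fifty zero bytes, then `0000000000000228`, matching the escape sequence on slide 20. The receiver in `verify` accepts only a tag computed over exactly the bytes it was handed, so appending to the message without the key yields a mismatch.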
23. Our thoughts
● Although MD5 is old and shouldn't be used
● Brute-forcing a 128-bit key still takes forever
○ A single RTX 2080 Ti can do 21.6 GH/s
○ 35794002499.47684 times the age of the universe to solve
○ Numbers from hashcat
● Not too bad for per-message auth
24. Our thoughts
● Attempts to reduce overhead of MAC based on DES
○ DES is not that slow
● Use fast software hash functions
○ Modern x86/ARM CPUs have AES instructions
○ Higher throughput than MD5
○ Use AES when possible