Password Recovery on Challenge and Response: Impossible Differential Attack on Hash Function

  • Yu Sasaki
  • Lei Wang
  • Kazuo Ohta
  • Noboru Kunihiro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5023)


We propose practical password recovery attacks against two challenge-response authentication protocols using MD4. When a res- ponse is computed as MD4(Password||Challenge), passwords up to 12 characters are practically recovered. To recover up to 8 characters, we need 16 times the amount of eavesdropping and 16 times the number of queries, and the off-line complexity is less than 235 MD4 computations. To recover up to 12 characters, we need 210 times the amount of eavesdropping and 210 times the number of queries, and the off-line complexity is less than 240 MD4 computations. When a response is computed as MD4(Password||Challenge||Password), passwords up to 8 characters are practically recovered by 28 times the amount of eavesdropping and 28 times the number of queries, and the off-line complexity is less than 239 MD4 computations. Our approach is similar to the “Impossible differential attack”, which was originally proposed for recovering the block cipher key. Good impossible differentials for hash functions are achieved by using local collision. This indicates that the presence of one practical local collision can damage the security of protocols.


Challenge and Response Prefix Hybrid Impossible Differential Attack Local Collision Hash Function MD4 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Biham, E., Biryukov, A., Dunkelman, O., Richardson, E., Shamir, A.: Initial Observations on Skipjack: Cryptanalysis of Skipjack-3XOR. In: Tavares, S., Meijer, H. (eds.) SAC 1998. LNCS, vol. 1556, pp. 362–376. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  2. 2.
    Biham, E., Biryukov, A., Shamir, A.: Cryptanalysis of Skipjack Reduced to 31 Rounds using Impossible Differentials, Technical Report CS0947, Technion - Computer Science Department (1998),
  3. 3.
    Contini, S., Yin, Y.L.: Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37–53. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Fouque, P.-A., Leurent, G., Nguyen, P.: Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 15–30. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  5. 5.
    Kaliski Jr., B.S., Robshaw, M.J.B.: Message authentication with MD5. CryptoBytes 1(1), 5–8 (1995)Google Scholar
  6. 6.
    Leurent, G.: Message Freedom in MD4 and MD5 Collisions: Application to APOP. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 309–328. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  7. 7.
    Rivest, R.L.: The MD4 Message-Digest Algorithm, RFC 1320 (April 1992),
  8. 8.
    Rivest, R.L.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  9. 9.
    Myers, J., Rose, M.: Post Office Protocol - Version 3, RFC 1939, (Standard). Updated by RFCs 1957, 2449. (May 1996),
  10. 10.
    Preneel, B., van Oorschot, P.C.: On the Security of Two MAC Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 19–32. Springer, Heidelberg (1996)Google Scholar
  11. 11.
    Rechberger, C., Rijmen, V.: On Authentication with HMAC and Non-Random Properties, Cryptology ePrint Archive, Report 2006/290,
  12. 12.
    Sasaki, Y., Yamamoto, G., Aoki, K.: Practical Password Recovery on an MD5 Challenge and Response. Cryptology ePrint Archive, Report 2007/101,
  13. 13.
    Simpson, W.: PPP Challenge Handshake Authentication Protocol (CHAP), RFC 1994, Updated by RFC 2484, (August 1996),
  14. 14.
    Tsudik, G.: Message Authentication with One-Way Hash Functions. ACM Computer Communication Review 22(5), 29–38 (1992)CrossRefGoogle Scholar
  15. 15.
    Wang, L., Ohta, K., Kunihiro, N.: Password Recovery Attack on Authentication Protocol MD4(Password||Challenge). In: ASIACCS 2008 (to appear, 2008)Google Scholar
  16. 16.
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the Hash Functions MD4 and RIPEMD. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)Google Scholar
  17. 17.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–25. Springer, Heidelberg (2005)Google Scholar
  18. 18.
    Wang, X., Yu, H., Yin, Y.L.: Efficient Collision Search Attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)Google Scholar
  19. 19.
    Wang, X., Yin, Y.L., Yu, H.: Finding Collisions in the Full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Yu Sasaki
    • 1
  • Lei Wang
    • 2
  • Kazuo Ohta
    • 2
  • Noboru Kunihiro
    • 2
  1. 1.NTT Information Sharing Platform LaboratoriesNTT CorporationTokyoJapan
  2. 2.The University of Electro-CommunicationsTokyoJapan

Personalised recommendations