Security of MD5 Challenge and Response: Extension of APOP Password Recovery Attack

  • Yu Sasaki
  • Lei Wang
  • Kazuo Ohta
  • Noboru Kunihiro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4964)


In this paper, we propose an extension of the APOP attack that recovers the first 31 characters of APOP password in practical time, and theoretically recovers 61 characters. We have implemented our attack, and have confirmed that 31 characters can be successfully recovered. Therefore, the security of APOP is completely broken. The core of our new technique is finding collisions for MD5 which are more suitable for the recovery of APOP passwords. These collisions are constructed by employing the collision attack of den Boer and Bosselares and by developing a new technique named ”IV Bridge” which is an important step to satisfy the basic requirements of the collision finding phase. We show that the construction of this ”IV Bridge” can be done efficiently as well.


APOP Challenge and Response Password Recovery Hash Function MD5 Collision Attack Message Difference 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Black, J., Cochran, M., Highland, T.: A Study of the MD5 Attacks: Insights and Improvements. In: Robshaw, M.J.B. (ed.) FSE 2006. LNCS, vol. 4047, pp. 262–277. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    den Boer, B., Bosselaers, A.: Collisions for the Compression Function of MD5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994)Google Scholar
  3. 3.
    Contini, S., Yin, Y.L.: Forgery and partial key-recovery attacks on HMAC and NMAC using hash collisions. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 37–53. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Daum, M., Lucks, S.: Hash Collisions (The Poisoned Message Attack) The Story of Alice and her Boss. In: Eurocrypt 2005 (2005),
  5. 5.
    Dobbertin, H.: Cryptanalysis of MD5 compress. In: Eyrocrypt 1996 (1996)Google Scholar
  6. 6.
    Dobbertin, H.: The Status of MD5 After a Recent Attack. In: CryptoBytes The technical newsletter of RSA Laboratories, a division of RSA Data Security, Inc., SUMMER 1996, vol. 2(2) (1996)Google Scholar
  7. 7.
    Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP Authentication: Basic and Digest Access Authentication, RFC 2617, June 1999 (1999),
  8. 8.
    Gebhardt, M., Illies, G., Schindler, W.: A note on the practical value of single hash collisions for special file formats. In: Dittmann, J. (ed.) Sicherheit, GI. LNI, vol. 77, pp. 333–344 (2006)Google Scholar
  9. 9.
    Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report, /105. (2006),
  10. 10.
    Lenstra, A.K., de Weger, B.: On the possibility of constructing meaningful hash collisions for public keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 267–279. Springer, Heidelberg (2005)Google Scholar
  11. 11.
    Leurent, G.: Message Freedom in MD4 and MD5 Collisions: Application to APOP. In: Biryukov, A. (ed.) FSE 2007. LNCS, vol. 4593, pp. 309–328. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  12. 12.
    Liang, J., Lai, X.: Improved Collision Attack on Hash Function MD5. Journal of Computer Science and Technology 22(1), 79–87 (2007)CrossRefGoogle Scholar
  13. 13.
    Rivest, R.L.: The MD5 Message Digest Algorithm. RFC 1321 (April, 1992),
  14. 14.
    Myers, J., Rose, M.: Post Office Protocol - Version 3. RFC 1939 (Standard), May 1996. Updated by RFCs 1957, 2449,
  15. 15.
    Preneel, B., van Oorschot, P.C.: On the Security of Two MAC Algorithms. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 19–32. Springer, Heidelberg (1996)Google Scholar
  16. 16.
    Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., Schooler, E.: SIP: Session Initiation Protocol, RFC 3261, June 2002 (2002),
  17. 17.
    Sasaki, Y., Naito, Y., Kunihiro, N., Ohta, K.: Improved, collision attack on MD5. Cryptology ePrint Archive, Report 2005/400,
  18. 18.
    Sasaki, Y., Naito, Y., Kunihiro, N., Ohta, K.: Improved Collision Attacks on MD4 and MD5. IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences (Japan), E90-A(1), 36–47 (2007) (The initial result was announced as [17])Google Scholar
  19. 19.
    Sasaki, Y., Yamamoto, G., Aoki, K.: Practical Password Recovery on an MD5 Challenge and Response. Cryptology ePrint Archive, Report 2007/101Google Scholar
  20. 20.
    Stevens, M., Lenstra, A., der Weger, B.: Chosen-prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–12. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Yu Sasaki
    • 1
  • Lei Wang
    • 2
  • Kazuo Ohta
    • 2
  • Noboru Kunihiro
    • 2
  1. 1.NTT Information Sharing Platform LaboratoriesNTT CorporationTokyoJapan
  2. 2.The University of Electro-CommunicationsTokyoJapan

Personalised recommendations