Penetration Testing mailing list archives
RE: Insecure Hash Algorithms (MD5) and NTLMv2
From: "Ben Nagy" <ben () iagu net>
Date: Wed, 2 Nov 2005 20:33:55 +0700
-----Original Message-----
From: Thierry Zoller [mailto:Thierry () sniff-em com]
Sent: Tuesday, November 01, 2005 6:47 PM
To: Daniel Miessler
Cc: pen-test () securityfocus com
Subject: Re: Insecure Hash Algorithms (MD5) and NTLMv2

Dear Daniel,

DM> Just because MD5 has become "relatively" weak in recent months
DM> doesn't mean that it's trivial to create/find collisions using it.

http://www.doxpara.com/t1.html
http://www.doxpara.com/t2.html
Same md5

http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
http://www.cits.rub.de/imperia/md/content/magnus/order.ps
Same md5
[...]

Hi Thierry,

Although I often find these kinds of link-paste responses amusing, in this case I think it's rather specious.

You give a lot of examples of new work undermining the collision resistance of MD5. That work says, in layman's terms, that it's much easier than it should be to create two messages that hash to the same thing.

This is not the same as "preimage resistance", which is finding the right m1 so that h(m1)=h1 - which is what you want to attack NTLMv2.

Basically, people are wondering if you can suddenly invert HMAC-MD5 - well you can't. The collision resistance above doesn't really affect HMAC-MD5 at all.

Kaminsky pointed out in http://www.doxpara.com/md5_someday.pdf that "It's definitely possible, given the key, to create two datasets with the same HMAC." This is at once quite true and entirely useless with respect to the current discussion.

Attacks exist against NTLMv2 which basically come down to password guessing, provided you have good sniffing access to the local wire. These are no harder or easier than they were before the bottom fell out of the MD5 futures market.

I didn't really read the whole thread, but you were responding, I believe, to Daniel, who said:

DM> As such, the solution *IS* significantly stronger despite its use of MD5.

Assuming he means stronger than NTLMv1, or LM then that is absolutely true. Stronger than Kerberos, meh probably not, but you can still guess passwords for Kerberos.

In fact, to summarise as succinctly as possible:

HMAC-MD5 is NOT the same as MD5.
Recent MD5 collision resistance work does not materially affect NTLMv2 or Kerberos.
Weak passwords, on the other hand, do (and always have done), and they are much more common than crypt0h4x0rZ.

Cheers,

ben
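Added example, not part of the original post: a check of the distinction drawn in the message above, that an MD5 collision does not carry over to HMAC-MD5 under a key the attacker does not know. It assumes the publicly known 128-byte collision pair published by Wang et al. in 2004 (not taken from this thread); the key and suffix values are constructed samples.

```python
import hashlib

# Two distinct 128-byte messages with the same MD5 digest: the collision
# pair published by Wang et al. in 2004 (assumption, not from this thread).
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

BLOCK = 64  # MD5 block size in bytes


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """HMAC-MD5 per RFC 2104, written out to show where the key enters."""
    if len(key) > BLOCK:
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # The inner hash absorbs one full key-dependent block before any message
    # byte, so the message is compressed from a chaining state the collision
    # pair was not built for (the pair only collides from the standard IV).
    inner = hashlib.md5(ipad + msg).digest()
    return hashlib.md5(opad + inner).digest()


def compare(key: bytes, suffix: bytes = b"") -> dict:
    """Compare plain MD5 and HMAC-MD5 over the colliding pair plus a suffix."""
    a, b = M1 + suffix, M2 + suffix
    return {
        "messages_differ": a != b,
        "md5_equal": hashlib.md5(a).digest() == hashlib.md5(b).digest(),
        "hmac_equal": hmac_md5(key, a) == hmac_md5(key, b),
    }


if __name__ == "__main__":
    # Constructed sample key and suffix. The suffix case shows that a plain
    # MD5 collision survives appended data, while HMAC still tells them apart.
    print(compare(b"constructed-sample-key"))
    print(compare(b"constructed-sample-key", b" appended data"))
```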