Penetration Testing mailing list archives

RE: Insecure Hash Algorithms (MD5) and NTLMv2


From: "Ben Nagy" <ben () iagu net>
Date: Wed, 2 Nov 2005 20:33:55 +0700

-----Original Message-----
From: Thierry Zoller [mailto:Thierry () sniff-em com]
Sent: Tuesday, November 01, 2005 6:47 PM
To: Daniel Miessler
Cc: pen-test () securityfocus com
Subject: Re: Insecure Hash Algorithms (MD5) and NTLMv2

Dear Daniel,

DM> Just because MD5 has become "relatively" weak in recent months
DM> doesn't mean that it's trivial to create/find collisions using it.

http://www.doxpara.com/t1.html
http://www.doxpara.com/t2.html
Same md5

http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
http://www.cits.rub.de/imperia/md/content/magnus/order.ps
Same md5
[...]

Hi Thierry,

Although I often find these kinds of link-paste responses amusing, in this
case I think it's rather specious.

You give a lot of examples of new work undermining the collision resistance
of MD5. That work says, in layman's terms, that it's much easier than it
should be to create two messages that hash to the same thing.

This is not the same as "preimage resistance", which is finding the right m1
so that h(m1)=h1 - which is what you want to attack NTLMv2. Basically,
people are wondering if you can suddenly invert HMAC-MD5 - well you can't.

The collision resistance above doesn't really affect HMAC-MD5 at all.
Kaminsky pointed out in http://www.doxpara.com/md5_someday.pdf that "It's
definitely possible, given the key, to create two datasets with the same
HMAC." This is at once quite true and entirely useless with respect to the
current discussion.

Attacks exist against NTLMv2 which basically come down to password guessing,
provided you have good sniffing access to the local wire. These are no
harder or easier than they were before the bottom fell out of the MD5
futures market.

I didn't really read the whole thread, but you were responding, I believe,
to Daniel, who said:

DM> As such, the solution *IS* significantly stronger despite its use of
DM> MD5.

Assuming he means stronger than NTLMv1 or LM, then that is absolutely true.
Stronger than Kerberos, meh, probably not, but you can still guess passwords
for Kerberos.

In fact, to summarise as succinctly as possible:

HMAC-MD5 is NOT the same as MD5. Recent MD5 collision resistance work does
not materially affect NTLMv2 or Kerberos. Weak passwords, on the other hand,
do (and always have done), and they are much more common than crypt0h4x0rZ.

Cheers,

ben
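The distinction the post draws between collision resistance and preimage resistance, and between a bare hash and a keyed HMAC, can be made concrete with a small experiment. The following is an added example and is not code from the original mailing-list post or from any party in the thread. It truncates MD5 to a few bits (TRUNC_BITS, the message prefixes and the sample key are constructed values for the demo) so that both searches finish in seconds: a birthday search for two messages with the same truncated hash costs on the order of 2^(bits/2) evaluations, while finding a message that hits one given hash value (a preimage) costs on the order of 2^bits. It also shows the keyed construction, HMAC-MD5 as used by NTLMv2, where a verifier without the key cannot recompute a tag at all, which is why the practical attack is guessing the password that derives the key rather than anything to do with MD5 collisions.

```python
"""Collision resistance vs. preimage resistance, shown on a truncated MD5,
plus the keyed HMAC-MD5 construction used by NTLMv2.

Added example, not part of the original post. TRUNC_BITS, the message
prefixes and the sample key below are constructed for the demonstration.
"""
import hashlib
import hmac

# Constructed: small enough that a full preimage search finishes in seconds.
TRUNC_BITS = 20


def truncated_md5(data: bytes, bits: int = TRUNC_BITS) -> int:
    """Return the leading `bits` bits of MD5(data) as an integer (a toy hash).

    bits=128 gives the full, untruncated MD5 value.
    """
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def find_collision(prefix: bytes = b"msg-", bits: int = TRUNC_BITS):
    """Birthday search: two distinct messages with the same truncated hash.

    Expected cost is on the order of 2**(bits/2) hash evaluations.
    Returns (m1, m2, evaluations).
    """
    seen = {}
    tries = 0
    while True:
        m = prefix + str(tries).encode()
        h = truncated_md5(m, bits)
        tries += 1
        if h in seen:
            return seen[h], m, tries
        seen[h] = m


def find_preimage(target: int, prefix: bytes = b"guess-", bits: int = TRUNC_BITS):
    """Brute-force search for a message whose truncated hash equals `target`.

    Expected cost is on the order of 2**bits evaluations, i.e. roughly the
    square of the collision cost. Returns (m, evaluations).
    """
    tries = 0
    while True:
        m = prefix + str(tries).encode()
        tries += 1
        if truncated_md5(m, bits) == target:
            return m, tries


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    """Keyed MAC (HMAC-MD5). Without `key` the tag cannot be recomputed,
    regardless of how easy MD5 collisions have become."""
    return hmac.new(key, msg, hashlib.md5).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time check of an HMAC-MD5 tag, as a verifier would do it."""
    return hmac.compare_digest(hmac_md5(key, msg), tag)


if __name__ == "__main__":
    m1, m2, c_tries = find_collision()
    print(f"collision after {c_tries} evaluations: {m1!r} / {m2!r}")
    target = truncated_md5(b"a fixed message")  # constructed target
    m, p_tries = find_preimage(target)
    print(f"preimage after {p_tries} evaluations: {m!r}")
    print(f"preimage/collision cost ratio: {p_tries / c_tries:.0f}x")
    key = b"constructed-sample-key"
    tag = hmac_md5(key, b"challenge-response data")
    print("tag verifies with key:", verify_tag(key, b"challenge-response data", tag))
    print("tag verifies with wrong key:",
          verify_tag(b"wrong", b"challenge-response data", tag))
```

The two colliding messages collide only under the truncated toy hash, not under full MD5, so the block demonstrates the cost gap rather than reproducing the published MD5 collisions; the point is that even a hash whose collisions are cheap offers no shortcut to the keyed tag, and the only lever left to an attacker with a captured exchange is the entropy of the password behind the key.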