
    Fast Password Recovery Attack: Application to APOP

    In this paper, we propose a fast password recovery attack on APOP in a local setting which can recover a password with 11 characters in less than one minute, a password with 31 characters in about 4 minutes, and a password with 43 characters in practical time. These attacks closely simulate the practical password recovery attacks launched by malware in real life, and further confirm that the security of APOP is totally broken. To achieve these dramatic improvements, we propose a group satisfaction scheme, apply the divide-and-conquer strategy and a new suitable MD5 collision attack to greatly reduce the computational complexity of collision searching with a high number of chosen bits. The average time of generating an "IV Bridge" is optimized to 0.17 seconds on an ordinary PC; the average time of generating collision pairs for recovering passwords of up to 11 characters is about 0.08 seconds, for 31 characters about 0.15 seconds, for 39 characters about 4.13 seconds, and for 43 characters about 20 seconds, and collisions for recovering passwords as long as 67 characters can theoretically be generated. These techniques can be further applied to reduce the complexity of producing a 1-bit-free collision for recovering the first 11 characters, whose main purpose is to reduce the number of challenges generated in the APOP attack, to about 2^36 MD5 compressions.

    Partitioning Oracle Attacks

    In this paper we introduce partitioning oracles, a new class of decryption error oracles which, conceptually, take a ciphertext as input and output whether the decryption key belongs to some known subset of keys. We introduce the first partitioning oracles which arise when encryption schemes are not committing with respect to their keys. We detail novel adaptive chosen ciphertext attacks that exploit partitioning oracles to efficiently recover passwords and de-anonymize anonymous communications. The attacks utilize efficient key multi-collision algorithms --- a cryptanalytic goal that we define --- against widely used authenticated encryption with associated data (AEAD) schemes, including AES-GCM, XSalsa20/Poly1305, and ChaCha20/Poly1305. We build a practical partitioning oracle attack that quickly recovers passwords from Shadowsocks proxy servers. We also survey early implementations of the OPAQUE protocol for password-based key exchange, and show how many could be vulnerable to partitioning oracle attacks due to incorrectly using non-committing AEAD. Our results suggest that the community should standardize and make widely available committing AEAD to avoid such vulnerabilities.
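    The key multi-collision and the partitioning oracle described in the abstract above, as an added worked example that is not part of the paper or of this listing. The AEAD here is a constructed toy: a prime-field polynomial MAC with the same linear structure as Poly1305 (but without Poly1305's final reduction mod 2^128, and with blocks allowed to be any element of Z_p) over a hash-derived keystream. The password-to-key map, the block format and the 64-entry candidate list are assumptions made for the demo. Because the tag is linear in the ciphertext blocks, one ciphertext can be made to authenticate under k candidate keys at once by solving a k x k Vandermonde system mod p; an oracle that only reports whether decryption succeeded then answers "is the key in this subset?", and binary search over a dictionary of N passwords recovers the password in about log2(N) queries. A committing variant of the toy (an assumption: a checked 16-byte zero block prepended to the plaintext) is included to show that once the ciphertext commits to its key, every such query fails and the oracle no longer partitions anything.

```python
import hashlib

P = (1 << 130) - 5        # Poly1305's prime; the toy tag lives entirely in Z_P
MASK128 = (1 << 128) - 1

def derive(password):
    """Toy password-to-key map (a real scheme would use a PBKDF and a nonce).
    Returns the polynomial-MAC key pair (r, s)."""
    d = hashlib.sha256(b"toy-aead-mac|" + password.encode()).digest()
    return int.from_bytes(d[:16], "little") % P, int.from_bytes(d[16:], "little") % P

def keystream(password, i):
    """Toy 128-bit keystream block i (a hash in counter mode, constructed for the demo)."""
    h = hashlib.sha256(b"toy-aead-ks|%d|" % i + password.encode()).digest()
    return int.from_bytes(h[:16], "little")

def poly_tag(r, s, blocks):
    """tag = sum_i c_i * r^(k-i) + s mod P (Horner form): linear in the blocks c_i."""
    acc = 0
    for c in blocks:
        acc = (acc + c) * r % P
    return (acc + s) % P

def encrypt(password, plaintext, committing=False):
    """Return (blocks, tag). committing=True prepends a 16-byte zero block that the
    decryptor checks, so a valid ciphertext commits to the key that made it."""
    if committing:
        plaintext = bytes(16) + plaintext
    padded = plaintext + bytes(-len(plaintext) % 16)
    blocks = [int.from_bytes(padded[i:i + 16], "little") ^ keystream(password, i // 16)
              for i in range(0, len(padded), 16)]
    return blocks, poly_tag(*derive(password), blocks)

def decrypt(password, blocks, tag, committing=False):
    """Return the zero-padded plaintext, or None on failure (the oracle's only signal)."""
    if poly_tag(*derive(password), blocks) != tag:
        return None
    pt = b"".join(((c ^ keystream(password, i)) & MASK128).to_bytes(16, "little")
                  for i, c in enumerate(blocks))
    if committing:
        if pt[:16] != bytes(16):   # a wrong key gives garbage here, never 16 zero bytes
            return None
        pt = pt[16:]
    return pt

def solve_mod_p(A, b):
    """Gauss-Jordan elimination over Z_P for A x = b (A is k x k, assumed invertible)."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next(i for i in range(col, n) if M[i][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for i in range(n):
            if i != col and M[i][col]:
                f = M[i][col]
                M[i] = [(vi - f * vc) % P for vi, vc in zip(M[i], M[col])]
    return [M[i][n] for i in range(n)]

def key_multicollision(passwords, target_tag=0):
    """One (blocks, tag) pair that authenticates under every password given: under
    key j the tag is sum_i c_i r_j^(k-i) + s_j, so fixing the tag leaves k linear
    equations in the k unknown blocks (a Vandermonde system in the r_j)."""
    k = len(passwords)
    keys = [derive(pw) for pw in passwords]
    A = [[pow(r, k - i, P) for i in range(k)] for r, _ in keys]
    b = [(target_tag - s) % P for _, s in keys]
    return solve_mod_p(A, b), target_tag

def partitioning_oracle_attack(oracle, dictionary):
    """Binary search; each query asks the oracle 'is your key in this half?'.
    Returns (password, queries), or (None, queries) if the key is not in the list."""
    cands, queries = list(dictionary), 0
    while len(cands) > 1:
        half = cands[: len(cands) // 2]
        queries += 1
        cands = half if oracle(*key_multicollision(half)) else cands[len(half):]
    queries += 1
    return (cands[0], queries) if oracle(*key_multicollision(cands)) else (None, queries)

def demo():
    """Constructed scenario: 64 candidate passwords, secret 'pw041'. The leaky oracle
    gives up the password in 7 queries; the committing one answers False every time."""
    dictionary = ["pw%03d" % i for i in range(64)]
    secret = "pw041"
    leaky = lambda blocks, tag: decrypt(secret, blocks, tag) is not None
    fixed = lambda blocks, tag: decrypt(secret, blocks, tag, committing=True) is not None
    return partitioning_oracle_attack(leaky, dictionary), partitioning_oracle_attack(fixed, dictionary)
```

    Running demo() returns (('pw041', 7), (None, 7)): seven queries against the leaky oracle pin down one password out of 64, while the committing oracle rejects every crafted ciphertext and the search ends with no candidate. The multi-collision ciphertext grows to k blocks for a subset of k keys, so in practice the subset size is bounded by the largest message the target will accept.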

    D.STVL.9 - Ongoing Research Areas in Symmetric Cryptography

    This report gives a brief summary of some of the research trends in symmetric cryptography at the time of writing (2008). The following aspects of symmetric cryptography are investigated in this report: • the status of work with regards to different types of symmetric algorithms, including block ciphers, stream ciphers, hash functions and MAC algorithms (Section 1); • the algebraic attacks on symmetric primitives (Section 2); • the design criteria for symmetric ciphers (Section 3); • the provable properties of symmetric primitives (Section 4); • the major industrial needs in the area of symmetric cryptography (Section 5).