0

I read that Windows (probably not new OSs but say, Windows Server 2008) stores passwords using Hashes using NTLMv2 protocol which uses MD5 hash function. My questions: MD5 is known to be insecure because it is not collision resistant. How is it used in Windows 2008 server?

user2192774
  • 305
  • 4
  • 8

1 Answers1

3

Collisions are irrelevant to most usages of hash functions in conjunction with passwords. For password hashing, preimage resistance is important, not collision resistance. MD5's resistance to preimages is (almost) as good as new.

MD5 for password storage would be a poor choice "alone", though, because password hashing requires salts and slowness, both characteristics that MD5 does not offer. See this answer for a primer on password hashing.

NTLMv2 does not use MD5 to store passwords. What is stored is a "password-equivalent" value called "NT-hash", which is the hash of the password with MD4, not MD5. No, this is not weak; for that specific usage, MD4 is still fine. As for MD5, it is used within HMAC as part of the challenge-response protocol, but not for anything that is stored.

There is no known attack against HMAC/MD5. The known MD5 weaknesses void the "warranty": the security proof which guarantees (mathematically) that HMAC is secure relies on the compression function of the underlying hash function: that compression function must be a PRF. The known collision attacks on MD5 demonstrate that MD5's compression function is not a PRF; however, this does not break HMAC/MD5. This just breaks the security proof. HMAC/MD5 cannot be "proven strong". It just fell into the wider category of "we don't know how to break that".

Tom Leek
  • 170,038
  • 29
  • 342
  • 480