Vlastimil Klima1) Independent cryptologist

Slides:



Advertisements
Similar presentations
Which Hash Functions will survive?
Advertisements

Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications Vlastimil Klima 1) Independent cryptologist
Your Security in the IT Market Beyond the MD5 Collisions Daniel Joščák, S.ICZ a.s. & MFF UK 04/05/2007, SPI Brno.
1 Cryptanalysis on Hash Functions Xiaoyun Wang 10/28/2005.
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
SECURE HASHING ALGORITHM By: Ruth Betcher. Purpose: Authentication Not Encryption Authentication Requirements:  Masquerade – Insertion of message from.
SHA-1 collision found Lukáš Miňo, Richard Bartuš.
About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant
MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.
Cryptography and Network Security Chapter 12 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
“Chinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.“Chinese” collision attacks 3.Results for MD4 and MD5.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptography and Network Security Chapter 12
Cryptography and Network Security (CS435) Part Ten (Hash and MAC algorithms)
Foundations of Network and Computer Security J J ohn Black Lecture #8 Sep 15 th 2005 CSCI 6268/TLEN 5831, Fall 2005.
Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 CS 255 Lecture 6 Hash Functions Brent Waters. 2 Recap-Notions of Security What attacker can do Random plaintext attack Chosen plaintext attack Chosen.
MD4 1 MD4. MD4 2 MD4  Message Digest 4  Invented by Rivest, ca 1990  Weaknesses found by 1992 o Rivest proposed improved version (MD5), 1992  Dobbertin.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Whole School Attendance Whole School Attendance 94.64% Overall School Absence 5.36%
Attacking MD5: Tunneling & Multi- Message Modification Team Short Bus: Daniel Liu John Floren Tim Sperr.
Team Grey Skies – Pete Biancaniello and Anton Schraut January 18 th, 2012.
Message Authentication  message authentication is concerned with: protecting the integrity of a message protecting the integrity of a message validating.
Message Authentication Code July Message Authentication Problem  Message Authentication is concerned with:  protecting the integrity of a message.
Lect : Hash Functions and MAC. 2 1.Introduction - Hash Function vs. MAC 2.Hash Functions  Security Requirements  Finding collisions – birthday.
Lecture 3 Feistel based algorithms. Today 1.Block ciphers - basis 2.Feistel cipher 3.DES 4.DES variations 5.IDEA 5.NEWDES.
Africacrypt 2008 Security of Challenge and Response Yu Sasaki 1, Lei Wang 2, Kazuo Ohta 2, Noboru Kunihiro 2 Impossible Differential Attack on Hash Functions.
1 Hash Functions. 2 A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length
Hash and Mac Algorithms. Contents Hash Functions Secure Hash Algorithm HMAC.
How Are Cryptographic Algorithms Broken??? Presented By Bhavana Tapde June 19, 2006.
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.3 Hash Functions.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
ECE 111 SHA-2 Algorithms.
Hash Algorithms Ch 12 of Cryptography and Network Security - Third Edition by William Stallings Modified from lecture slides by Lawrie Brown CIM3681 :
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 13.Message Authentication.
Consumer Behaviour Bangor Transfer Abroad Programme Consumer Research and the Research Process.
Study on The Secure Key-Evolving Protocols Kim Joong Man
IN THIS Slide show YOU WILL LEARN ABOUT ALL VERSIONS OF "MS OFFICE"
Chapter 12 – Hash Algorithms
Type your project title here Your name Mueller Park Junior High
MD5 A Hash Algorithm….
Conclusion Bibliography Abstract
Chapter 8 Using secondary data
Advanced Technical Writing
Network Security.
MD5 A Hash Algorithm….
Efficient CRT-Based RSA Cryptosystems
How to Break MD5 and Other Hash Functions
CARP: Compression Aware Replacement Policies
Lesson 5. Lesson 5 Extraneous variables Extraneous variable (EV) is a general term for any variable, other than the IV, that might affect the results.
CAS CS 538 Cryptography.
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Chapter 11 – Message Authentication and Hash Functions
Security in Network Communications
Enhancements to Mesh Discovery
CS/ECE 478 Introduction to Network Security Dr. Attila Altay Yavuz
Enhancement to Mesh Discovery
Network Security.
Update on “Channel Models for 60 GHz WLAN Systems” Document
CIS 4930/6930 – Privacy-Preserving and Trustworthy Cyber-Systems Dr
Mitsuhiro HATTORI, Shoichi HIROSE, and Susumu YOSHIDA
SHA: Secure Hash Algorithm
Message Modification for Step on SHA-0
Finding MD5 Collisions – a Toy For a Notebook
The Secure Hash Function (SHA)
Keywords: MD5, collisions, multi-message modification.
Presentation transcript:

Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications Vlastimil Klima1) Independent cryptologist v.klima@volny.cz, http://cryptography.hyperlink.cz 1)This research was sponsored by LEC s.r.o., Prague, http://www.lec.cz Security and Protection of Information 2005, 3rd Int. Conference, Brno, Czech Republic, May 3 - 5, 2005

Hash functions One-way and collision-free Message… ……text..... .... text .... end padding One-way and collision-free … they are very robust and complex it is always exciting when a collision is found m(1) m(2) m(3) m(i) ............ m(n) f f f f IV H(i-1) H(i) H(n) compression function f

Hash functions One of the most important cryptanalytic articles of the last year was precisely the work of the Chinese team [1]: X. Wang, D. Feng, X. Lai, H. Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint Archive, Report 2004/199, http://eprint.iacr.org/2004/199 They presented MD5 collisions, but … no algorithm nor explanation in [1] as to how to find the collisions (we will further focus on MD5 only)

What we knew at the beginning from [1] M = x[0…15], M* = x*[0…15] x*[i] = x[i], except x*[4] = x[4] +231, x*[11] = x[11] +215, x*[14] = x[14] +231 N = y[0…15], N* =y*[0…15], y*[i] = y[i], except y*[4] = y[4] -231, y*[11] = y[11] -215, y*[14] = y[14] –231 H1* - H1 = (0, +231+225, +231+225, +231+225) , it took 1 hour on super comp. IBM P690 H2* - H2 = (0,0,0,0), it took 15s-5min. M N f f H 1 H IV 2 H * f 1 f M* N*

At the beginning… We were motivated by published data Our goal: to unveil the method and generate our collisions

Our results after three months we independently discovered a method of finding MD5 collisions our method is quicker finding the first block and slower in the second block our method seemed quite different from the unpublished Chinese method, because of different time behaviour It took the Chinese team about one hour using an IBM P690 supercomputer. Because the supercomputer is about 25 - 50 times faster, it would take 25-50 hours on a notebook. Our method takes approximately 8 hours on a notebook PC (Intel Pentium 1.6 GHz) Overall, our method is about 3 - 6 times faster

Comparing both methods Accidentally (do not find any purpose...): We published our preliminary version of our paper at eprint archive on March 5, 2005 Wang´s et al. paper was put on the web on March 6, 2005 When the Chinese method was published, we compared the original and our method we concluded that the methods are different in the technique and the same in consequences The method is called multi-message modification method We proposed several multi-message modification methods, the Chinese team presented only one example.

Differential scheme A change in one word x[i] leads to four changes, what leads to many changes in the next steps… Presetting values of some bits of Q[…] enables to control the changes through the scheme – we call it stationary conditions

Stationary conditions Hawkes et al. (in their great work [2] from October 2004) did not obtain collisions, but they very well described the sufficient stationary conditions Stationary conditions together with the differences in message words lead to the predefined differences in intermediate values Q in the first block and in the second block The predefined differences are called the differential path Stationary conditions with the differential path constitute the differential scheme We used the differential path from [1] and the stationary conditions from [2] [2] Philip Hawkes, Michael Paddon, Gregory G. Rose: Musings on the Wang et al. MD5 Collision, Cryptology ePrint Archive, Report 2004/264, 13 October 2004, http://eprint.iacr.org/2004/264.pdf

Stationary conditions in the first block Q[ 1]=Q[0 ]+RL(F(Q[0 ],Q[-1],Q[-2])+Q[-3]+x[0 ]+0xd76aa478, 7); 0 conds Q[ 2]=Q[1 ]+RL(F(Q[1 ],Q[0 ],Q[-1])+Q[-2]+x[1 ]+0xe8c7b756,12); 0 conds Q[ 3]=Q[2 ]+RL(F(Q[2 ],Q[1 ],Q[0 ])+Q[-1]+x[2 ]+0x242070db,17); 3 conds Q[ 4]=Q[3 ]+RL(F(Q[3 ],Q[2 ],Q[1 ])+Q[0 ]+x[3 ]+0xc1bdceee,22); 5 conds Q[ 5]=Q[4 ]+RL(F(Q[4 ],Q[3 ],Q[2 ])+Q[1 ]+x[4 ]+0xf57c0faf, 7); 24 conds Q[ 6]=Q[5 ]+RL(F(Q[5 ],Q[4 ],Q[3 ])+Q[2 ]+x[5 ]+0x4787c62a,12); 24 conds Q[ 7]=Q[6 ]+RL(F(Q[6 ],Q[5 ],Q[4 ])+Q[3 ]+x[6 ]+0xa8304613,17); 32 conds Q[ 8]=Q[7 ]+RL(F(Q[7 ],Q[6 ],Q[5 ])+Q[4 ]+x[7 ]+0xfd469501,22); 28 conds 240 conds Q[ 9]=Q[8 ]+RL(F(Q[8 ],Q[7 ],Q[6 ])+Q[5 ]+x[8 ]+0x698098d8, 7); 25 conds Q[10]=Q[9 ]+RL(F(Q[9 ],Q[8 ],Q[7 ])+Q[6 ]+x[9 ]+0x8b44f7af,12); 17 conds Q[11]=Q[10]+RL(F(Q[10],Q[9 ],Q[8 ])+Q[7 ]+x[10]+0xffff5bb1,17); 15 conds Q[12]=Q[11]+RL(F(Q[11],Q[10],Q[9 ])+Q[8 ]+x[11]+0x895cd7be,22); 12 conds Q[13]=Q[12]+RL(F(Q[12],Q[11],Q[10])+Q[9 ]+x[12]+0x6b901122, 7); 14 conds Q[14]=Q[13]+RL(F(Q[13],Q[12],Q[11])+Q[10]+x[13]+0xfd987193,12); 14 conds Q[15]=Q[14]+RL(F(Q[14],Q[13],Q[12])+Q[11]+x[14]+0xa679438e,17); 6 conds Q[16]=Q[15]+RL(F(Q[15],Q[14],Q[13])+Q[12]+x[15]+0x49b40821,22); 2 conds  ……….. Q[17]=Q[16]+RL(G(Q[16],Q[15],Q[14])+Q[13]+x[1 ]+0xf61e2562, 5); 4 conds Q[18]=Q[17]+RL(G(Q[17],Q[16],Q[15])+Q[14]+x[6 ]+0xc040b340, 9); 3 conds Q[19]=Q[18]+RL(G(Q[18],Q[17],Q[16])+Q[15]+x[11]+0x265e5a51,14); 2 conds Q[20]=Q[19]+RL(G(Q[19],Q[18],Q[17])+Q[16]+x[0 ]+0xe9b6c7aa,20); 1 cond 43 conds ….. Q[17] - Q[64]: 43 conds

Our Multi-message modification method in the first block Q[ 1]=Q[0 ]+RL(F(Q[0 ],Q[-1],Q[-2])+Q[-3]+x[0 ]+0xd76aa478, 7); 0 conds Q[ 2]=Q[1 ]+RL(F(Q[1 ],Q[0 ],Q[-1])+Q[-2]+x[1 ]+0xe8c7b756,12); 0 conds Q[ 3]=Q[2 ]+RL(F(Q[2 ],Q[1 ],Q[0 ])+Q[-1]+x[2 ]+0x242070db,17); 3 conds Q[ 4]=Q[3 ]+RL(F(Q[3 ],Q[2 ],Q[1 ])+Q[0 ]+x[3 ]+0xc1bdceee,22); 5 conds Q[ 5]=Q[4 ]+RL(F(Q[4 ],Q[3 ],Q[2 ])+Q[1 ]+x[4 ]+0xf57c0faf, 7); 24 conds Q[ 6]=Q[5 ]+RL(F(Q[5 ],Q[4 ],Q[3 ])+Q[2 ]+x[5 ]+0x4787c62a,12); 24 conds Q[ 7]=Q[6 ]+RL(F(Q[6 ],Q[5 ],Q[4 ])+Q[3 ]+x[6 ]+0xa8304613,17); 32 conds Q[ 8]=Q[7 ]+RL(F(Q[7 ],Q[6 ],Q[5 ])+Q[4 ]+x[7 ]+0xfd469501,22); 28 conds 240 conds Q[ 9]=Q[8 ]+RL(F(Q[8 ],Q[7 ],Q[6 ])+Q[5 ]+x[8 ]+0x698098d8, 7); 25 conds Q[10]=Q[9 ]+RL(F(Q[9 ],Q[8 ],Q[7 ])+Q[6 ]+x[9 ]+0x8b44f7af,12); 17 conds Q[11]=Q[10]+RL(F(Q[10],Q[9 ],Q[8 ])+Q[7 ]+x[10]+0xffff5bb1,17); 15 conds Q[12]=Q[11]+RL(F(Q[11],Q[10],Q[9 ])+Q[8 ]+x[11]+0x895cd7be,22); 12 conds Q[13]=Q[12]+RL(F(Q[12],Q[11],Q[10])+Q[9 ]+x[12]+0x6b901122, 7); 14 conds Q[14]=Q[13]+RL(F(Q[13],Q[12],Q[11])+Q[10]+x[13]+0xfd987193,12); 14 conds Q[15]=Q[14]+RL(F(Q[14],Q[13],Q[12])+Q[11]+x[14]+0xa679438e,17); 6 conds Q[16]=Q[15]+RL(F(Q[15],Q[14],Q[13])+Q[12]+x[15]+0x49b40821,22); 2 conds  ……….. Q[17]=Q[16]+RL(G(Q[16],Q[15],Q[14])+Q[13]+x[1 ]+0xf61e2562, 5); 4 conds Q[18]=Q[17]+RL(G(Q[17],Q[16],Q[15])+Q[14]+x[6 ]+0xc040b340, 9); 3 conds Q[19]=Q[18]+RL(G(Q[18],Q[17],Q[16])+Q[15]+x[11]+0x265e5a51,14); 2 conds Q[20]=Q[19]+RL(G(Q[19],Q[18],Q[17])+Q[16]+x[0 ]+0xe9b6c7aa,20); 1 cond 43 conds ….. Q[17] - Q[64]: 43 conds, in our method 33 conds remain (Wang et al. 37 conds) 1st step: Q[3-16] 2nd step 3rd step

One of our proposals of Multi-message modification method in the second block Q[ 1]=Q[0 ]+RL(F(Q[0 ],Q[-1],Q[-2])+Q[-3]+x[0 ]+0xd76aa478, 7); 7 conds Q[ 2]=Q[1 ]+RL(F(Q[1 ],Q[0 ],Q[-1])+Q[-2]+x[1 ]+0xe8c7b756,12); 20 conds Q[ 3]=Q[2 ]+RL(F(Q[2 ],Q[1 ],Q[0 ])+Q[-1]+x[2 ]+0x242070db,17); 23 conds Q[ 4]=Q[3 ]+RL(F(Q[3 ],Q[2 ],Q[1 ])+Q[0 ]+x[3 ]+0xc1bdceee,22); 26 conds Q[ 5]=Q[4 ]+RL(F(Q[4 ],Q[3 ],Q[2 ])+Q[1 ]+x[4 ]+0xf57c0faf, 7); 25 conds Q[ 6]=Q[5 ]+RL(F(Q[5 ],Q[4 ],Q[3 ])+Q[2 ]+x[5 ]+0x4787c62a,12); 24 conds Q[ 7]=Q[6 ]+RL(F(Q[6 ],Q[5 ],Q[4 ])+Q[3 ]+x[6 ]+0xa8304613,17); 20 conds Q[ 8]=Q[7 ]+RL(F(Q[7 ],Q[6 ],Q[5 ])+Q[4 ]+x[7 ]+0xfd469501,22); 18 conds 284 conds Q[ 9]=Q[8 ]+RL(F(Q[8 ],Q[7 ],Q[6 ])+Q[5 ]+x[8 ]+0x698098d8, 7); 17 conds Q[10]=Q[9 ]+RL(F(Q[9 ],Q[8 ],Q[7 ])+Q[6 ]+x[9 ]+0x8b44f7af,12); 18 conds Q[11]=Q[10]+RL(F(Q[10],Q[9 ],Q[8 ])+Q[7 ]+x[10]+0xffff5bb1,17); 15 conds Q[12]=Q[11]+RL(F(Q[11],Q[10],Q[9 ])+Q[8 ]+x[11]+0x895cd7be,22); 17 conds Q[13]=Q[12]+RL(F(Q[12],Q[11],Q[10])+Q[9 ]+x[12]+0x6b901122, 7); 17 conds Q[14]=Q[13]+RL(F(Q[13],Q[12],Q[11])+Q[10]+x[13]+0xfd987193,12); 17 conds Q[15]=Q[14]+RL(F(Q[14],Q[13],Q[12])+Q[11]+x[14]+0xa679438e,17); 9 conds Q[16]=Q[15]+RL(F(Q[15],Q[14],Q[13])+Q[12]+x[15]+0x49b40821,22); 2 conds  ……….. Q[17]=Q[16]+RL(G(Q[16],Q[15],Q[14])+Q[13]+x[1 ]+0xf61e2562, 5); 4 conds Q[18]=Q[17]+RL(G(Q[17],Q[16],Q[15])+Q[14]+x[6 ]+0xc040b340, 9); 3 conds Q[19]=Q[18]+RL(G(Q[18],Q[17],Q[16])+Q[15]+x[11]+0x265e5a51,14); 2 conds Q[20]=Q[19]+RL(G(Q[19],Q[18],Q[17])+Q[16]+x[0 ]+0xe9b6c7aa,20); 1 cond 36 conds ….. Q[17] - Q[64]: 36 conds, in our method 27 conds remain (Wang et al. 30 conds) 1st step 2nd step 3rd step

At the end… We experimentally verified our findings… First message: 0xA6,0x64,0xEA,0xB8,0x89,0x04,0xC2,0xAC, 0x48,0x43,0x41,0x0E,0x0A,0x63,0x42,0x54, 0x16,0x60,0x6C,0x81,0x44,0x2D,0xD6,0x8D, 0x40,0x04,0x58,0x3E,0xB8,0xFB,0x7F,0x89, 0x55,0xAD,0x34,0x06,0x09,0xF4,0xB3,0x02, 0x83,0xE4,0x88,0x83,0x25,0x71,0x41,0x5A, 0x08,0x51,0x25,0xE8,0xF7,0xCD,0xC9,0x9F, 0xD9,0x1D,0xBD,0xF2,0x80,0x37,0x3C,0x5B, 0x97,0x9E,0xBD,0xB4,0x0E,0x2A,0x6E,0x17, 0xA6,0x23,0x57,0x24,0xD1,0xDF,0x41,0xB4, 0x46,0x73,0xF9,0x96,0xF1,0x62,0x4A,0xDD, 0x10,0x29,0x31,0x67,0xD0,0x09,0xB1,0x8F, 0x75,0xA7,0x7F,0x79,0x30,0xD9,0x5C,0xEB, 0x02,0xE8,0xAD,0xBA,0x7A,0xC8,0x55,0x5C, 0xED,0x74,0xCA,0xDD,0x5F,0xC9,0x93,0x6D, 0xB1,0x9B,0x4A,0xD8,0x35,0xCC,0x67,0xE3. Second message: 0xA6,0x64,0xEA,0xB8,0x89,0x04,0xC2,0xAC, 0x48,0x43,0x41,0x0E,0x0A,0x63,0x42,0x54, 0x16,0x60,0x6C,0x01,0x44,0x2D,0xD6,0x8D, 0x40,0x04,0x58,0x3E,0xB8,0xFB,0x7F,0x89, 0x55,0xAD,0x34,0x06,0x09,0xF4,0xB3,0x02, 0x83,0xE4,0x88,0x83,0x25,0xF1,0x41,0x5A, 0x08,0x51,0x25,0xE8,0xF7,0xCD,0xC9,0x9F, 0xD9,0x1D,0xBD,0x72,0x80,0x37,0x3C,0x5B, 0x97,0x9E,0xBD,0xB4,0x0E,0x2A,0x6E,0x17, 0xA6,0x23,0x57,0x24,0xD1,0xDF,0x41,0xB4, 0x46,0x73,0xF9,0x16,0xF1,0x62,0x4A,0xDD, 0x10,0x29,0x31,0x67,0xD0,0x09,0xB1,0x8F, 0x75,0xA7,0x7F,0x79,0x30,0xD9,0x5C,0xEB, 0x02,0xE8,0xAD,0xBA,0x7A,0x48,0x55,0x5C, 0xED,0x74,0xCA,0xDD,0x5F,0xC9,0x93,0x6D, 0xB1,0x9B,0x4A,0x58,0x35,0xCC,0x67,0xE3.   Common MD5 hash: 0x2B,0xA3,0xBE,0x5A,0xA5,0x41,0x00,0x6B, 0x62,0x37,0x01,0x11,0x28,0x2D,0x19,0xF5.

Conclusions We proposed new method for MD5 collisions finding, independently on a description of the method by Wang et al. Our method is quicker It enables us to find collisions on a standard notebook PC in several hours

References [1] Xiaoyun Wang, Dengguo Feng, Xuejia Lai, Hongbo Yu: Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD, rump session, CRYPTO 2004, Cryptology ePrint Archive, Report 2004/199, first version (August 16, 2004), second version (August 17, 2004), http://eprint.iacr.org/2004/199.pdf [2] Philip Hawkes, Michael Paddon, Gregory G. Rose: Musings on the Wang et al. MD5 Collision, Cryptology ePrint Archive, Report 2004/264, 13 October 2004, http://eprint.iacr.org/2004/264.pdf [3] Vlastimil Klima: Finding MD5 Collisions – a Toy For a Notebook, Cryptology ePrint Archive, Report 2005/075, http://eprint.iacr.org/2005/075.pdf, March 5, 2005 [4] Vlastimil Klima: Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications, March 31, 2005, IACR ePrint archive, Report 2005/102, http://eprint.iacr.org/2005/102 / - preliminary version of this contribution [5] Xiaoyun Wang, Hongbo Yu: How to Break MD5 and Other Hash Functions, http://www.infosec.sdu.edu.cn/paper/md5-attack.pdf, published on the web on March 6, 2005

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.