Your Security in the IT Market Beyond the MD5 Collisions Daniel Joščák, S.ICZ a.s. & MFF UK 04/05/2007, SPI Brno

Your Security in the IT Market Chewing functions

Your Security in the IT Market Chewing functions

Your Security in the IT Market Iterated hash functions ►We would like to have a hash function h h : {0,1}* → {0,1} n ►We have so-called compression function f f : {0,1} b → {0,1} n ►Pad a message m to be a multiple of b bits long ►Iterate the compression function f

Your Security in the IT Market Collisions in MD5 ►Messages (M0||M1) ≠ (N0||N1), h (M0||M1) = h (N0||N1) ►We have real collisions producing algorithms and methods ●Wang et al. 04 ●Klíma 05 ●Liang and Lai 05 ●Stevens 05 and 06 (new target collisions) ●…

Your Security in the IT Market Attempts to improve MD5 ►3C, 3C+, … constructions by Gauravaram, Millan, Dawson, and Viswanathan 06 ►Ring Iterative Structures by Su, Yang, Yang, Zhang 06. ►Keep the compression function f and change Merkle-Damgård construction to obtain “better” function

Your Security in the IT Market Attempts to improve MD5 3C 3C+ Single Feedback Multiple Feedback

Your Security in the IT Market Properties of the collisions ►Messages (M0||M1) ≠ (N0||N1), h (M0||M1) = h (N0||N1) ►Fixed message and chaining differences: ●Δ0 = M0 − N0 = (0, 0, 0, 0, 2^31, 0, 0, 0, 0, 0, 0, +2^15, 0, 0, 2^31, 0) ●Δ1 = M1 − N1 = (0, 0, 0, 0, 2^31, 0, 0, 0, 0, 0, 0, −2^15, 0, 0, 2^31, 0) ●δ = IV1 − IV’1 = f(IV, M0) − f(IV, N0) = (2^31, 2^31 + 2^25, 2^31 + 2^25, 2^31 + 2^25)

Your Security in the IT Market 4-block collisions for 3C ►Algorithms work for any IV and have the fixed chaining differences ►We can find (M1||M2||M3||M4) ≠ (N1||N2||N3||N4) s.t. ●h 3C (M1||M2||M3||M4) = h 3C (N1||N2||N3||N4) ►Find 2 pairs of MD5 collisions such that: ●h(IV 0,M1||M2) = h(IV 0,N1||N2) = IV 2, ●h(IV 2,M3||M4) = h(IV 2,N3||N4).

Your Security in the IT Market 5-block collisions for 3C+ ►(M1||M2||M3||M4||M5) ≠ (N1||N2||N3||N4||N5) such that ●h 3C+ (M1||M2||M3||M4||M5) = h 3C+ (N1||N2||N3||N4||N5) ►Find 2 pairs of MD5 collisions such that: ●M1 = N1 ●h(IV 1,M2||M3) = h(IV 1,N2||N3) = IV 2, ●h(IV 3,M4||M5) = h(IV 3,N4||N5).

Your Security in the IT Market 4-block collisions for simple feedback ring iterative struct. ►We can find (M1||M2||M3||M4) ≠ (N1||N2||N3||N4) s.t. ●h sf (M1||M2||M3||M4) = h sf (N1||N2||N3||N4) ►Find just one pair of MD5 collisions: ●M1 = N1 ●h(IV 1,M2||M3) = h(IV 1,N2||N3), ●M4 = N4.

Your Security in the IT Market Conclusions ►Be aware of quick “secure” changes in algorithms ►Time for Advanced Hash Standard ●Competition Organized by NIST ●Submission deadline 3Q 2008 ►Problems are gift (Bruno Buchberger)

Your Security in the IT Market Thank you for your attention. Daniel Joščák S.ICZ a.s. MFF UK, Dept. of Algebra