MD Collision Sought
Marian Ščerbák
University of Pavol Jozef Šafárik, Košice

MD5 algorithm
● MD means "Message Digest" algorithm
● The MD family has the MD1, MD2, MD3, MD4 and MD5 algorithms; MD5 is the most secure of this family
● MD1 and MD3 were never published
● Input is a file
● Output is a 128-bit hash (message digest)
● It works only "one-way"

Usage of MD5
● Verifying file integrity (digital fingerprint)
MD5 became a web standard:
http://www.w3.org/TR/1998/REC-DSig-label/MD5-1_0
● Hashing passwords
A very important function (system, digital signatures)
● Digitally signed documents
● Databases in two remote places (Australia, Norway)

History of MD5
● MD5 was designed by Ronald "Ron" Lorin Rivest in 1991 to be a more secure successor of the MD4 algorithm
● 1993: a pseudo-collision in the compression function was announced
● 2004: Wang's collision attack; it takes 1 hour on an IBM cluster
● Klima's collision attack: on a notebook in 17 sec.
● Still using MD5? :-)

How it works
● Append padding bits
The length of the message (M) must be congruent to 448 modulo 512
Add the bit "1" at the end of M
Add "0" bits to fill the block to the requested length
● Append length
Add at the end of the message the length of M (in 64-bit representation)

Initialize the message digest buffer
Using four 32-bit registers (A, B, C, D)
A := 01 23 45 67
B := 89 ab cd ef
C := fe dc ba 98
D := 76 54 32 10
(hexadecimal numbers)

● Process the message in 16-word blocks
4 rounds, each with 16 operations

(Legend of the MD5 step figure)
● F: bit function
● Mi: message word
● K: constant
● A, B, C, D: registers
● <<< s: left rotate by s bits

Output
● Output is in the four registers A, B, C, D
● Hash: A || B || C || D
● Example:
Message 1: "Žltý kôň"
MD5: ecc35622b6252f75ae444420c78eaf2b
Message 2: "Zltý kôň"
MD5: 4002f8e5cec5e389c4f189f28c86d1c5

Attacks
● 3 main methods: Wang's (differential path), message modification and tunneling
● The first successful attack was announced by Wang
● It takes 1 hour on an IBM cluster
● Method:
We must find two 1024-bit messages (M, M*) with the same hash, where the difference (D) is constant
M = (M1, N1) => 1024 bits
M2 = M1 + D => N2 = N1 + D => M* = (M2, N2) => 1024 bits

Now we must track the differences in the steps during the computation of M and M*
Q_-3, Q_-2, Q_-1, Q_0 and Q'_-3, Q'_-2, Q'_-1, Q'_0 are the start values
Q_1 - Q_64 and Q'_1 - Q'_64 denote the output of the i-th step during the computation of MD5(M) and MD5(M*)
Then 128 values a_i are supplied (64 for both blocks)
For M it must hold that MD5(M) = MD5(M*) => Q'_i - Q_i = a_i during the computation of MD5(M) & MD5(M*)
and Q'_i - Q_i = a_i during the computation of MD5(M1) & MD5(M1*)
D = Q'_i - Q_i
but I don't know where a comes from
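The following is an added example, not part of the original slides: a from-scratch MD5 that follows the steps of slides 5–9 (padding, appended length, buffer initialisation, 16-word blocks, 4 rounds of 16 operations, output A || B || C || D) and records every step value Q_i, so that the difference tracking of slide 11 (Q'_i − Q_i during MD5(M) and MD5(M*)) can be observed. The message pair M, M* is constructed here (1024 bits, with a constant difference D = 2^31 added to one word of the first block); it is not a colliding pair, and the functions md5_trace, step_differences, first_divergence and add_word_difference are this example's own names. The result is checked against Python's hashlib.md5.

```python
# Added example, not from the original slides: MD5 built from the steps on slides
# 5-9, keeping every step value Q_i so the difference Q'_i - Q_i between MD5(M)
# and MD5(M*) from slide 11 can be observed. Verified against hashlib.md5.
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Step constants K[i] = floor(2^32 * |sin(i + 1)|) and rotation amounts s per round.
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Slide 6 bytes "01 23 45 67", ... are the little-endian encodings of these words.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def rotl(x: int, s: int) -> int:
    """<<< s: 32-bit left rotation."""
    return ((x << s) | (x >> (32 - s))) & MASK

def pad(msg: bytes) -> bytes:
    """Append bit '1', then '0' bits up to 448 mod 512, then the 64-bit length of M."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)

def compress(state, block: bytes, trace: list) -> tuple:
    """One 512-bit block: 4 rounds x 16 operations; each new register value is a Q_i."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)  # the 16 message words M_i of this block
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
        trace.append(b)  # Q_{i+1} of this block
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d)))

def md5_trace(msg: bytes):
    """Return (hex digest A||B||C||D, [Q_1, Q_2, ...] over all blocks)."""
    data = pad(msg)
    state, trace = IV, []
    for off in range(0, len(data), 64):
        state = compress(state, data[off:off + 64], trace)
    return struct.pack("<4I", *state).hex(), trace

def md5_hex(msg: bytes) -> str:
    return md5_trace(msg)[0]

def matches_hashlib(msg: bytes) -> bool:
    return md5_hex(msg) == hashlib.md5(msg).hexdigest()

def step_differences(m: bytes, m_star: bytes) -> list:
    """Q'_i - Q_i (mod 2^32) for every step of MD5(M) and MD5(M*), as on slide 11."""
    _, q = md5_trace(m)
    _, q_star = md5_trace(m_star)
    return [(qs - qi) & MASK for qi, qs in zip(q, q_star)]

def first_divergence(m: bytes, m_star: bytes):
    """1-based index of the first step i with Q'_i != Q_i, or None if the traces agree."""
    for i, delta in enumerate(step_differences(m, m_star), start=1):
        if delta:
            return i
    return None

def add_word_difference(msg: bytes, word_index: int, delta: int) -> bytes:
    """M* = M with little-endian 32-bit word `word_index` replaced by word + delta mod 2^32."""
    off = word_index * 4
    (w,) = struct.unpack_from("<I", msg, off)
    return msg[:off] + struct.pack("<I", (w + delta) & MASK) + msg[off + 4:]

# Constructed pair: M = (M1, N1) is 1024 bits; M* adds D = 2^31 to word 4 of M1.
# Not a colliding pair (that needs Wang's differential path): it only shows how a
# single-word difference first enters at step 5 and then spreads into every later Q_i.
M = bytes(range(128))
M_STAR = add_word_difference(M, 4, 1 << 31)

if __name__ == "__main__":
    print("matches hashlib:", matches_hashlib(M), matches_hashlib(M_STAR))
    print("MD5(M)  =", md5_hex(M))
    print("MD5(M*) =", md5_hex(M_STAR))
    print("first step with Q'_i != Q_i:", first_divergence(M, M_STAR))
```

Word 4 is first consumed in step 5 of round 1 (g = i there), so Q_1 to Q_4 are identical and the first non-zero difference appears at Q_5. Because the difference D = 2^31 is added before the rotation by s = 7, it shows up in Q_5 as ±64, and from then on the additive differences grow until the values are unrelated; a collision requires choosing M so that these differences follow the prescribed a_i instead, which is what the differential path does.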

Message modification
● sufficient conditions (defined by Wang)
● commonly these methods are able to find collisions after computing a message which satisfies the POV (Point Of Verification), mostly in Q_24 and later. So this is hard to compute.
● A POV is a point during the computation of the hash where the values are verified in the function (there are a lot of them, about 300)
● We must compute 2^29 POVs to find the collision, so these methods are slow

Tunneling
● was announced by V. Klima in 2005 and improved in 2006
● similar to the other methods
● we do not have to compute the POV, we just try random values for the first POV (birthday paradox)
● if we find the first POV (Q_24), we can compute the other POVs from the sufficient conditions using the differential path
● from one POV we can get 2^29 POVs

● extra conditions are similar to sufficient conditions, but not necessary for the given differential path
● several types of tunnels
● these methods can compute a POV without changing some other bits in the other Q_i
● Klima's method can be used not just for the MD5 hash algorithm, but in other hash algorithms too (SHA-*, HAVAL etc.)
● will a SHA-2* collision attack be next?