MD Collision Sought
Marian Ščerbák, University of Pavol Jozef Šafárik, Košice

Post on 16-Dec-2015


TRANSCRIPT

Page 1: MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice

MD Collision Sought

Marian Ščerbák, University of Pavol Jozef Šafárik

Košice

Page 2: MD5 algorithm

MD means "Message Digest" algorithm. The MD family has the MD1, MD2, MD3, MD4 and MD5 algorithms; MD5 was designed to be the most secure of this family (the rest of these slides show why that no longer holds). MD1 and MD3 were never published. The input is a message of arbitrary length (typically a file). The output is a 128-bit hash (the message digest). It works only "one way": the message cannot be recovered from its digest.

Page 3: Usage of MD5

● Verifying file integrity (digital fingerprint)

MD5 became a web standard: http://www.w3.org/TR/1998/REC-DSig-label/MD5-1_0

● Hashing passwords

a very important function (system logins, digital signatures)

● Digitally signed documents

● Comparing databases kept in two remote places (e.g. Australia and Norway) by their digests instead of transferring the data

Page 4: History of MD5

● MD5 was designed by Ronald "Ron" Lorin Rivest in 1991 to be a more secure successor of the MD4 algorithm

● 1993: a pseudo-collision in the compression function was announced

● 2004: Wang's collision attack; it took about 1 hour on an IBM cluster

● Klima's collision attack: on a notebook in 17 seconds

● Still using MD5? :-)

Page 5: How it works

● Append padding bits

The length of the message (M), in bits, must be congruent to 448 modulo 512.

Add a single "1" bit at the end of M.

Add "0" bits to fill the block to the required length. (Padding is always performed, even if the length of M is already congruent to 448 modulo 512, so at least one bit and at most 512 bits are added.)

● Append length

Add at the end the length of M in bits, as a 64-bit representation (low-order word first). The padded message is now a multiple of 512 bits.

Page 6: Initialize Message Digest buffer

Four 32-bit registers (A, B, C, D) are used, initialized to the following hexadecimal byte values (written low-order byte first, as in RFC 1321):

A := 01 23 45 67

B := 89 ab cd ef

C := fe dc ba 98

D := 76 54 32 10

Page 7: How it works (continued)

● Process the message in blocks of 16 words (512 bits)

4 rounds, each with 16 operations (64 steps per block)

Page 8: One MD5 step (legend of the diagram)

● F: the round's bit function (F, G, H or I)

● Mi: a message word

● K: the step constant

● A, B, C, D: the registers

● <<< s: left rotate by s bits

Page 9: Output

● The output is the content of the four registers A, B, C, D

● Hash: A || B || C || D

● Example (a single changed character gives a completely different digest):

Message 1: "Žltý kôň"

MD5: ecc35622b6252f75ae444420c78eaf2b

Message 2: "Zltý kôň"

MD5: 4002f8e5cec5e389c4f189f28c86d1c5

Page 10: Attacks

● 3 main methods: Wang's (differential path), message modification and tunneling

● The first successful attack was announced by Wang

● It took 1 hour on an IBM cluster

● Method:

We must find two 1024-bit messages (M, M*) with the same hash, where the difference (D) between them is a fixed constant:

M = (M1, N1) => 1024 bits

M2 = M1 + D, N2 = N1 + D' => M* = (M2, N2) => 1024 bits

(each of the two blocks receives its own fixed difference; in Wang's attack the second block's difference is the first one with the sign of one word flipped, so that the differences cancel in the final chaining value)

Page 11: Attacks (continued)

Now we must track the differences in every step of the computation of MD5(M) and MD5(M*).

$Q_{-3}, Q_{-2}, Q_{-1}, Q_0$ and $Q'_{-3}, Q'_{-2}, Q'_{-1}, Q'_0$ are the start values (the initial buffer, or the chaining value left by the previous block).

$Q_1, \dots, Q_{64}$ and $Q'_1, \dots, Q'_{64}$ denote the output of the $i$-th step during the computation of MD5(M) and MD5(M*).

Then 128 values $a_i$ are supplied (64 for each of the two blocks). For M to satisfy MD5(M) = MD5(M*), the computation must follow this differential path: $Q'_i - Q_i = a_i$ for every step $i$ during the computation of MD5(M) and MD5(M*), and likewise $Q'_i - Q_i = a_i$ during the computation of MD5(M1) and MD5(M1*).

$D = Q'_i - Q_i$

but I don't know where the $a_i$ come from.
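The construction on pages 5 to 9 (padding, initial buffer, 4 x 16 steps, output A || B || C || D) and the step-by-step difference tracking of pages 10 and 11, as one added worked example. This is not code from the slides: it is a from-scratch MD5 following RFC 1321 whose compression function also records every step output $Q_1, \dots, Q_{64}$, plus a helper that applies a word difference D to a block and lists $Q'_i - Q_i \bmod 2^{32}$. The function names, the 64-byte demo block and the choice of difference (adding $2^{31}$ to message word 4, the most-significant-bit difference Wang-style attacks use) are assumptions made for the illustration; the pair is not a colliding pair.

```python
"""Added example (not from the slides): MD5 per RFC 1321 with a step trace, so
two related blocks M and M* can be compared step by step (Q'_i - Q_i mod 2^32).
The demo block and the +2^31 difference in word 4 are constructed for the
illustration and do NOT form a collision."""
import math
import struct

MASK32 = 0xFFFFFFFF
# Left-rotation amounts per step: four per round, repeated (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Step constants K[i] = floor(|sin(i + 1)| * 2^32).
K = [int(abs(math.sin(i + 1)) * 2**32) & MASK32 for i in range(64)]
# Initial buffer. The slides print A as the bytes 01 23 45 67, which is the
# little-endian encoding of the word 0x67452301.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_pad(message):
    """Append the '1' bit (0x80), zero bytes up to 448 mod 512 bits, then the
    original bit length as a 64-bit little-endian integer."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_compress(state, block):
    """One 512-bit block: 4 rounds x 16 steps. Returns the new chaining value
    and the list of step outputs Q_1..Q_64 (the new register B after each step)."""
    M = struct.unpack("<16I", block)
    a, b, c, d = state
    trace = []
    for i in range(64):
        if i < 16:    # round 1: F(B,C,D) = (B and C) or (not B and D), word i
            f, g = (b & c) | (~b & d), i
        elif i < 32:  # round 2: G(B,C,D) = (B and D) or (C and not D), word 5i+1
            f, g = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:  # round 3: H(B,C,D) = B xor C xor D, word 3i+5
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:         # round 4: I(B,C,D) = C xor (B or not D), word 7i
            f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
        t = (f + a + K[i] + M[g]) & MASK32
        a, d, c, b = d, c, b, (b + rotl(t, S[i])) & MASK32
        trace.append(b)
    new_state = tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))
    return new_state, trace


def md5_hex(message):
    """Full MD5: pad, compress block by block, output A || B || C || D."""
    state = IV
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):
        state, _ = md5_compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state).hex()


def add_word_difference(block, word_index, delta):
    """Copy of the 64-byte block with `delta` added (mod 2^32) to one 32-bit
    word: this is how a differential attack writes M* = M + D."""
    words = list(struct.unpack("<16I", block))
    words[word_index] = (words[word_index] + delta) & MASK32
    return struct.pack("<16I", *words)


def step_differences(block, block_star, state=IV):
    """Modular differences Q'_i - Q_i (mod 2^32), i = 1..64, when both blocks
    are compressed from the same chaining value."""
    _, q = md5_compress(state, block)
    _, q_star = md5_compress(state, block_star)
    return [(qs - qq) & MASK32 for qq, qs in zip(q, q_star)]


# Constructed demo block: a running byte pattern (hypothetical, not a real pair).
DEMO_BLOCK = bytes(range(64))
# Most-significant-bit difference in word 4, as in Wang's first-block difference.
DEMO_BLOCK_STAR = add_word_difference(DEMO_BLOCK, 4, 1 << 31)

if __name__ == "__main__":
    print("MD5('abc') =", md5_hex(b"abc"))
    for i, diff in enumerate(step_differences(DEMO_BLOCK, DEMO_BLOCK_STAR), start=1):
        print(f"Q'_{i} - Q_{i} = 0x{diff:08x}")
```

Two things the printout makes visible that the slides only state. First, $Q_1$ to $Q_4$ have difference 0, because round 1 consumes message word $i$ in step $i+1$ and the blocks first differ in word 4. Second, the difference at $Q_5$ is exactly $\pm 2^6$: adding $2^{31}$ modulo $2^{32}$ is the same as XOR-ing the top bit (no carry can propagate out of it), the rotation by $s = 7$ moves that bit to position 6, and only the final modular addition to B turns it into $+64$ or $-64$. This carry-free behaviour is why differential paths put their differences in the most significant bit; from $Q_6$ on the differences grow unpredictably unless the message satisfies the sufficient conditions the next slides describe.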

Page 12: Message modification

● sufficient conditions (defined by Wang)

● Commonly these methods are able to find collisions after computing a message which satisfies the POV (Point Of Verification), mostly at Q24 and later. Computing such a message is hard.

● A POV is a point during the hash computation where the intermediate values are verified against the conditions (there are a lot of them, about 300).

● We must compute about 2^29 POVs to find the collision, so these methods are slow.

Page 13: Tunneling

● announced by V. Klima in 2005 and improved in 2006

● similar to the other methods

● we do not have to compute the POV directly; we just try random messages until the first POV is reached (birthday paradox)

● once we reach the first POV (Q24), we can compute the other POVs from the sufficient conditions using the differential path

● from one POV we can get 2^29 POVs

Page 14: Tunneling (continued)

● extra conditions are similar to sufficient conditions, but are not necessary for the given differential path

● several types of tunnels exist

● this method can compute a POV without changing some of the other bits in the other Q_i

● Klima's method can be used not just for the MD5 hash algorithm, but for other hash algorithms too (SHA-*, HAVAL etc.)

● will a SHA-2* collision attack be next?