1 / 23

Hash Function Collisions: Overview, Attacks, and Demonstrations

This article provides a brief summary and demonstration of hash function collisions, focusing on attacks on MD5, SHA-0, and SHA-1. It covers the current state of hash collision situations and highlights existing algorithms and methods for finding collisions. The text is in English.

latoyab
Download Presentation

Hash Function Collisions: Overview, Attacks, and Demonstrations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Brief Summary and Demonstration of Hash functions Collisions July 2011

  2. Topics • Overview of attacks • MD5, SHA-0 and SHA-1 attack • Attack Demo

  3. Hash Collision at present • Hash collision situations • MD5 and SHA-0 already broken • SHA-1 insecure • Real existing collisions algorithms and methods

  4. The meaning of “Broken” • Hash function is cryptographically strong if no methods better than brute force are known (and n is big enough) • Hash function is cryptographically broken if a better • method has been found • MD5 has n= 128, brute force cost for : • Second preimage : 2n =2128 =3x1038 • Collision : 2n/2 = 264 =2x1019

  5. Bruce-force Attack Complexity

  6. What is regarded as secure? • 264 hash computations is at the edge of feasibility • with realistic investments in equipment and time • 128 bit hash not safe anymore against brute force collision attack • 280 hash computations is still infeasible • unless with major investments in equipment and time • 160 bit hash still safe against brute force collision attack

  7. Today’s Cryptanalysis • (second) preimages: • not known for MD5 (?), SHA-1, SHA-2 • Collisions: • MD5: easy • SHA-1: doable with lot of effort, no collision has been found yet • SHA-2: no attack known

  8. Topics • Overview of attacks • MD5, SHA-0 and SHA-1 attack • Attack Demo

  9. MD5 Attack • 2004 • First collision for MD5 presented • Two 128 byte messages with same MD5 hash value • Identical prefix collision attack • 15 minutes up to an hour on a IBM P690 with about 239 • 2005 • Attack method released • 2006 • Chosen-prefix collision (CPC) attack • Choose two arbitrary files (same length) • Make them collide by appending 716 ‘random’ bytes

  10. COLLISION IMPROVEMENTS • Rogue CA construction (<2048 bits) • Cluster of 215 PlayStation3s • Performing like 8600 pc cores • Complexity 250 using 30GB: • 1 day on cluster • Complexity 248.2 using a few TBs: • 1 day on 20 PS3s and 1 pc • 1 day on 8 NVIDIA GeForce GTX280s • 1 day on Amazon EC2 at the cost of $2,000 • Normal CPC • Complexity approx. 239 (<1 day on quadcore pc)

  11. MD5 Breakers • Xiaoyun Wang (China) • collisions for MD5 in 2004 • in a few hours on a big computer • Marc Stevens (Amsterdam) • MSc thesis 2007, TU/e • improved method, fully automated • collisions can now be found in about 1 second on a standard laptop

  12. Wang’s Collisions : Identical Prefix • identical prefix P • different collision blocks C, C’ • identical suffix S

  13. Steven’s Collisions : Chosen Prefix • Different prefixes P, P’ • different collision blocks NC, NC’ • identical suffix S

  14. SHA-0 Attack • 1998 • Possible collisions attack with 261 operations • 2004 • Full collisions found with 251 operations • 80,000 CPU hours with Itanium2 • 2004 • Collisions with 240 operations for SHA-0, MD5 and other • 2005 • Collisions with 239 operations

  15. SHA-1 Attack • 2005 • Collisons found in 280 operatons of reduced version of SHA-1--53 out of 80 rounds • 2006 • SHA-1-64 with 235 operations • 2010 • SHA-1-73 with 235 operations • Project HashClash : claim fully near collision attack with estimated complexity of 257.5

  16. Progress of Collision Attacks Attack complexities for MD5, SHA-1 and SHA-2

  17. Topics • Overview of attacks • MD5, SHA-0 and SHA-1 attack • Attack Demo

  18. SHA-0 Vectors • $ openssl sha s1 s2 • result : c9f160777d4086fe8095fba58b7e20c228a4006b a766a602 b65cffe7 73bcf258 26b322b3 d01b1a97 2684ef53 3e3b4b7f 53fe3762 24c08e47 e959b2bc 3b519880 b9286568 247d110f 70f5c5e2 b4590ca3 f55f52fe effd4c8f e68de835 329e603c c51e7f02 545410d1 671d108d f5a4000d cf20a439 4949d72c d14fbb03 45cf3a29 5dcda89f 998f8755 2c9a58b1 bdc38483 5e477185 f96e68be bb0025d2 d2b69edf 21724198 f688b41d eb9b4913 fbe696b5 457ab399 21e1d759 1f89de84 57e8613c 6c9e3b24 2879d4d8 783b2d9c a9935ea5 26a729c0 6edfc501 37e69330 be976012 cc5dfe1c 14c4c68b d1db3ecb 24438a59 a09b5db4 35563e0d 8bdf572f 77b53065 cef31f32 dc9dbaa0 4146261e 9994bd5c d0758e3d a766a602 b65cffe7 73bcf258 26b322b1 d01b1ad7 2684ef51 be3b4b7f d3fe3762 a4c08e45 e959b2fc 3b519880 39286528 a47d110d 70f5c5e0 34590ce3 755f52fc 6ffd4c8d 668de875 329e603e 451e7f02 d45410d1 e71d108d f5a4000d cf20a439 4949d72c d14fbb01 45cf3a69 5dcda89d 198f8755 ac9a58b1 3dc38481 5e4771c5 796e68fe bb0025d0 52b69edd a17241d8 7688b41f 6b9b4911 7be696f5 c57ab399 a1e1d719 9f89de86 57e8613c ec9e3b26 a879d498 783b2d9e 29935ea7 a6a72980 6edfc503 37e69330 3e976010 4c5dfe5c 14c4c689 51db3ecb a4438a59 209b5db4 35563e0d 8bdf572f 77b53065 cef31f30 dc9dbae0 4146261c 1994bd5c 50758e3d

  19. MD5 vectors • d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c 2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a 08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0 e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70 • d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c 2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a 08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0 e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70 • Each of these blocks has MD5 hash 79054025255fb1a26e4bc422aef54eb4

  20. MD5 Collision demo $ ls -al total 16 drwxr-xr-x 4 admin staff 136 Jul 16 17:05 . drwxr-xr-x 9 admin staff 306 Jul 16 16:40 .. -rwxr--r-- 1 admin staff 128 Jul 14 11:34 v1 -rwxr--r-- 1 admin staff 128 Jul 14 11:35 v2 $ md5 v*; openssl dgst -sha1 v* MD5 (v1) = 79054025255fb1a26e4bc422aef54eb4 MD5 (v2) = 79054025255fb1a26e4bc422aef54eb4 SHA1(v1)= a34473cf767c6108a5751a20971f1fdfba97690a SHA1(v2)= 4283dd2d70af1ad3c2d5fdc917330bf502035658

  21. Concat File Equivalence $ ls >f1 $ cat v1 f1 >w1 $ cat v2 f1 >w2 $ ls -al total 40 drwxr-xr-x 7 admin staff 238 Jul 16 17:07 . drwxr-xr-x 9 admin staff 306 Jul 16 16:40 .. -rw-r--r-- 1 admin staff 9 Jul 16 17:06 f1 -rwxr--r-- 1 admin staff 128 Jul 14 11:34 v1 -rwxr--r-- 1 admin staff 128 Jul 14 11:35 v2 -rw-r--r-- 1 admin staff 137 Jul 16 17:07 w1 -rw-r--r-- 1 admin staff 137 Jul 16 17:07 w2 $ md5 w*; openssl dgst -sha1 w* MD5 (w1) = e9dc7f025001005370d9140168895489 MD5 (w2) = e9dc7f025001005370d9140168895489 SHA1(w1)= d867ab657437652d1cd9df9b4c89d9810f35fc24 SHA1(w2)= 2e05a71ff6c16f57d6ca935a47360de6aefcfad5

  22. But how’s about $ md5 -s windows MD5 ("windows") = 0f4137ed1502b5045d6083aa258b5c42 http://md5.rednoize.com/

  23. Conclusions • The Internet is not completely broken • The affected CAs are switching to SHA-1

More Related