“Chinese” Attacks on Hashes

Topic
• Background
• “Chinese” collision attacks
• Results for MD4 and MD5 attacks
• What does it mean and what to do about it?
• Conclusion

March 11, 2006, Bing Wu (bwu@cs.washington.edu)

Background
• Two sides of a coin: developing new hash functions and breaking them.
• MD4 (1990) family hash functions and attacks on them.
• Breakthroughs by “Chinese” attacks in 2004 and 2005: MD4, MD5, HAVAL, RIPEMD, SHA-0, SHA-1.
• Best results:
  • MD4: 2^8 MD4 operations.
  • MD5: 2^39 MD5 operations for first blocks and 2^32 for second blocks.
  • SHA-1: 2^63 SHA-1 operations.

“Chinese” collision attacks
• Find a “low-Hamming-weight differential” Δ (a vector of almost all zeros) such that for messages M, the probability that h(MΔ) = h(M) is larger than it should be.
• Basically, the attacks involve three steps:
  • Find a collision differential for which M and M’ probably produce a collision.
  • Derive a set of sufficient conditions which ensure that the collision differential holds.
  • Modify M so that almost all of the sufficient conditions hold. This is done with two types of message modification techniques, termed “single-step modification” and “multi-step modification”. This greatly improves the probability that M and M’ produce a collision.

Results for MD4 and MD5 attacks
• Computational resource: My PC, Pentium 4, 3.40G, WinXP.
• C programs on Unix/Linux (Cygwin on Windows).
• Results for “Chinese” attacks on MD4 and MD5:
  • MD4: about 5 seconds to produce a collision.
  • MD5: about 1 hour to produce a collision.

What does it mean and what to do about it?
• Hash functions such as MD5 are no longer useful as digital signature hashes.
• No panic. The attacks are attacks on collision resistance, not pre-image attacks. Applications that use hashes, such as HMAC-MD5 protocols, are still fine.
• Don’t use MD4, MD5, HAVAL, RIPEMD, SHA-0, and avoid SHA-1 if possible.
• Upgrade to stronger ones, such as SHA-2.
• VSH is about the best generally published hash function, but needs more review.
• Alternative approaches:
  1) Protocols that do not require the hash function to be collision resistant, such as adding randomness to hash functions.
  2) Message pre-processing to convert plaintext messages into a form that makes all existing collision attacks inapplicable.
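
The points above about HMAC and about adding randomness to hash functions, as an added example that is not part of the original slides: a pair of messages that collides under a weak hash stops colliding once the signer mixes in a fresh salt or a secret key. Assumptions: the weak hash is a constructed stand-in (SHA-256 truncated to 24 bits, not MD5), the salt-prefix scheme is one simple way to add randomness rather than a scheme named on the slides, and all function names are hypothetical.

```python
import hashlib
import os

BITS = 24  # constructed toy digest size, small enough for a quick birthday search


def weak_hash(data: bytes) -> bytes:
    """Stand-in for a collision-broken hash: SHA-256 truncated to BITS bits."""
    return hashlib.sha256(data).digest()[: BITS // 8]


def find_collision():
    """Birthday search: return two distinct messages with equal weak_hash."""
    seen = {}
    counter = 0
    while True:
        msg = b"contract-%d" % counter  # constructed sample messages
        digest = weak_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        counter += 1


def randomized_digest(msg: bytes, salt: bytes) -> bytes:
    """Digest to be signed: a salt picked by the signer, then the message."""
    return weak_hash(salt + msg)


def keyed_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC construction over weak_hash (64-byte block, key of at most 64 bytes)."""
    key = key.ljust(64, b"\x00")
    inner = weak_hash(bytes(b ^ 0x36 for b in key) + msg)
    return weak_hash(bytes(b ^ 0x5C for b in key) + inner)


def surviving_collisions(m1: bytes, m2: bytes, trials: int = 200) -> int:
    """Count fresh salts under which the precomputed pair still collides."""
    salts = (os.urandom(16) for _ in range(trials))
    return sum(randomized_digest(m1, s) == randomized_digest(m2, s) for s in salts)


if __name__ == "__main__":
    m1, m2 = find_collision()
    key = b"k" * 16  # constructed sample key
    print("plain digests equal:", weak_hash(m1) == weak_hash(m2))
    print("collisions surviving a fresh salt:", surviving_collisions(m1, m2))
    print("keyed tags equal:", keyed_tag(key, m1) == keyed_tag(key, m2))
```

The 24-bit digest only makes the offline collision search fast; a short digest remains open to online guessing, so this shows why precomputed collisions stop working, not a usable parameter choice.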

Conclusion
• “Chinese” attacks on hashes are remarkable results in cryptography.
• They make people upgrade their systems to employ better hash functions, as well as develop new and more collision-resistant hash functions.
• They greatly help us achieve a more secure digital world.