
MD Collision Sought


Presentation Transcript


  1. MD Collision Sought
  • Marian Ščerbák, University of Pavol Jozef Šafárik, Košice

  2. MD5 algorithm
  • MD means "Message Digest" algorithm
  • The MD family has the MD1, MD2, MD3, MD4 and MD5 algorithms; MD5 is the most secure of this family
  • MD1 and MD3 were never published
  • Input is a file
  • Output is a 128-bit hash (message digest)
  • It works only "one-way"

  3. Usage of MD5
  • Verifying file integrity (digital fingerprint)
  • MD5 became a web standard: http://www.w3.org/TR/1998/REC-DSig-label/MD5-1_0
  • Hashing passwords: a very important function (system, digital signatures)
  • Digitally signed documents
  • Databases in two remote places (Australia, Norway)

  4. History of MD5
  • MD5 was designed by Ronald "Ron" Lorin Rivest in 1991 to be a more secure successor of the MD4 algorithm
  • 1993: a pseudo-collision in the compression function was announced
  • 2004: Wang's collision attack, which takes 1 hour on an IBM cluster
  • Klima's collision attack: on a notebook in 17 sec.
  • Still using MD5? :-)

  5. How it works
  • Append padding bits
  • The length of the message (M) must be congruent to 448 modulo 512 (bits)
  • Add a "1" bit at the end of M
  • Add "0" bits to fill the block to the requested length
  • Append length
  • Add the length of M (in a 64-bit representation) at the end of the message

  6. Initialize the Message Digest buffer
  • Using four 32-bit registers (A, B, C, D)
  • A := 01 23 45 67
  • B := 89 ab cd ef
  • C := fe dc ba 98
  • D := 76 54 32 10
  • (hexadecimal numbers, written byte by byte)

  7. Process the message in 16-word blocks
  • 4 rounds, each with 16 operations

  8. One step of the compression function
  • F: round function
  • Mi: message word
  • K: constant
  • A, B, C, D: registers
  • <<< s: left-rotate-by-s-bits function

  9. Output
  • The output is in the four registers A, B, C, D
  • Hash: A || B || C || D
  • Example:
  • Message 1: "Žltý kôň"
  • MD5: ecc35622b6252f75ae444420c78eaf2b
  • Message 2: "Zltý kôň"
  • MD5: 4002f8e5cec5e389c4f189f28c86d1c5
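The padding, the four-register buffer, the 16-word blocks and the 64 steps from slides 5 to 9, carried through as a complete MD5 in Python. This is an added example, not code from the presentation; the shift table, constants and message-word schedule follow RFC 1321, and the slide's byte-wise register values 01 23 45 67 etc. appear here as the little-endian words 0x67452301 etc.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF
# Per-step rotation amounts s and the additive constants K (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def rotl(x: int, s: int) -> int:
    """The <<< s operation from slide 8: 32-bit left rotation."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def pad(msg: bytes) -> bytes:
    """Slide 5: append a '1' bit, '0' bits up to 448 mod 512, then the 64-bit length."""
    bit_len = (len(msg) * 8) & 0xFFFFFFFFFFFFFFFF
    msg += b"\x80"                                   # the single '1' bit
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)     # zeros to 56 mod 64 bytes
    return msg + struct.pack("<Q", bit_len)          # length in bits, little-endian


def md5(msg: bytes) -> str:
    # Slide 6: the initial buffer A, B, C, D.
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    data = pad(msg)
    for off in range(0, len(data), 64):              # slide 7: 16-word (64-byte) blocks
        M = struct.unpack("<16I", data[off:off + 64])
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):                          # 4 rounds x 16 operations
            if i < 16:
                F, g = (B & C) | (~B & D), i
            elif i < 32:
                F, g = (D & B) | (~D & C), (5 * i + 1) % 16
            elif i < 48:
                F, g = B ^ C ^ D, (3 * i + 5) % 16
            else:
                F, g = C ^ (B | ~D), (7 * i) % 16
            F = (F + A + K[i] + M[g]) & MASK32       # slide 8: F + A + K + Mi
            A, D, C, B = D, C, B, (B + rotl(F, S[i])) & MASK32
        a0, b0, c0, d0 = [(x + y) & MASK32 for x, y in ((a0, A), (b0, B), (c0, C), (d0, D))]
    # Slide 9: the hash is A || B || C || D.
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check against the standard library's MD5 (same input, both digests compared)."""
    return md5(msg) == hashlib.md5(msg).hexdigest()
```

Changing the single first letter of the slide's example ("Žltý kôň" vs "Zltý kôň") yields two completely unrelated digests, which is the one-way, avalanche behaviour slide 2 refers to.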

  10. Attacks
  • 3 main methods: Wang's (differential path), message modification and tunneling
  • The first successful attack was announced by Wang
  • It takes 1 hour on an IBM cluster
  • Method:
  • We must find two 1024-bit messages (M, M*) with the same hash, where the difference (D) is constant
  • M = (M1, N1) => 1024 bits
  • M2 = M1 + D => N2 = N1 + D => M* = (M2, N2) => 1024 bits

  11. Now we must track the differences in the steps during the computation of M and M*
  • Q-3, Q-2, Q-1, Q0 and Q'-3, Q'-2, Q'-1, Q'0 are the start values
  • Q1-Q64 and Q'1-Q'64 denote the output of the i-th step during the computation of MD5(M) and MD5(M*)
  • Then 128 values ai are supplied (64 for each of the two blocks)
  • For M they must be such that MD5(M) = MD5(M*) => Q'i - Qi = ai during the computation of MD5(M) & MD5(M*)
  • and Q'i - Qi = ai during the computation of MD5(M1) & MD5(M1*)
  • D = Q'i - Qi
  • but I don't know where a comes from

  12. Message modification
  • Sufficient conditions (defined by Wang)
  • Commonly these methods are able to find collisions after computing a message which satisfies the POV (Point Of Verification), mostly in Q24 and later, so this is hard to compute
  • A POV is a point during the hash computation where the values are verified in the function (there are a lot of them, about 300)
  • We must compute 2^29 POVs to find the collision, so these methods are slow

  13. Tunneling
  • Was announced by V. Klima in 2005 and improved in 2006
  • Similar to the other methods
  • We do not have to compute the POV; we just try randomly for the first POV (birthday paradox)
  • If we find the first POV (Q24), we can compute the other POVs from the sufficient conditions using the differential path
  • From one POV we can get 2^29 POVs

  14. Extra conditions
  • Extra conditions are similar to sufficient conditions, but are not necessary for the given differential path
  • Several types of tunnels
  • These methods can compute POVs without changing some other bits in the other Qi
  • Klima's method can be used not just for the MD5 hash algorithm, but for other hash algorithms too (SHA-*, HAVAL etc.)
  • Will a SHA-2* collision attack be next?