Introduction Description of MD5. Message Modification Generate Messages Summary

Similar documents
Beyond the MD5 Collisions

A Study of the MD5 Attacks: Insights and Improvements

Improved Collision Attack on MD5

Attacks on hash functions. Birthday attacks and Multicollisions

CPSC 467: Cryptography and Computer Security

Hash Functions. A hash function h takes as input a message of arbitrary length and produces as output a message digest of fixed length.

Week 12: Hash Functions and MAC

Weaknesses in the HAS-V Compression Function

CPSC 467: Cryptography and Computer Security

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

Cryptanalysis on HMAC/NMAC-MD5 and MD5-MAC

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Attacks on hash functions: Cat 5 storm or a drizzle?

Finding good differential patterns for attacks on SHA-1

CPSC 467: Cryptography and Computer Security

SMASH - A Cryptographic Hash Function

Improved Collision Search for SHA-0

Full-Round Differential Attack on the Original Version of the Hash Function Proposed at PKC 98

Cryptanalysis of the Hash Functions MD4 and RIPEMD

How to Find the Sufficient Collision Conditions for Haval-128 Pass 3 by Backward Analysis

Public-key Cryptography: Theory and Practice

Cryptographic Hash Functions Part II

Foundations of Network and Computer Security

Linearization and Message Modification Techniques for Hash Function Cryptanalysis

Introduction to Information Security

Analysis of SHA-1 in Encryption Mode

Efficient Collision Search Attacks on SHA-0

SMASH - A Cryptographic Hash Function

A Composition Theorem for Universal One-Way Hash Functions

Notes for Lecture 9. 1 Combining Encryption and Authentication

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 11 Hash Functions ver.

Foundations of Network and Computer Security

Lecture 14: Cryptographic Hash Functions

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

2: Iterated Cryptographic Hash Functions

New Attacks on the Concatenation and XOR Hash Combiners

A New Paradigm for Collision-free Hashing: Incrementality at Reduced Cost

Martin Cochran. August 24, 2008

Preimage Attacks on 3, 4, and 5-pass HAVAL

Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash Function

Introduction to Cybersecurity Cryptography (Part 4)

The Hash Function JH 1

Hash Function Balance and its Impact on Birthday Attacks

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

The Impact of Carries on the Complexity of Collision Attacks on SHA-1

Introduction to Cybersecurity Cryptography (Part 4)

Preimage Attacks on 3, 4, and 5-Pass HAVAL

A (Second) Preimage Attack on the GOST Hash Function

Preimages for Step-Reduced SHA-2

The SHA Family of Hash Functions: Recent Results

Symmetric Ciphers. Mahalingam Ramkumar (Sections 3.2, 3.3, 3.7 and 6.5)

Avoiding collisions Cryptographic hash functions. Table of contents

Preimage Attacks on Reduced Tiger and SHA-2

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Cryptographic Hash Functions

The Hash Function Fugue

Evaluation Report. Security Level of Cryptography SHA-384 and SHA- 512

H Definition - hash function. Cryptographic Hash Functions - Introduction. Cryptographic hash functions. Lars R. Knudsen.

Crypto Engineering (GBX9SY03) Hash functions

Why not SHA-3? A glimpse at the heart of hash functions.

Distinguishing Attacks on MAC/HMAC Based on A New Dedicated Compression Function Framework

Cryptanalysis of FORK-256

Gröbner Basis Based Cryptanalysis of SHA-1

Provable Seconde Preimage Resistance Revisited

Finding MD5 Collisions a Toy For a Notebook

Breaking H 2 -MAC Using Birthday Paradox

TheImpactofCarriesontheComplexityof Collision Attacks on SHA-1

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Second Preimages for Iterated Hash Functions and their Implications on MACs

Practical Free-Start Collision Attacks on 76-step SHA-1

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Distinguishers for the Compression Function and Output Transformation of Hamsi-256

STEP Support Programme. Hints and Partial Solutions for Assignment 17

General Distinguishing Attacks on NMAC and HMAC with Birthday Attack Complexity

A block cipher enciphers each block with the same key.

Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions

Nanyang Technological University, Singapore École normale supérieure de Rennes, France

New attacks on Keccak-224 and Keccak-256

Pseudo-cryptanalysis of the Original Blue Midnight Wish

Impact of Rotations in SHA-1 and Related Hash Functions

Chapter 5. Hash Functions. 5.1 The hash function SHA1

5199/IOC5063 Theory of Cryptology, 2014 Fall

Avoiding collisions Cryptographic hash functions. Table of contents

Practical Free-Start Collision Attacks on full SHA-1

REU 2015: Complexity Across Disciplines. Introduction to Cryptography

Full Key-Recovery Attacks on HMAC/NMAC-MD4 and NMAC-MD5

Functional Graph Revisited: Updates on (Second) Preimage Attacks on Hash Combiners

Known and Chosen Key Differential Distinguishers for Block Ciphers

Cryptographic Hashing

Hashes and Message Digests Alex X. Liu & Haipeng Dai

CHAPTER 9: ANALYSIS OF THE SHA AND SHA-l HASH ALGORITHMS

Higher Order Universal One-Way Hash Functions

Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications

1 Cryptographic hash functions

Lecture 10 - MAC s continued, hash & MAC

New Preimage Attacks Against Reduced SHA-1

Abelian Square-Free Dithering and Recoding for Iterated Hash Functions

Further progress in hashing cryptanalysis

Foundations of Network and Computer Security

Transcription:

How to Break MD5 and other hash functions Xiaoyun Wang and Hongbo Yu (China) Presented by: Saar Benodiz May 2012

Outline Introduction Description of MD5 Differential Attack for Hash Functions Message Modification Generate Messages Summary

Introduction MD5 was designed in 1992 as an improvement of MD4. In this lecture we present a new powerful attack on MD5 which allows us to find collisions efficiently. We used this attack to find collision of MD5 in about 15 minutes up to an hour computation time.

Introduction The attack is a differential attack, which unlike most differential attack, does not use the exclusive-or as a measure of difference, but instead uses also modular integer subtraction as the measure. An application of this attack to MD4 can find collision in less than a fraction of a second. This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

Description of MD5 Take messages of size up to 2 64 and outputs 128 bit. A message is padded so the length is a multiple of 512. Each 512 bit block is compressed individually (Merkle-Damgard) IV is 4 word each 32-bit a,b,c,d. The output of each f is a,b,c,d for next level.

Description of MD5 Let h i-1 =(a 0, b 0, c 0, d 0 ) Let M i message block be M i =(w 0,w 1,, w 15 ) For i=0 to 63 a i+1 =d i d i+1 =c i c i+1 =b i b i+1 =b i +(a i+ F i (b i,c i,d i )+w g(i) +k i )<<<s i All additions are modulo 2 32

Description of MD5 For each f there are 4 rounds and each round has 16 steps For fixed i, 4 consecutive steps will yield a i+4 =b i +((a i +F i (b i,c i,d i )+w g(i) +k i )<<<s i ) d i+4 =a i +((d i +F i+1 (a i,b i,c i )+w g(i+1) +k i+1 )<<<s i+1 ) c i+4 =d i +((c i +F i+2 (d i,a i,b i )+w g(i+2) +k i+2 )<<<s i+2 ) b i+4 =c i +((b i +F i+3 (c i,d i,a i )+w g(i+3) +k i+3 )<<<s i+3 )

Description of MD5 Each round, a different message word is used, a different round constant is used, and a different function and rotations, this provides non-linearity. F i (X,Y,Z)=(X^Y)ν(~X^Z) 0 i 15 F i (X,Y,Z)=(X^Z) ν(y^~z) 16 i 31 F i (X,Y,Z)=X Y Z 32 i 47 F i (X,Y,Z)=Y (X ν ~Z) 48 i 63 Ki is constant that based on sin

Finding Collisions on MD5 MD5 has a 128 bit hash so a brute force attack to find a collision requires at most 2 128 applications of MD5 and 2 64 by the birthday paradox In 1993, B. den Boer and A. Bosselaers found collision of the same message with two different sets of initial values. In 1996 H. Dobbertin presented collision of two different block with chosen IV

Finding Collisions on MD5 Xiaoyun Wang and Hongbo Yu show an attack that requires 2 39 + 2 32 MD5 operations This attack takes at most an hour and 5 minutes on a IBM P690 (supercomputer) we want to find a pair (M0, M1) and (M0, M1 ) such that:

Differential Attack for Hash Functions The attack uses two types of differentials XOR differential: X=X X Modular differential: X= X -X mod 2 32 (2 31-2 31 ) The combination of both kinds of differences give us more information than each of them keep by itself.

Differential Attack for Hash Functions For example When X -X= 2 6 the xor diffrents can have many possibilities. 1.One-bit difference in bit 7, i.e., 0x00000040. In this case means that bit 7 in X is 1 and bit 7 in X is 0. X is 0. X = 0100 0000 X = 0000 0000 2.Two-bit difference, in which a different carry is transferred from bit 7 to bit 8, i.e., 0x000000C0. X = 1000 0000 X = 0100 0000

Differential Attack for Hash Functions Xor difference is marked by the list of active bits with their relative sign,for example, the difference -2 6 [7,8,9,...22,-23] All bits of X from bit 7 to bit 22 are 0, and bit 23 is 1, while all bits of X` from bit 7 to bit 22 are 1, and bit 23 is 0. For M=(m 0,,m n-1 ) and M =(m 0, m n-1 ) the full hash differential is: H 0 -> H 1 -> -> H n= H If M and M are a collision pair H=0

Round Differential Provided that the hash function as 4 rounds and each round as 16 step we can represent each function as: H i -> H i+1 : P 1 P 2 P 3 P 4 H i --> R i+1,1 --> R i+1,2 --> R i+1,3 --> R i+1,4= H i+1 And each round as: P j,1 P j,2 P j,16 R j-1 --> x 1 -->. --> x 16= R j The probability P of H i -> H i+1 is:

Round Differential Each of these differentials has a probabilistic relationship with the next. Ideally, we d like to be able to set up 2 messages where we can guarantee with probability 1 that H=0 This can be assured by modifying M so the first round differential will be what you want More modifications will improve the probability for the second, third and fourth round differentials M 0 has been picked to improve this as well

Differential Attack on MD5 Find M=(M 0,M 1 ) and M =(M 0,M 1 ) M 0 =M 0 -M 0 =(0,0,0,0,2 31,0,0,0,0,0,0,2 15,0,0,2 31,0) M 1 =M 1 -M 1 =(0,0,0,0,2 31,0,0,0,0,0,0,-2 15,0,0,2 31,0) H 1 =(2 31,2 31 +2 25,2 31 +2 25,2 31 +2 25 ) M 0 has been picked to improve the probability that the M 0 has been picked to improve the probability that the round differentials will hold( H 1 ). M 0 differ in the 5 th, 12 th and 15 th words only Same for M 1 and M 1. M 1 has been selected not only to ensure both 3-4 round differentials will hold, but also to produce output difference that can be cancelled with the output difference H 1

Sufficient Conditions Step Chaining Variable for M0 Message Word for M0 Shift Rotation Message Word Difference Chaining Variable Difference Chaining Variable for M0

Sufficient Conditions Derive a set of sufficient conditions that guarantee the differential characteristic in Step 8 of MD5 (Table 3) to hold: The differential characteristic in Step 8 of MD5 is: Each chaining variable satisfies one of the following equations. a 1, b 1, c 1, d 1 respectibely denote the outputs of the (4i-3)-th, (4i-2)-th,(4i-1)-th and 4i-th steps for compressing M wherere 1>=i<=16. a`1, b`1, c`1, d`1 are defined similarly 2012/5/9 OPLAB, Dep. of Information Management, NTU 18 / 67

Sufficient Conditions According to the operations in the 8-th step, we have By the similar method, we can derive a set of sufficient conditions (see Table 4 and Table 6) which guarantee all the differential characteristics in the collision differential to hold.

Sufficient Conditions Table 4

Message Modification It is easy to modify M 0 such that the conditions of round 1 in Table 4 hold with probability 1 For example We want c 1,7 =0, c 1,12 =0, c 1,20 =0 So we modify m 2 as follows.

Message Modification By modifying each message word of message m 0, all the conditions in round 1 of Table 4 hold (first 16 step). The first iterations differential hold with probability 2-43. The same modification is applied to m 1,After modification, the second iterations differential hold with probability 2-37.

Multi-Message Message Modification It is even possible to fulfill a part of the conditions of the first 32 steps by a multimessage modification. For example, a 5,32 = 1, we correct it into a 5,32 = 0 by modifying m 1, m 2, m 3, m 4, m 5 such that the modification generates a partial collision from 2-6 steps, and remains that all the conditions in round 1 hold. Some other conditions can be corrected by the similar modification technique.

Message Modification By our modification, 37 conditions in round 2-4 are undetermined in the table 4, and 30 conditions in round 2-4 are undetermined in the table 6. So the first iteration differential hold with probability 2-37. The second iteration differential hold with probability 2-30.

Generate M 0+ M`0 Select random message M 0 Modify M 0 so it meets the conditions M 0 =M 0 + M 0 This will result in H 1 with probability 2-37 Test the messages on MD5. This doesn t require more then 2 39 MD5 operations

Generate M 1+ M`1 Select random message M 1 Modify M 1 so it meets the conditions M 1 =M 1 + M 1 Use H 1 as IV, The probability that H =0 is 2-30 Test if the messages lead to a collision. This doesn t require more then 2 32 MD5 operations

Creating More Collisions To select another message M 0 is only to change the last two words from the previous selected message M 0. it is easy to find many second blocks M, it is easy to find many second blocks M 1, M`1 which lead to collisions.

Summary This paper described a powerful attack against hash functions, and in particular showed that finding a collision of MD5 is easily feasible. This attack is also able to break efficiently other hash functions, such as HAVAL-128, MD4, RIPEMD, and SHA-0.

References How To Break MD5 and Other Hash Functions Xiaoyun Wang and Hongbo Yu www.cs.virginia.edu/cs588/lectures/md5- collisions.ppt

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback