Presentation is loading. Please wait.

Presentation is loading. Please wait.

MD5 Collisions Isabelle Stanton Chalermpong Worawannotai.

Similar presentations


Presentation on theme: "MD5 Collisions Isabelle Stanton Chalermpong Worawannotai."— Presentation transcript:

1 MD5 Collisions Isabelle Stanton Chalermpong Worawannotai

2 Description of MD5 Takes any message and outputs an 128-bit hash. A message is padded so the length is a multiple of 512 by concatenating a 1 then 0’s and it’s length as a 64 bit number. Each 512 bit block is compressed individually

3 Continued Description The 512-bit block is divided into bit words There are 4 32-bit registers a, b, c and d. These are initially loaded with IV 0 and carry the hash values from one 512-bit block to the next It works in an iterative (chaining) process: H i+1 = f(H i,M i ) IV 0 =H 0 where M i is a 512 bit block.

4 Hash Chaining f H 0 =IV 0 fixed M1M1 H1H1 f H2H2 … f H n = H M2M2 MnMn M i 512 bits H i 128 bits

5 One small step For each f there are 4 rounds and each round has 16 steps T i and S i are fixed constant and depend only on the steps. Courtesy of

6 The Rounds M i =(w 0,…,w 15 ) For fixed i, 4 consecutive steps will yield a i+4 =b i +((a i +F i (b i,c i,d i )+w i +t i )<<

7 The Non-Linear Functions F i changes every 16 steps F i (X,Y,Z)=(X^Y)ν(~X^Z)0≤i ≤15 F i (X,Y,Z)=(X^Z) ν(Y^~Z)16 ≤i ≤31 F i (X,Y,Z)=X  Y  Z32 ≤i ≤47 F i (X,Y,Z)=Y  (X ν ~Z) 48 ≤i ≤63 This provides non-linearity so you can not extract the message from the hash

8 Finding Collisions MD5 has a 128 bit hash so a brute force attack to find a collision requires at most applications of MD5 and 2 64 by the birthday paradox Xiaoyun Wang and Hongbo Yu have an attack that requires 2 39 operations This attack takes at most an hour and 5 minutes on a IBM P690 (supercomputer)

9 Recall: Differential Cryptanalysis Find a particular ∆M such that a particular ∆H occurs with high probability In collision case, want ∆H = 0.

10 Differentials The attack uses two types of differentials XOR differential: ΔX=X  X’ Modular differential: ΔX=X-X’ mod 2 32 For M=(m 0,…,m n-1 ) and M’=(m’ 0,…m’ n-1 ) the full hash differential is for a message of length 512n bits ΔH 0 -> ΔH 1 ->…-> ΔH n= ΔH If M and M’ are a collision pair ΔH=0

11 Round differentials ΔH i -> ΔH i+1 can be split into round differentials as well ΔH i ΔR 0 ΔR 1 ΔR 2 ΔR 3 =ΔH i+1 P0P0 P1P1 P2P2 P3P3

12 Probability Each of these differentials has a probabilistic relationship with the next. Ideally, we’d like to be able to set up 2 messages where we can guarantee with probability 1 that ΔH=0 This can be assured by modifying M so the first round differential will be what you want More modifications will improve the probability for the second, third and fourth round differentials ΔM 0 has been picked to improve this as well

13 The Attack Find M=(M 0,M 1 ) and M’=(M’ 0,M’ 1 ) ΔM 0 =M’ 0 -M 0 =(0,0,0,0,2 31,0,0,0,0,0,0,2 15,0,0,2 31,0) ΔM 1 =M’ 1 -M 1 =(0,0,0,0,2 31,0,0,0,0,0,0,-2 15,0,0,2 31,0) ΔH 1 =(2 31, , , ) i.e. M 0 and messages that does this is not a collision ΔM 0 has been picked to improve the probability that the round differentials will hold M’ 0 differ in the 5 th, 12 th and 15 th words only Same for M 1 and M’ 1. Every set of messages that does this is not a collision ΔM 0 has been picked to improve this as well

14 Message Modification It is easy to modify a message word so that the first non-zero step differential (after the 5 th step) is anything you want with probability 1 Modify multiple words to guarantee the round differentials with high probability Each modification to make one condition hold may make another not hold

15 Sufficient Conditions Δw 5 is first non-zero differential At the 8 th step Δw 5 has affected a, d and c so (Δc 2, Δd 2, Δa 2, Δb 1 )-> Δb 2 since Δb 1 =0 There are 13 conditions on a 2, c 2 and d 2 that will guarantee Δb 2 to be whatever you like with high probability Each characteristic has between 1 and 28 conditions for 30 characteristics for M 0 and 29 characteristics with between 2 and 25 conditions for M 1 for well over 200 conditions

16 Conditions for b i b 1,7 = 0 b 1,8 = c 1,8 b 1,9 = c 1,9 b 1,10 = c 1,10 b 1,11 = c 1,11 b 1,12 = 1 b 1,13 = c 1,13 b 1,14 = c 1,14 b 1,15 = c 1,15 b 1,16 = c 1,16 b 1,17 = c 1,17 b 1,18 = c 1,18 b 1,19 = c 1,19 b 1,20 = 1b 1,21 = c 1,21 b 1,22 = c 1,22 b 1,23 = c 1,23 b 1,24 = 0 b 1,32 = 1

17 Technique for M 0 Select random M 0 Modify M 0 so as many of the conditions hold as possible Create M 0 ’=M 0 + ΔM 0 This will result in ΔH 1 with probability Test this works This doesn’t require more then 2 39 MD5 operations

18 Technique for M 1 Select a random message M1 Modify M 1 so it meets the conditions M 1 ’ =M 1 + ΔM 0 Starting with ΔH 1 as IV the probability that H(M 1 )=H(M 1 ’) is Test the pair of messages for collisions

19 Creating More Collisions There are many M 1 s that will collide with any properly crafted M 0 You can also change the last two words of M 0 and maintain the conditions This reduces the amount of work needed

20 Actual Collisions M0 = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f ab7e4612 3e ffbb8 634ad55 2b3f e483 5a e fc9cdf7 f2bd1dd9 5b3c3780 M1=d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 cfdebf0 66f fb109d1 797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35 M0’=2dd31d1 c4eee6c5 69a3d69 5cf9af98 7b5ca2f ab7e4612 3e ffbb8 634ad55 2b3f e483 5a41f125 e fc9cdf7 72bd1dd9 5b3c3780 M1’=d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 cfdebf0 66f fb109d1 797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35 Hash: f a30f9dbf 9f65ffbc f41fc7ef

21 References How To Break MD5 and Other Hash Functions – Xiaoyun Wang and Hongbo Yu (they did the SHA-1 break as well) Guide to Hash Functions Cryptographic Hash Lounge (lists what functions have been broken and links to how) hflounge.html hflounge.html Questions?


Download ppt "MD5 Collisions Isabelle Stanton Chalermpong Worawannotai."

Similar presentations


Ads by Google