Description of MD5
- Takes any message and outputs a 128-bit hash.
- A message is padded so its length is a multiple of 512 bits by concatenating a 1, then 0's, and then its length as a 64-bit number.
- Each 512-bit block is compressed individually.
Continued Description
- The 512-bit block is divided into sixteen 32-bit words.
- There are four 32-bit registers a, b, c and d. These are initially loaded with $IV_0$ and carry the hash values from one 512-bit block to the next.
- It works in an iterative (chaining) process: $H_{i+1} = f(H_i, M_i)$, with $H_0 = IV_0$, where $M_i$ is a 512-bit block.
Hash Chaining (figure)
- $H_0 = IV_0$ (fixed); $H_1 = f(H_0, M_1)$, $H_2 = f(H_1, M_2)$, …, $H_n = f(H_{n-1}, M_n) = H$.
- Each $M_i$ is 512 bits; each $H_i$ is 128 bits.
One Small Step
- For each f there are 4 rounds and each round has 16 steps.
- $T_i$ and $S_i$ are fixed constants and depend only on the step.
- (Step diagram omitted; its credit line is truncated in the source.)
The Rounds
- $M_i = (w_0, \ldots, w_{15})$.
- For fixed i, 4 consecutive steps will yield
  $a_{i+4} = b_i + ((a_i + F_i(b_i, c_i, d_i) + w_i + t_i) \lll s_i)$
  $d_{i+4} = a_{i+4} + ((d_i + F_{i+1}(a_{i+4}, b_i, c_i) + w_{i+1} + t_{i+1}) \lll s_{i+1})$
  $c_{i+4} = d_{i+4} + ((c_i + F_{i+2}(d_{i+4}, a_{i+4}, b_i) + w_{i+2} + t_{i+2}) \lll s_{i+2})$
  $b_{i+4} = c_{i+4} + ((b_i + F_{i+3}(c_{i+4}, d_{i+4}, a_{i+4}) + w_{i+3} + t_{i+3}) \lll s_{i+3})$
- $t_i$ and $s_i$ are predefined step-dependent constants.
The Non-Linear Functions
- $F_i$ changes every 16 steps:
  $F_i(X,Y,Z) = (X \wedge Y) \vee (\neg X \wedge Z)$ for $0 \le i \le 15$
  $F_i(X,Y,Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$ for $16 \le i \le 31$
  $F_i(X,Y,Z) = X \oplus Y \oplus Z$ for $32 \le i \le 47$
  $F_i(X,Y,Z) = Y \oplus (X \vee \neg Z)$ for $48 \le i \le 63$
- This provides non-linearity so you cannot extract the message from the hash.
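The preceding slides (padding, the sixteen 32-bit words, the chained compression function f, the step equation with $t_i$ and $s_i$, and the four $F_i$) are shown together in the following implementation. This is an added example, not code from the slides or from Wang and Yu; the rotation table, the per-round message-word schedule and the feed-forward addition are standard MD5 (RFC 1321) details that the slides do not spell out, and the result is checked against Python's hashlib.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

# Per-step rotation amounts s_i and additive constants t_i = floor(2^32 * |sin(i + 1)|).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
IV0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl(x, n):
    """Rotate a 32-bit word left by n bits (the <<< operator on the slides)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def F(i, x, y, z):
    """Round-dependent boolean function F_i; it changes every 16 steps."""
    if i < 16:
        return ((x & y) | (~x & z)) & MASK
    if i < 32:
        return ((x & z) | (y & ~z)) & MASK
    if i < 48:
        return (x ^ y ^ z) & MASK
    return (y ^ (x | ~z)) & MASK


def word_index(i):
    """Which of the sixteen message words w_k step i consumes (round 1 uses w_i in order)."""
    if i < 16:
        return i
    if i < 32:
        return (5 * i + 1) % 16
    if i < 48:
        return (3 * i + 5) % 16
    return (7 * i) % 16


def pad(message: bytes) -> bytes:
    """Append a single 1 bit, then 0 bits up to 448 mod 512, then the bit length as 64 bits."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def compress(h, block: bytes):
    """The compression function f(H_i, M_i): 4 rounds of 16 steps over one 512-bit block."""
    w = struct.unpack("<16I", block)          # sixteen 32-bit little-endian words
    a, b, c, d = h                            # registers loaded with the chaining value
    for i in range(64):
        # One step: new = b + ((a + F_i(b, c, d) + w + t_i) <<< s_i)
        new = (b + rotl((a + F(i, b, c, d) + w[word_index(i)] + T[i]) & MASK, S[i])) & MASK
        a, b, c, d = d, new, b, c             # rotate registers so the next step updates the next one
    # Feed-forward: add the block's result to the incoming chaining value
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d)))


def md5(message: bytes) -> bytes:
    """H_0 = IV0, H_{i+1} = f(H_i, M_i) over every padded block; the last H is the digest."""
    h = IV0
    padded = pad(message)
    for offset in range(0, len(padded), 64):
        h = compress(h, padded[offset:offset + 64])
    return struct.pack("<4I", *h)


def md5_hex(message: bytes) -> str:
    return md5(message).hex()


if __name__ == "__main__":
    for msg in (b"", b"abc", b"x" * 200):
        assert md5_hex(msg) == hashlib.md5(msg).hexdigest()
    print(md5_hex(b"abc"))
```

Because `compress` is exposed, the chaining picture on the earlier slide can be traced block by block: every 64-byte slice of the padded message updates the four registers, and the digest is simply the last chaining value.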
Finding Collisions
- MD5 has a 128-bit hash, so a brute-force attack to find a collision requires at most $2^{128}$ applications of MD5, and $2^{64}$ by the birthday paradox.
- Xiaoyun Wang and Hongbo Yu have an attack that requires $2^{39}$ operations.
- This attack takes at most an hour and 5 minutes on an IBM P690 (supercomputer).
Recall: Differential Cryptanalysis
- Find a particular $\Delta M$ such that a particular $\Delta H$ occurs with high probability.
- In the collision case, we want $\Delta H = 0$.
Differentials
- The attack uses two types of differentials:
  XOR differential: $\Delta X = X \oplus X'$
  Modular differential: $\Delta X = X - X' \bmod 2^{32}$
- For $M = (m_0, \ldots, m_{n-1})$ and $M' = (m'_0, \ldots, m'_{n-1})$, a message of length $512n$ bits, the full hash differential is $\Delta H_0 \to \Delta H_1 \to \cdots \to \Delta H_n = \Delta H$.
- If M and M' are a collision pair, $\Delta H = 0$.
Round Differentials
- $\Delta H_i \to \Delta H_{i+1}$ can be split into round differentials as well:
  $\Delta H_i \xrightarrow{P_0} \Delta R_0 \xrightarrow{P_1} \Delta R_1 \xrightarrow{P_2} \Delta R_2 \xrightarrow{P_3} \Delta R_3 = \Delta H_{i+1}$
Probability
- Each of these differentials has a probabilistic relationship with the next.
- Ideally, we'd like to be able to set up 2 messages where we can guarantee with probability 1 that $\Delta H = 0$.
- This can be assured by modifying M so the first round differential will be what you want.
- More modifications will improve the probability for the second, third and fourth round differentials.
- $\Delta M_0$ has been picked to improve this as well.
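The three slides above (XOR versus modular differentials, and the probabilistic link from one differential to the next) can be seen concretely on a single MD5 step. The script below is an added example, not from the slides or from the Wang–Yu paper: it injects a difference into one message word, runs one round-1 step on random inputs, and tallies the output difference in both notations. The step function, the rotation amounts 7 and 12 and the chosen word differences $2^{31}$ and $2^{15}$ are standard MD5 values or constructed inputs, not the attack's actual characteristic. The optional `condition` predicate previews the idea of the Message Modification and Sufficient Conditions slides: discarding trials that violate a bit condition turns a "high probability" differential into a "probability 1" one.

```python
import random

MASK = 0xFFFFFFFF


def xor_diff(x, xp):
    """XOR differential: X xor X'."""
    return x ^ xp


def mod_diff(x, xp):
    """Modular differential: X - X' mod 2^32."""
    return (x - xp) & MASK


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def round1_step(a, b, c, d, w, t, s):
    """One round-1 MD5 step. Returns (pre-rotation sum, new value of b)."""
    f = ((b & c) | (~b & d)) & MASK
    total = (a + f + w + t) & MASK
    return total, (b + rotl(total, s)) & MASK


def step_differentials(delta_w, s, trials=20000, seed=1, condition=None):
    """Propagate an injected message-word difference through one step on random inputs.

    The pair is (w', w) with w' = w + delta_w, and every output difference is taken as
    modified minus original, so the injected difference shows up as +delta_w.
    `condition` is an optional predicate on the pre-rotation sum; trials that violate
    it are discarded, which models a sufficient condition that message modification
    would force to hold. Returns two dicts: {xor differential: count} and
    {modular differential: count}.
    """
    rng = random.Random(seed)   # constructed, seeded sample inputs
    xor_counts, mod_counts = {}, {}
    done = 0
    while done < trials:
        a, b, c, d, w, t = (rng.getrandbits(32) for _ in range(6))
        total, out = round1_step(a, b, c, d, w, t, s)
        if condition is not None and not condition(total):
            continue
        _, outp = round1_step(a, b, c, d, (w + delta_w) & MASK, t, s)
        xd, md = xor_diff(outp, out), mod_diff(outp, out)
        xor_counts[xd] = xor_counts.get(xd, 0) + 1
        mod_counts[md] = mod_counts.get(md, 0) + 1
        done += 1
    return xor_counts, mod_counts


def probability_of(counts, value):
    """Fraction of trials whose output differential equalled `value`."""
    return counts.get(value, 0) / sum(counts.values())


# Case 1: a difference in the top bit (2^31) with s = 7, MD5's first-step rotation.
# The pre-rotation XOR difference is always 2^31; after rotation and the final addition the
# modular differential is +2^6 or -2^6 (the sign depends on one bit of the rotated sum),
# while the XOR differential spreads over many values because of carries.
def msb_case():
    xd, md = step_differentials(1 << 31, 7)
    return len(xd), set(md), probability_of(md, 1 << 6)


# Case 2: a difference of 2^15 with s = 12. The modular differential after the step is
# 2^27 unless the carry chain in the pre-rotation sum crosses bit 20, which happens when
# bits 15..19 of that sum are all 1 (probability 2^-5). Forcing those bits not all 1 is a
# sufficient condition that makes the differential hold with probability 1.
def no_straddle(total):
    return ((total >> 15) & 0x1F) != 0x1F


def carry_case():
    _, md = step_differentials(1 << 15, 12)
    _, md_cond = step_differentials(1 << 15, 12, condition=no_straddle)
    return probability_of(md, 1 << 27), probability_of(md_cond, 1 << 27)


if __name__ == "__main__":
    print("MSB case (distinct XOR diffs, modular diffs, P[+2^6]):", msb_case())
    print("carry case (P[2^27] unconditioned, conditioned):", carry_case())
```

The two cases show why both notations are used: the XOR differential pins down which bits flip but not their sign, the modular differential keeps the sign but depends on carries, and a bit condition on an intermediate value is exactly what removes the remaining uncertainty.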
The Attack
- Find $M = (M_0, M_1)$ and $M' = (M'_0, M'_1)$ such that $M_0$ and $M'_0$ differ in the 5th, 12th and 15th words only. Same for $M_1$ and $M'_1$.
- Not every pair of messages that does this is a collision.
- $\Delta M_0$ has been picked to improve the probability that the round differentials will hold.
Message Modification
- It is easy to modify a message word so that the first non-zero step differential (after the 5th step) is anything you want with probability 1.
- Modify multiple words to guarantee the round differentials with high probability.
- Each modification made to make one condition hold may make another not hold.
Sufficient Conditions
- $\Delta w_5$ is the first non-zero differential.
- At the 8th step $\Delta w_5$ has affected a, d and c, so $(\Delta c_2, \Delta d_2, \Delta a_2, \Delta b_1) \to \Delta b_2$, since $\Delta b_1 = 0$.
- There are 13 conditions on $a_2$, $c_2$ and $d_2$ that will guarantee $\Delta b_2$ to be whatever you like with high probability.
- Each characteristic has between 1 and 28 conditions, for 30 characteristics for $M_0$, and 29 characteristics with between 2 and 25 conditions for $M_1$: well over 200 conditions in total.
Technique for M0
- Select a random $M_0$.
- Modify $M_0$ so that as many of the conditions hold as possible.
- Create $M'_0 = M_0 + \Delta M_0$.
- This will result in $\Delta H_1$ with probability $2^{-37}$.
- Test that this works.
- This doesn't require more than $2^{39}$ MD5 operations.
Technique for M1
- Select a random message $M_1$.
- Modify $M_1$ so it meets the conditions.
- $M'_1 = M_1 + \Delta M_0$.
- Starting with $\Delta H_1$ as IV, the probability that $H(M_1) = H(M'_1)$ is $2^{-30}$.
- Test the pair of messages for collisions.
Creating More Collisions
- There are many $M_1$s that will collide with any properly crafted $M_0$.
- You can also change the last two words of $M_0$ and maintain the conditions.
- This reduces the amount of work needed.
References
- How To Break MD5 and Other Hash Functions, Xiaoyun Wang and Hongbo Yu (they did the SHA-1 break as well)
- Guide to Hash Functions
- Cryptographic Hash Lounge (lists which functions have been broken and links to how)

Questions?