Download presentation

Presentation is loading. Please wait.

Published byDamien Lynn Modified about 1 year ago

1
MD5 Collisions Isabelle Stanton Chalermpong Worawannotai

2
Description of MD5 Takes any message and outputs an 128-bit hash. A message is padded so the length is a multiple of 512 by concatenating a 1 then 0’s and it’s length as a 64 bit number. Each 512 bit block is compressed individually

3
Continued Description The 512-bit block is divided into bit words There are 4 32-bit registers a, b, c and d. These are initially loaded with IV 0 and carry the hash values from one 512-bit block to the next It works in an iterative (chaining) process: H i+1 = f(H i,M i ) IV 0 =H 0 where M i is a 512 bit block.

4
Hash Chaining f H 0 =IV 0 fixed M1M1 H1H1 f H2H2 … f H n = H M2M2 MnMn M i 512 bits H i 128 bits

5
One small step For each f there are 4 rounds and each round has 16 steps T i and S i are fixed constant and depend only on the steps. Courtesy of

6
The Rounds M i =(w 0,…,w 15 ) For fixed i, 4 consecutive steps will yield a i+4 =b i +((a i +F i (b i,c i,d i )+w i +t i )<<~~
{
"@context": "http://schema.org",
"@type": "ImageObject",
"contentUrl": "http://images.slideplayer.com/11/3215540/slides/slide_5.jpg",
"name": "The Rounds M i =(w 0,…,w 15 ) For fixed i, 4 consecutive steps will yield a i+4 =b i +((a i +F i (b i,c i,d i )+w i +t i )<<~~~~
~~

7
The Non-Linear Functions F i changes every 16 steps F i (X,Y,Z)=(X^Y)ν(~X^Z)0≤i ≤15 F i (X,Y,Z)=(X^Z) ν(Y^~Z)16 ≤i ≤31 F i (X,Y,Z)=X Y Z32 ≤i ≤47 F i (X,Y,Z)=Y (X ν ~Z) 48 ≤i ≤63 This provides non-linearity so you can not extract the message from the hash

8
Finding Collisions MD5 has a 128 bit hash so a brute force attack to find a collision requires at most applications of MD5 and 2 64 by the birthday paradox Xiaoyun Wang and Hongbo Yu have an attack that requires 2 39 operations This attack takes at most an hour and 5 minutes on a IBM P690 (supercomputer)

9
Recall: Differential Cryptanalysis Find a particular ∆M such that a particular ∆H occurs with high probability In collision case, want ∆H = 0.

10
Differentials The attack uses two types of differentials XOR differential: ΔX=X X’ Modular differential: ΔX=X-X’ mod 2 32 For M=(m 0,…,m n-1 ) and M’=(m’ 0,…m’ n-1 ) the full hash differential is for a message of length 512n bits ΔH 0 -> ΔH 1 ->…-> ΔH n= ΔH If M and M’ are a collision pair ΔH=0

11
Round differentials ΔH i -> ΔH i+1 can be split into round differentials as well ΔH i ΔR 0 ΔR 1 ΔR 2 ΔR 3 =ΔH i+1 P0P0 P1P1 P2P2 P3P3

12
Probability Each of these differentials has a probabilistic relationship with the next. Ideally, we’d like to be able to set up 2 messages where we can guarantee with probability 1 that ΔH=0 This can be assured by modifying M so the first round differential will be what you want More modifications will improve the probability for the second, third and fourth round differentials ΔM 0 has been picked to improve this as well

13
The Attack Find M=(M 0,M 1 ) and M’=(M’ 0,M’ 1 ) ΔM 0 =M’ 0 -M 0 =(0,0,0,0,2 31,0,0,0,0,0,0,2 15,0,0,2 31,0) ΔM 1 =M’ 1 -M 1 =(0,0,0,0,2 31,0,0,0,0,0,0,-2 15,0,0,2 31,0) ΔH 1 =(2 31, , , ) i.e. M 0 and messages that does this is not a collision ΔM 0 has been picked to improve the probability that the round differentials will hold M’ 0 differ in the 5 th, 12 th and 15 th words only Same for M 1 and M’ 1. Every set of messages that does this is not a collision ΔM 0 has been picked to improve this as well

14
Message Modification It is easy to modify a message word so that the first non-zero step differential (after the 5 th step) is anything you want with probability 1 Modify multiple words to guarantee the round differentials with high probability Each modification to make one condition hold may make another not hold

15
Sufficient Conditions Δw 5 is first non-zero differential At the 8 th step Δw 5 has affected a, d and c so (Δc 2, Δd 2, Δa 2, Δb 1 )-> Δb 2 since Δb 1 =0 There are 13 conditions on a 2, c 2 and d 2 that will guarantee Δb 2 to be whatever you like with high probability Each characteristic has between 1 and 28 conditions for 30 characteristics for M 0 and 29 characteristics with between 2 and 25 conditions for M 1 for well over 200 conditions

16
Conditions for b i b 1,7 = 0 b 1,8 = c 1,8 b 1,9 = c 1,9 b 1,10 = c 1,10 b 1,11 = c 1,11 b 1,12 = 1 b 1,13 = c 1,13 b 1,14 = c 1,14 b 1,15 = c 1,15 b 1,16 = c 1,16 b 1,17 = c 1,17 b 1,18 = c 1,18 b 1,19 = c 1,19 b 1,20 = 1b 1,21 = c 1,21 b 1,22 = c 1,22 b 1,23 = c 1,23 b 1,24 = 0 b 1,32 = 1

17
Technique for M 0 Select random M 0 Modify M 0 so as many of the conditions hold as possible Create M 0 ’=M 0 + ΔM 0 This will result in ΔH 1 with probability Test this works This doesn’t require more then 2 39 MD5 operations

18
Technique for M 1 Select a random message M1 Modify M 1 so it meets the conditions M 1 ’ =M 1 + ΔM 0 Starting with ΔH 1 as IV the probability that H(M 1 )=H(M 1 ’) is Test the pair of messages for collisions

19
Creating More Collisions There are many M 1 s that will collide with any properly crafted M 0 You can also change the last two words of M 0 and maintain the conditions This reduces the amount of work needed

20
Actual Collisions M0 = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f ab7e4612 3e ffbb8 634ad55 2b3f e483 5a e fc9cdf7 f2bd1dd9 5b3c3780 M1=d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 cfdebf0 66f fb109d1 797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35 M0’=2dd31d1 c4eee6c5 69a3d69 5cf9af98 7b5ca2f ab7e4612 3e ffbb8 634ad55 2b3f e483 5a41f125 e fc9cdf7 72bd1dd9 5b3c3780 M1’=d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 cfdebf0 66f fb109d1 797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35 Hash: f a30f9dbf 9f65ffbc f41fc7ef

21
References How To Break MD5 and Other Hash Functions – Xiaoyun Wang and Hongbo Yu (they did the SHA-1 break as well) Guide to Hash Functions Cryptographic Hash Lounge (lists what functions have been broken and links to how) hflounge.html hflounge.html Questions?

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google