Description of MD5: Takes any message and outputs a 128-bit hash. A message is padded so that its length is a multiple of 512 bits by concatenating a 1, then 0's, and its length as a 64-bit number. Each 512-bit block is compressed individually.
Continued Description: The 512-bit block is divided into 16 32-bit words. There are 4 32-bit registers a, b, c and d. These are initially loaded with $IV_0$ and carry the hash values from one 512-bit block to the next. It works in an iterative (chaining) process: $H_{i+1} = f(H_i, M_i)$, $IV_0 = H_0$, where $M_i$ is a 512-bit block.
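Hash Chaining: [Diagram: $H_0 = IV_0$ (fixed) and $M_1$ enter $f$ to give $H_1$; $H_1$ and $M_2$ enter $f$ to give $H_2$; and so on until the last $f$ takes $M_n$ and outputs $H_n = H$. Each $M_i$ is 512 bits and each $H_i$ is 128 bits.]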
One small step: For each f there are 4 rounds and each round has 16 steps. $T_i$ and $S_i$ are fixed constants and depend only on the step. Courtesy of
The Rounds: $M_i = (w_0, \ldots, w_{15})$. For fixed $i$, 4 consecutive steps will yield $a_{i+4} = b_i + ((a_i + F_i(b_i, c_i, d_i) + w_i + t_i) <<$
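The Non-Linear Functions: $F_i$ changes every 16 steps. $F_i(X,Y,Z) = (X \wedge Y) \vee (\neg X \wedge Z)$ for $0 \le i \le 15$; $F_i(X,Y,Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$ for $16 \le i \le 31$; $F_i(X,Y,Z) = X \oplus Y \oplus Z$ for $32 \le i \le 47$; $F_i(X,Y,Z) = Y \oplus (X \vee \neg Z)$ for $48 \le i \le 63$. This provides non-linearity so you cannot extract the message from the hash.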
Finding Collisions: MD5 has a 128-bit hash, so a brute force attack to find a collision requires at most $2^{128}$ applications of MD5, and $2^{64}$ by the birthday paradox. Xiaoyun Wang and Hongbo Yu have an attack that requires $2^{39}$ operations. This attack takes at most an hour and 5 minutes on an IBM P690 (supercomputer).
Recall: Differential Cryptanalysis. Find a particular $\Delta M$ such that a particular $\Delta H$ occurs with high probability. In the collision case, we want $\Delta H = 0$.
Differentials: The attack uses two types of differentials. XOR differential: $\Delta X = X \oplus X'$. Modular differential: $\Delta X = X - X' \bmod 2^{32}$. For $M = (m_0, \ldots, m_{n-1})$ and $M' = (m'_0, \ldots, m'_{n-1})$, a message of length $512n$ bits, the full hash differential is $\Delta H_0 \to \Delta H_1 \to \cdots \to \Delta H_n = \Delta H$. If $M$ and $M'$ are a collision pair, $\Delta H = 0$.
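Round differentials: $\Delta H_i \to \Delta H_{i+1}$ can be split into round differentials as well: $\Delta H_i \xrightarrow{P_0} \Delta R_0 \xrightarrow{P_1} \Delta R_1 \xrightarrow{P_2} \Delta R_2 \xrightarrow{P_3} \Delta R_3 = \Delta H_{i+1}$.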
Probability: Each of these differentials has a probabilistic relationship with the next. Ideally, we'd like to be able to set up 2 messages where we can guarantee with probability 1 that $\Delta H = 0$. This can be assured by modifying M so the first round differential will be what you want. More modifications will improve the probability for the second, third and fourth round differentials. $\Delta M_0$ has been picked to improve this as well.
The Attack: Find $M = (M_0, M_1)$ and $M' = (M'_0, M'_1)$ with $\Delta M_0 = M'_0 - M_0 = (0,0,0,0,2^{31},0,0,0,0,0,0,2^{15},0,0,2^{31},0)$, $\Delta M_1 = M'_1 - M_1 = (0,0,0,0,2^{31},0,0,0,0,0,0,-2^{15},0,0,2^{31},0)$ and $\Delta H_1 = (2^{31},\ ,\ ,\ )$, i.e. $M_0$ and $M'_0$ differ in the 5th, 12th and 15th words only. Same for $M_1$ and $M'_1$. Not every set of messages that does this is a collision. $\Delta M_0$ has been picked to improve the probability that the round differentials will hold.
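The structure described on the earlier slides (padding, chaining $H_{i+1} = f(H_i, M_i)$, four rounds of 16 steps with the non-linear functions $F_i$) and the block difference $\Delta M_0$ from this slide, as an added Python example that is not part of the original presentation. The constants S, T and IV0 are the ones fixed by RFC 1321; the function names and the sample block are assumptions made for the example.

```python
import math
import struct

MASK = 0xFFFFFFFF
IV0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # initial a, b, c, d
# Per-step constants: rotation amounts S_i and additive constants T_i (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]
# Block difference from "The Attack" slide: only words 5, 12 and 15 are non-zero.
DELTA_M0 = [0, 0, 0, 0, 2**31, 0, 0, 0, 0, 0, 0, 2**15, 0, 0, 2**31, 0]

def pad(message):
    """Append a 1 bit, 0 bits, then the bit length as a 64-bit little-endian number."""
    zeros = (55 - len(message)) % 64
    return message + b"\x80" + b"\x00" * zeros + struct.pack("<Q", len(message) * 8 % 2**64)

def compress(h, block):
    """f(H_i, M_i): 4 rounds of 16 steps over one 512-bit block."""
    w = struct.unpack("<16I", block)
    a, b, c, d = h
    for i in range(64):
        if i < 16:
            f, k = (b & c) | (~b & d), i
        elif i < 32:
            f, k = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:
            f, k = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, k = c ^ (b | (~d & MASK)), (7 * i) % 16
        x = (a + f + w[k] + T[i]) & MASK
        rotated = ((x << S[i]) | (x >> (32 - S[i]))) & MASK
        a, b, c, d = d, (b + rotated) & MASK, b, c
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d)))

def md5(message):
    """Chain the compression function over every padded block."""
    h, data = IV0, pad(message)
    for off in range(0, len(data), 64):
        h = compress(h, data[off:off + 64])  # H_{i+1} = f(H_i, M_i)
    return struct.pack("<4I", *h).hex()

def apply_delta(block, delta):
    """M' = M + delta, word by word modulo 2^32."""
    words = struct.unpack("<16I", block)
    return struct.pack("<16I", *((x + dx) & MASK for x, dx in zip(words, delta)))

if __name__ == "__main__":
    m0 = bytes(range(64))  # constructed block, not modified to meet the sufficient conditions
    h, hp = compress(IV0, m0), compress(IV0, apply_delta(m0, DELTA_M0))
    print([f"{(y - x) & MASK:08x}" for x, y in zip(h, hp)])  # modular dH_1 = H' - H per register
```

Run directly, it prints the four-register modular difference for a constructed block that has not been modified to meet the sufficient conditions.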
Message Modification: It is easy to modify a message word so that the first non-zero step differential (after the 5th step) is anything you want with probability 1. Modify multiple words to guarantee the round differentials with high probability. Each modification to make one condition hold may make another not hold.
Sufficient Conditions: $\Delta w_5$ is the first non-zero differential. At the 8th step $\Delta w_5$ has affected a, d and c, so $(\Delta c_2, \Delta d_2, \Delta a_2, \Delta b_1) \to \Delta b_2$, since $\Delta b_1 = 0$. There are 13 conditions on $a_2$, $c_2$ and $d_2$ that will guarantee $\Delta b_2$ to be whatever you like with high probability. There are 30 characteristics for $M_0$, each with between 1 and 28 conditions, and 29 characteristics for $M_1$, each with between 2 and 25 conditions, for well over 200 conditions.
Conditions for $b_i$: $b_{1,7} = 0$, $b_{1,8} = c_{1,8}$, $b_{1,9} = c_{1,9}$, $b_{1,10} = c_{1,10}$, $b_{1,11} = c_{1,11}$, $b_{1,12} = 1$, $b_{1,13} = c_{1,13}$, $b_{1,14} = c_{1,14}$, $b_{1,15} = c_{1,15}$, $b_{1,16} = c_{1,16}$, $b_{1,17} = c_{1,17}$, $b_{1,18} = c_{1,18}$, $b_{1,19} = c_{1,19}$, $b_{1,20} = 1$, $b_{1,21} = c_{1,21}$, $b_{1,22} = c_{1,22}$, $b_{1,23} = c_{1,23}$, $b_{1,24} = 0$, $b_{1,32} = 1$.
Technique for $M_0$: Select random $M_0$. Modify $M_0$ so as many of the conditions hold as possible. Create $M_0' = M_0 + \Delta M_0$. This will result in $\Delta H_1$ with probability. Test that this works. This doesn't require more than $2^{39}$ MD5 operations.
Technique for $M_1$: Select a random message $M_1$. Modify $M_1$ so it meets the conditions. $M_1' = M_1 + \Delta M_1$. Starting with $\Delta H_1$ as IV, the probability that $H(M_1) = H(M_1')$ is. Test the pair of messages for collisions.
Creating More Collisions: There are many $M_1$s that will collide with any properly crafted $M_0$. You can also change the last two words of $M_0$ and maintain the conditions. This reduces the amount of work needed.
References: How To Break MD5 and Other Hash Functions – Xiaoyun Wang and Hongbo Yu (they did the SHA-1 break as well). Guide to Hash Functions. Cryptographic Hash Lounge (lists what functions have been broken and links to how), hflounge.html. Questions?