Presentation is loading. Please wait.

Presentation is loading. Please wait.

Your Security in the IT Market www.i.cz Beyond the MD5 Collisions Daniel Joščák, S.ICZ a.s. & MFF UK 04/05/2007, SPI Brno.

Similar presentations


Presentation on theme: "Your Security in the IT Market www.i.cz Beyond the MD5 Collisions Daniel Joščák, S.ICZ a.s. & MFF UK 04/05/2007, SPI Brno."— Presentation transcript:

1 Your Security in the IT Market Beyond the MD5 Collisions Daniel Joščák, S.ICZ a.s. & MFF UK 04/05/2007, SPI Brno

2 Your Security in the IT Market Chewing functions

3 Your Security in the IT Market Chewing functions

4 Your Security in the IT Market Iterated hash functions ►We would like to have a hash function h h : {0,1}* → {0,1} n ►We have so-called compression function f f : {0,1} b → {0,1} n ►Pad a message m to be a multiple of b bits long ►Iterate the compression function f

5 Your Security in the IT Market Collisions in MD5 ►Messages (M0||M1) ≠ (N0||N1), h (M0||M1) = h (N0||N1) ►We have real collisions producing algorithms and methods ●Wang et al. 04 ●Klíma 05 ●Liang and Lai 05 ●Stevens 05 and 06 (new target collisions) ●…

6 Your Security in the IT Market Attempts to improve MD5 ►3C, 3C+, … constructions by Gauravaram, Millan, Dawson, and Viswanathan 06 ►Ring Iterative Structures by Su, Yang, Yang, Zhang 06. ►Keep the compression function f and change Merkle-Damgård construction to obtain “better” function

7 Your Security in the IT Market Attempts to improve MD5 3C 3C+ Single Feedback Multiple Feedback

8 Your Security in the IT Market Properties of the collisions ►Messages (M0||M1) ≠ (N0||N1), h (M0||M1) = h (N0||N1) ►Fixed message and chaining differences: ●Δ0 = M0 − N0 = (0, 0, 0, 0, 2^31, 0, 0, 0, 0, 0, 0, +2^15, 0, 0, 2^31, 0) ●Δ1 = M1 − N1 = (0, 0, 0, 0, 2^31, 0, 0, 0, 0, 0, 0, −2^15, 0, 0, 2^31, 0) ●δ = IV1 − IV’1 = f(IV, M0) − f(IV, N0) = (2^31, 2^31 + 2^25, 2^31 + 2^25, 2^31 + 2^25)

9 Your Security in the IT Market 4-block collisions for 3C ►Algorithms work for any IV and have the fixed chaining differences ►We can find (M1||M2||M3||M4) ≠ (N1||N2||N3||N4) s.t. ●h 3C (M1||M2||M3||M4) = h 3C (N1||N2||N3||N4) ►Find 2 pairs of MD5 collisions such that: ●h(IV 0,M1||M2) = h(IV 0,N1||N2) = IV 2, ●h(IV 2,M3||M4) = h(IV 2,N3||N4).

10 Your Security in the IT Market 5-block collisions for 3C+ ►(M1||M2||M3||M4||M5) ≠ (N1||N2||N3||N4||N5) such that ●h 3C+ (M1||M2||M3||M4||M5) = h 3C+ (N1||N2||N3||N4||N5) ►Find 2 pairs of MD5 collisions such that: ●M1 = N1 ●h(IV 1,M2||M3) = h(IV 1,N2||N3) = IV 2, ●h(IV 3,M4||M5) = h(IV 3,N4||N5).

11 Your Security in the IT Market 4-block collisions for simple feedback ring iterative struct. ►We can find (M1||M2||M3||M4) ≠ (N1||N2||N3||N4) s.t. ●h sf (M1||M2||M3||M4) = h sf (N1||N2||N3||N4) ►Find just one pair of MD5 collisions: ●M1 = N1 ●h(IV 1,M2||M3) = h(IV 1,N2||N3), ●M4 = N4.

12 Your Security in the IT Market Conclusions ►Be aware of quick “secure” changes in algorithms ►Time for Advanced Hash Standard ●Competition Organized by NIST ●Submission deadline 3Q 2008 ►Problems are gift (Bruno Buchberger)

13 Your Security in the IT Market Thank you for your attention. Daniel Joščák S.ICZ a.s. MFF UK, Dept. of Algebra


Download ppt "Your Security in the IT Market www.i.cz Beyond the MD5 Collisions Daniel Joščák, S.ICZ a.s. & MFF UK 04/05/2007, SPI Brno."

Similar presentations


Ads by Google