Presentation is loading. Please wait.

Presentation is loading. Please wait.

How Are Cryptographic Algorithms Broken??? Presented By Bhavana Tapde June 19, 2006.

Published byBuck Hood Modified over 8 years ago

Similar presentations

Presentation on theme: "How Are Cryptographic Algorithms Broken??? Presented By Bhavana Tapde June 19, 2006."— Presentation transcript:

1 How Are Cryptographic Algorithms Broken??? Presented By Bhavana Tapde June 19, 2006

2 Outline  Cryptographic Algorithms  Cryptographic Hash Algorithms  Applications of Hash Functions  Properties of Hash Functions  Case Study of MD5  Wang’s Method  Klima’s Method  Demo  Case Study of SHA-1  Conclusion

3 What is Cryptographic Algorithm?  Cryptography – process of scrambling information in a manner that is difficult to unscramble, and making scrambled information intelligible.  Cryptographic Algorithm – any algorithm written to achieve cryptography, and consequently confidentiality, integrity, and authentication.  Types of Cryptographic Algorithms  Symmetric Key Algorithms – DES, Triple DES  Asymmetric Key Algorithms – RSA  Cryptographic Hash Algorithms – MD5, SHA-1

4 Cryptographic Hash Algorithm  Hashing Algorithm – a protocol for using the hash function, specifying how the message will be broken up and how the results from previous message blocks are chained together.  Hash Function  is effectively computable.  compresses information of arbitrary length to some information of fixed length (“digital fingerprint”).  possesses Avalanche (Ripple Effect) – when a input is changed slightly, output changes significantly. 0101 Hash function

5 How hashes are used?  Digitally Signed Documents

6 How hashes are used? (…cont)  Hashing Passwords

7 How hashes are used? (…cont)  Verifying File Integrity  If you have just downloaded a large piece of software from a website, how do you know that you've received it correctly and that it has not been tampered with?  The website publishes the hash values of its download bundles, and you can compare a published hash (e.g.MD5 sum) with checksum of downloaded file.  Utilities Unix OS – includes MD5 utilities in their distribution packages. Windows – third party applications like FastSum (http://www.fastsum.com/)http://www.fastsum.com/

8 When a Cryptographic Hash Function is Secured? When it satisfies following three properties  Preimage-resistance: “Given V, find M such that h(M)= V” is infeasible.  2 nd -preimage-resistance: “Given M, find M’ M such that h(M’)=h(M)” is infeasible.  Collision-resistance: “Find M’ M such that h(M’)=h(M)” is infeasible.

9 Case Study of MD5

10 Description of MD5  MD5 (message digest algorithm) – developed at RSA Data Security, Inc.  Improved version of MD4.  Takes any message and outputs an 128-bit hash.  A message is padded so the length is multiple of 512.  Each 512-bit block is processed individually. MD5

11 Description of MD5 (…cont)  The 512-bit block is divided into 16 32-bit words.  There are 4 32-bit registers A, B, C and D. These are initially loaded with IV 0 and carry the hash values from one 512-bit block to the next.  It works in an iterative (chaining) process: H i+1 = f(H i,M i ) IV 0 =H 0 where M i is a 512-bit block. MD5

12 Hash Chaining f H 0 =IV 0 fixed M1M1 H1H1 f H2H2 … f H n = H M2M2 MnMn M i 512 bits H i 128 bits MD5

13 One Small Step  A,B,C,D – 4 registers.  F – nonlinear function; there are total 4 functions and one function is used in each round.  Each round has 16 steps (so, total 64 steps).  Mi – 32-bit block of the message input. (512/16=32)  Ki – 32-bit constant, different for each step.  s – Left bit rotation by s places; s varies for each operation.  – Addition modulo 2 32. MD5

14 The Rounds and Non-Linear Functions  M i =(w 0,…,w 15 )  For fixed i, 4 consecutive steps will yield a i+4 =b i +((a i +F i (b i,c i,d i )+w i +k i )<<<s i ) d i+4 =a i +((d i +F i+1 (a i,b i,c i )+w i+1 +k i+1 )<<<s i+1 ) c i+4 =d i +((c i +F i+2 (d i,a i,b i )+w i+2 +k i+2 )<<<s i+2 ) b i+4 =c i +((b i +F i+3 (c i,d i,a i )+w i+3 +k i+3 )<<<s i+3 ) k i and s i are predefined step dependant constants  F i changes every 16 steps F i (X,Y,Z)=(X^Y)ν(~X^Z) 0 ≤ i ≤ 15 F i (X,Y,Z)=(X^Z)ν(Y^~Z)16 ≤ i ≤ 31 F i (X,Y,Z)=X  Y  Z32 ≤ i ≤ 47 F i (X,Y,Z)=Y  (X ν ~Z) 48 ≤ i ≤ 63 MD5

15 Finding Collisions  MD5 does 64 rounds of scrambling, so a brute force attack to find a collision requires at most 2 64 operations. Brute Force Attack – method of defeating cryptographic scheme by exhaustively working through all possible keys.  Xiaoyun Wang and her team – have an attack that requires 2 39 operations. This attack takes at most an hour and 5 minutes on a IBM P690 (supercomputer).  Vlastimil Klima and his team – have an attack that can find collisions on a Notebook PC within a minute. MD5

16 Wang’s Method (August 2004)  Use of Differential Cryptanalysis: find a statistical correlation between key values and cipher transformations (typically Exclusive-OR of text pairs), then use sufficient defined plaintext to develop the key.  Find a particular M such that a particular H occurs with high probability.  In collision case, want H=0. MD5 - Wang

17 Differentials  The attack uses two types of differentials  XOR differential: ΔX=X  X’  Modular differential: ΔX=X-X’ mod 2 32  For M=(m 0,…,m n-1 ) and M’=(m’ 0,…m’ n-1 ) the full hash differential is for a message of length 512n bits ΔH 0 -> ΔH 1 ->…-> ΔH n= ΔH If M and M’ are a collision pair ΔH=0  Round Differentials  ΔH i -> ΔH i+1 can be split into round differentials as well  ΔH i ΔR 0 ΔR 1 ΔR 2 ΔR 3 = ΔH i+1 P0P0 P1P1 P2P2 P3P3 MD5 - Wang

18 Probability  Each of these differentials has a probabilistic relationship with the next.  Ideally, we’d like to be able to set up 2 messages where we can guarantee with probability 1 that ΔH=0.  This can be assured by modifying M so the first round differential will be what you want.  More modifications will improve the probability for the second, third and fourth round differentials. MD5 - Wang

19 The Attack with Message Modification  Find M=(M 0,M 1 ) and M’=(M’ 0,M’ 1 )  ΔM 0 =M’ 0 -M 0 =(0,0,0,0,2 31,0,0,0,0,0,0,2 15,0,0,2 31,0)  ΔM 1 =M’ 1 -M 1 =(0,0,0,0,2 31,0,0,0,0,0,0,-2 15,0,0,2 31,0)  M’ 0 differ in the 5 th, 12 th and 15 th words only.  Same for M 1 and M’ 1.  Message Modification Method – modify a message word so that the first non-zero step differential (after 5 th step) is anything you want with probability 1.  Modify multiple words to guarantee the round differentials with high probability. MD5 - Wang

20 Results - Actual Collisions M0 = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f ab7e4612 3e580440 897ffbb8 634ad55 2b3f409 8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780 M1 = d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35 M0’ = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 7b5ca2f ab7e4612 3e580440 897ffbb8 634ad55 2b3f409 8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9 5b3c3780 M1’ = d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35 Hash: 9603161f a30f9dbf 9f65ffbc f41fc7ef MD5 - Wang

21 Klima’s Method (March 2006)  “Tunnels in Hash Functions: MD5 Collisions Within a Minute”  Tunnel – a complex function written to find collision which takes into account individual bit of message instead of word.  Tunnels replaces multi-message modification method, and exponentially accelerate collision search.  Several tunnels are written in MD5 hash function.  Also uses ‘differential path’ – the effect of a single bit change tracked through the hash algorithm. MD5 - Klima

22 Speed Comparison to Find MD5 Collisions Software - http://cryptography.hyperlink.cz/2006/web_version_1.ziphttp://cryptography.hyperlink.cz/2006/web_version_1.zip MD5 - Klima Machine Specification Avg. Time Min. Time Max. Time Colli- sions CPU Intel Pentium III (1 GHz), 512MB RAM, Windows 2000 53.0770.90299.00200 CPU Intel Pentium 4 (3 GHz), 512MB RAM, Windows XP 17.5420.2093.30200 Pentium M (1.7 GHz), 512MB RAM, debian 2.6.14 29.1041.03147.54102 AMD Athlon XP2000+(1.67 GHz), 256MB RAM, Windows XP 29.7330.30165.701000 Time in seconds.

23 Demo of Pack3  Pack3 – software developed by one of the team members of Klima.  “Give me three files and I will give you another three with the same MD5 hash!”  The program serves as a toy example of how to get around the necessity of creating the second preimage.  Usage: pack3 file1 file2 file3 file4 file5 file6 Will create two packages – package1.exe package2.exe, having same MD5 sum. package1 extracts files 1-3. package2 extracts files 4-6.  Pack3 is available at http://cryptography.hyperlink.cz/MD5_collisions.html http://cryptography.hyperlink.cz/MD5_collisions.html  Verification tool used is FastSum. http://www.fastsum.com/download.php MD5 - Klima

24 Screen Shots : FastSum Utility C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\FileA.txt“ MD5 Checksum calculation and verification utility. [1.9.0.149] EN (C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com C:\Demo\pack3\selfextract-md5_coll\FileA.txt 12FABF28FF61D4AE9F7080F524CC3130 Calculation summary: Processed 1 files in 0 folders with total size 0.04 Kb. Elapsed time: 00:00:00 Average speed: 0.00 Kb\Sec. C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\FileB.txt" MD5 Checksum calculation and verification utility. [1.9.0.149] EN (C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com C:\Demo\pack3\selfextract-md5_coll\FileB.txt 6DE787E2B6255B94B73DC39D32FC135C Calculation summary: Processed 1 files in 0 folders with total size 0.04 Kb. Elapsed time: 00:00:00 Average speed: 0.00 Kb\Sec.

25 Screen Shots : Pack3 C:\Demo\pack3\selfextract-md5_coll>pack3 file1.txt file2.txt file3.txt file4.txt file5.txt file6.txt

26 Screen Shots : Pack3 (…cont)  Verify results of Pack3 with FastSum C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\package1.exe" MD5 Checksum calculation and verification utility. [1.9.0.149] EN (C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com C:\Demo\pack3\selfextract-md5_coll\package1.exe 0DAACC367624034BD6B4345E72241315 Calculation summary: Processed 1 files in 0 folders with total size 23.05 Kb. Elapsed time: 00:00:00 Average speed: 0.00 Kb\Sec. C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\package2.exe" MD5 Checksum calculation and verification utility. [1.9.0.149] EN (C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com C:\Demo\pack3\selfextract-md5_coll\package2.exe 0DAACC367624034BD6B4345E72241315 Calculation summary: Processed 1 files in 0 folders with total size 23.05 Kb. Elapsed time: 00:00:00 Average speed: 23.05 Mb\Sec.

27 Case Study of SHA-1

28 Description of SHA-1  SHA-1 (Secure Hash Algorithm) – developed by NIST (National Institute of Standards and Technology).  Improved version of SHA-0.  Takes any message of length of less than 2 64 bits and outputs 160 bit hash.  A message is padded so the length is multiple of 512.  Each 512-bit block is processed individually. SHA-1

29 Description of SHA-1 (…cont)  The 512-bit block is divided into 16 32 bit words.  There are 5 32-bit registers A, B, C, D and E. These are initially loaded with IV0 and carry the hash value from one 512-bit block to the next.  It works in an iterative process. SHA-1

30 Hash Chaining Expansion Function 512 bit blocks Compression Function 2560 bits Initialization vector (fixed) 160 bit hash SHA-1

31 One Small Step  There are 4 rounds and each round has 20 steps (so, total 80 steps).  A,B,C,D,E – 5 registers.  F – Non-linear function.  W t – 32-bit word derived from current 512-bit input block.  t – Round number, 0 ≤ t ≤ 79.  K t – 32-bit constant, different for each step.  s – left bit rotation by s places; s varies for each step.  – Addition modulo 2 32. SHA-1

32 SHA-1 Functions  Expansion Function: W i = (W i-3  W i-8  W i-14  W i-16 ) << 1 16 ≤i ≤79  F Functions: F t (B,C,D)=(B^C)v(~B^D) 0 ≤ t ≤ 19 F t (B,C,D)=B  C  D20 ≤ t ≤ 39 F t (B,C,D)=(B^C)v(B^D)v(C^D) 40 ≤ t ≤ 59 F t (B,C,D)= B  C  D 60 ≤ t ≤ 79 SHA-1

33 Finding Collisions  SHA-1 does 80 rounds of scrambling, so a brute force attack to find a collision requires at most 2 80 operations.  Xiaoyun Wang and her team – have an attack that requires 2 69 operations (i.e. 2000 times faster than 2 80 brute force). SHA-1

34 Wang’s Method (February 2005) Wang found following short-comings in SHA-1  The message expansion does not offer enough avalanche effect in terms of spreading the input differences.  The structure of all the step functions is unexpectedly weak. Because of the simple step operation, the certain step properties of some Boolean functions combined with the carry effect actually facilitate, rather than prevent, differential attack. SHA-1

35 Final Attack  Wang’s attack on SHA-1 consisted following techniques:  Message Modification Method  Differential Attack  Local Collision Attack  Use of Differential Path ( effect of a single bit change tracked through the hash algorithm ) and Disturbance Vector (set of bit changes to the hash input designed to create a set of changes to the hash sequence). SHA-1

36 Differential Attack  Differential Cryptanalysis : the study of how differences in an input can affect the resultant difference at the output.  Fundamental Observations made by the team: A change in a bit j of word W i can be corrected by complementary changes in the following bits –  bit (j+6) mod 32 of word W i+1  bit j of word W i+2  bit (j+30) mod 32 of word W i+3  bit (j+30) mod 32 of word W i+4  bit (j+30) mod 32 of word W i+5 SHA-1

37 Local Collision Attack  Local Collision – a collision within a single message (or within a few steps of hash function), including intermediate hash results.  SHA-1 has a 6-step local collision that can start at any step. SHA-1

38 Local Collision Attack (…cont) ΔmΔmΔaΔaΔbΔbΔcΔcΔdΔdΔeΔe i 0000 0001 0000 i+1 0000 00200000 0000 00010000 i+2 0000 00010000 4000 00000000 i+3 4000 00000000 4000 00000000 i+4 4000 00000000 4000 0000 i+5 4000 00000000 Collision SHA-1

39 Conclusion  MD5 is breakable – 2 39 complexity  SHA-1 is breakable – 2 69 complexity  So, it’s time to switch from MD5 and SHA-1.  What next? Longer variants published by NIST  SHA-224  SHA-256  SHA-384  SHA-512  Because “Attacks always get better; they never get worse…”

40 References  Xiaoyun Wang et. al. “Finding Collisions in the Full SHA-1”, http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2- yao.pdf http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2- yao.pdf  Xiaoyun Wang et. al. “Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD”, http://eprint.iacr.org/2004/199.pdf http://eprint.iacr.org/2004/199.pdf  Vlastimil Klima “Tunnels in Hash Functions: MD5 Collisions Within a Minute” http://eprint.iacr.org/2006/105.pdf http://eprint.iacr.org/2006/105.pdf  Steve Friedl, “An Illustrated Guide to Cryptographic Hashes ”, http://unixwiz.net/techtips/iguide-crypto-hashes.html#digestonly http://unixwiz.net/techtips/iguide-crypto-hashes.html#digestonly  Hashing Function Lounge http://paginas.terra.com.br/informatica/paulobarreto/hflounge.html http://paginas.terra.com.br/informatica/paulobarreto/hflounge.html  http://en.wikipedia.org/wiki/SHA1 http://en.wikipedia.org/wiki/SHA1  http://en.wikipedia.org/wiki/MD5 http://en.wikipedia.org/wiki/MD5

41 Thank You! Questions? What is she talking about? mmm… Z Z z…

Download ppt "How Are Cryptographic Algorithms Broken??? Presented By Bhavana Tapde June 19, 2006."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
SHA-1 collision found Lukáš Miňo, Richard Bartuš.

SHA-1 collision found Lukáš Miňo, Richard Bartuš.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.

MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.

PIITMadhumita Chatterjee Security 1 Hashes and Message Digests.
1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel:03-5742968, Fax : 886-3-572-3694.

1 Chapter 5 Hashes and Message Digests Instructor: 孫宏民 Room: EECS 6402, Tel: , Fax :
“Chinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.“Chinese” collision attacks 3.Results for MD4 and MD5.

“Chinese” Attacks on Hashes March 11, 2006, Bing Wu Topic 1.Background 2.“Chinese” collision attacks 3.Results for MD4 and MD5.
Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,

Announcements: 1. HW7 due next Tuesday. 2. Inauguration today! Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman,
Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.

Announcements:Questions? This week: Discrete Logs, Diffie-Hellman, ElGamal Discrete Logs, Diffie-Hellman, ElGamal Hash Functions and SHA-1 Hash Functions.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptography and Network Security Hash Algorithms.

Cryptography and Network Security Hash Algorithms.
Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.

Chapter 4  Hash Functions 1 Overview  Cryptographic hash functions are functions that: o Map an arbitrary-length (but finite) input to a fixed-size output.
Information Security and Management 11

Information Security and Management 11
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.

Module 4 Hash Functions Highline Community College Seattle University University of Washington in conjunction with the National Science Foundation.
1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 09 Hash and Message Digest Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Cryptography and Network Security Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown/Mod. & S. Kondakci.

Similar presentations

Ads by Google