MD Collision Sought Marian Ščerbák University of Pavol Jozef Šafárik Košice

MD5 algorithm MD means “Message digest” algorithm MD means “Message digest” algorithm MD family has MD1, MD2, MD3, MD4, MD5 algorithms; MD5 is most secured from this family MD family has MD1, MD2, MD3, MD4, MD5 algorithms; MD5 is most secured from this family MD1 and MD3 was never published MD1 and MD3 was never published Input is file Input is file Output is 128 bits hash (message digest) Output is 128 bits hash (message digest) It works only “One-Way” It works only “One-Way”

Usage MD5 ● Verifying file integrity (digital fingerprint) MD5 became an web standard 1_0 ● Hashing passwords very imported function (system, digital signs) ● Digitally signed document ● Databases on two remote places (Australia, Norway)

History MD5 ● MD5 was designed by Ronald “Ron” Lorin Rivest in 1991 to be a most secure successor of MD4 algorithm ● announced pseudo-collision in compress function ● Wang's collisions attack, it take 1 hour on IBM cluster ● Klima's collisions attack: on notebook in 17 sec. ● Still using MD5? :-)

How it works ● Append Padding Bits The length of message (M) must be congruent to 448 modulo 512 Add bit "1" on the end of M Add bits "0" to fill block to the requested length ● Append length Add on the end of message length of M (in 64 bits representation)

Initialize Message Digest buffer Initialize Message Digest buffer Using four 32 bits registry (A, B, C, D) A:= B:= 89 ab cd ef C:= fe dc ba 98 D:= hexadecimal number

● Process message in 16 words blocks 4 rounds each every with 16 operations

● F: function ● Mi: message ● K: constant ● A, B, C, D: ● register ● <<< s: left rotate bit function bit function

Output ● Output is in four registers A, B, C, D ● Hash:A || B || C || D ● Example: Message 1: “Žltý kôň” MD5: ecc35622b6252f75ae444420c78eaf2b Message 2: “Zltý kôň” MD5:4002f8e5cec5e389c4f189f28c86d1c5

Attacks ● 3 main methods: Wang's (differential path), Message Modifications and Tunneling ● First successful attack announced Wang ● Take 1 hour on IBM cluster ● Method: We must find two 1024 bit messages (M,M*) with same hash, but difference (D) is constant M = (M1,N1)=> 1024 bits M2 = M1+D => N2 = N1+D => M*= (M2,N2) =>1024 bits

Now we must tracking the differences in steps during computation M and M* Q -3, Q -2, Q -1, Q 0 and Q' -3, Q' -2, Q' -1,Q' 0 is start values Q 1 -Q 64 and Q' 1 - Q' 64 denote the output in the i-th round during computation MD5( M ) and MD5( M* ) Then is supplied 128 values a i (64 for both blocks) for M must be such that MD5(M)=MD5(M*) => Q' i - Q i = a i during computation MD5(M) & MD5(M*) and Q' I - Q i = a i during computation MD5(M 1 ) & MD5(M 1 *) D= Q' i - Q i but I don't know, from where is a

Message modification ● sufficient conditions (defined by Wang) ● commonly are that methods able to find collisions after computing the message, which satisfied the POV (Point Of Verification) mostly in Q 24 and later. So this is hard to compute this. ● POV is point during computing hash, where are the values verified in function (there is a lot of them, at about 300) ● We must compute 2 power 29 POV to find the collision, so this methods are slow

Tunneling ● was announced by V. Klima in 2005 and improved in 2006 ● similar to others method ● we must not computing POV, just trying it random for first POV (Birthday paradox) ● if we find first POV (Q 24 ), we can compute others POV by sufficient condition using the differential path ● from one POV we can get 2 power 29 POV

● extra conditions are similar sufficient conditions but not necessary for the given of differential path ● several types of tunnels ● this methods can compute POV without changing some others bits in other Q i ● Klima' s method can be used no just for MD5 hash algorithm, but in the others hash algorithms too (SHA-*, HAVAL etc.) ● will be SHA-2* collision attack next?