MD Collision Sought

1
MD Collision Sought

• Marian cerbák
• University of Pavol Jozef afárik
• Koice

2
MD5 algorithm

• MD means Message digest algorithm
• MD family has MD1, MD2, MD3, MD4, MD5
  algorithms MD5 is most secured from this
  family
• MD1 and MD3 was never published
• Input is file
• Output is 128 bits hash (message digest)
• It works only One-Way

3
Usage MD5

• Verifying file integrity (digital fingerprint)
• MD5 became an web standard
• http//www.w3.org/TR/1998/REC-DSig-label/MD5-1_0
• Hashing passwords
• very imported function (system, digital signs)
• Digitally signed document
• Databases on two remote places (Australia, Norway)

4
History MD5

• MD5 was designed by Ronald Ron Lorin Rivest in
  1991 to be a most secure successor of MD4
  algorithm
• 1993- announced pseudo-collision in compress
  function
• 2004- Wang's collisions attack, it take 1 hour on
  IBM cluster
• Klima's collisions attack on notebook in 17 sec.
  
• Still using MD5? -)

5
How it works

• Append Padding Bits
• The length of message (M) must be congruent to
  448 modulo 512
• Add bit "1" on the end of M
• Add bits "0" to fill block to the requested
  length
• Append length
• Add on the end of message length of M (in 64 bits
  representation)

6

• Initialize Message Digest buffer
• Using four 32 bits registry (A, B, C, D)
• A 01 23 45 67
• B 89 ab cd ef
• C fe dc ba 98
• D 76 54 32 10
• hexadecimal number

7

• Process message in 16 words blocks
• 4 rounds each every with 16 operations

8

• F function
• Mi message
• K constant
• A, B, C, D
• register
• ltltlt s
• left rotate
• bit function

9
Output

• Output is in four registers A, B, C, D
• Hash A B C D
• Example
• Message 1 ltý kôn
• MD5 ecc35622b6252f75ae444420c78eaf2b
• Message 2 Zltý kôn
• MD5 4002f8e5cec5e389c4f189f28c86d1c5

10
Attacks

• 3 main methods Wang's (differential path),
  Message Modifications and Tunneling
• First successful attack announced Wang
• Take 1 hour on IBM cluster
• Method
• We must find two 1024 bit messages (M,M) with
  same hash, but difference (D) is constant
• M (M1,N1)gt 1024 bits
• M2 M1D gt N2 N1D gt M (M2,N2) gt1024 bits

11

• Now we must tracking the differences in steps
  during computation M and M
• Q-3, Q-2, Q-1, Q0 and Q'-3, Q'-2, Q'-1,Q'0 is
  start values
• Q1-Q64 and Q'1- Q'64 denote the output in the
  i-th round during computation MD5(M) and MD5(M)
• Then is supplied 128 values ai (64 for both
  blocks)
• for M must be such that MD5(M)MD5(M) gt Q'i-
  Qiai during computation MD5(M) MD5(M)
• and Q'I - Qiai during computation MD5(M1)
  MD5(M1)
• D Q'i- Qi
• but I don't know, from where is a

12
Message modification

• sufficient conditions (defined by Wang)
• commonly are that methods able to find collisions
  after computing the message, which satisfied the
  POV (Point Of Verification) mostly in Q24 and
  later. So this is hard to compute this.
• POV is point during computing hash, where are the
  values verified in function (there is a lot of
  them, at about 300)
• We must compute 2 power 29 POV to find the
  collision, so this methods are slow

13
Tunneling

• was announced by V. Klima in 2005 and improved in
  2006
• similar to others method
• we must not computing POV, just trying it random
  for first POV (Birthday paradox)
• if we find first POV (Q24), we can compute
  others POV by sufficient condition using the
  differential path
• from one POV we can get 2 power 29 POV

14

• extra conditions are similar sufficient
  conditions
• but not necessary for the given of differential
  path
• several types of tunnels
• this methods can compute POV without changing
  some others bits in other Qi
• Klima' s method can be used no just for MD5 hash
  algorithm, but in the others hash algorithms too
  (SHA-, HAVAL etc.)
• will be SHA-2 collision attack next?