MD Collision Sought - PowerPoint PPT Presentation

Loading...

PPT – MD Collision Sought PowerPoint presentation | free to view - id: 1525b2-ZDdhY



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

MD Collision Sought

Description:

MD family has MD1, MD2, MD3, MD4, MD5 algorithms; MD5 is most secured from ... we must not computing POV, just trying it random for first POV (Birthday paradox) ... – PowerPoint PPT presentation

Number of Views:61
Avg rating:3.0/5.0
Slides: 15
Provided by: marin58
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: MD Collision Sought


1
MD Collision Sought
  • Marian cerbák
  • University of Pavol Jozef afárik
  • Koice

2
MD5 algorithm
  • MD means Message digest algorithm
  • MD family has MD1, MD2, MD3, MD4, MD5
    algorithms MD5 is most secured from this
    family
  • MD1 and MD3 was never published
  • Input is file
  • Output is 128 bits hash (message digest)
  • It works only One-Way

3
Usage MD5
  • Verifying file integrity (digital fingerprint)
  • MD5 became an web standard
  • http//www.w3.org/TR/1998/REC-DSig-label/MD5-1_0
  • Hashing passwords
  • very imported function (system, digital signs)
  • Digitally signed document
  • Databases on two remote places (Australia, Norway)

4
History MD5
  • MD5 was designed by Ronald Ron Lorin Rivest in
    1991 to be a most secure successor of MD4
    algorithm
  • 1993- announced pseudo-collision in compress
    function
  • 2004- Wang's collisions attack, it take 1 hour on
    IBM cluster
  • Klima's collisions attack on notebook in 17 sec.
  • Still using MD5? -)

5
How it works
  • Append Padding Bits
  • The length of message (M) must be congruent to
    448 modulo 512
  • Add bit "1" on the end of M
  • Add bits "0" to fill block to the requested
    length
  • Append length
  • Add on the end of message length of M (in 64 bits
    representation)

6
  • Initialize Message Digest buffer
  • Using four 32 bits registry (A, B, C, D)
  • A 01 23 45 67
  • B 89 ab cd ef
  • C fe dc ba 98
  • D 76 54 32 10
  • hexadecimal number

7
  • Process message in 16 words blocks
  • 4 rounds each every with 16 operations

8
  • F function
  • Mi message
  • K constant
  • A, B, C, D
  • register
  • ltltlt s
  • left rotate
  • bit function

9
Output
  • Output is in four registers A, B, C, D
  • Hash A B C D
  • Example
  • Message 1 ltý kôn
  • MD5 ecc35622b6252f75ae444420c78eaf2b
  • Message 2 Zltý kôn
  • MD5 4002f8e5cec5e389c4f189f28c86d1c5

10
Attacks
  • 3 main methods Wang's (differential path),
    Message Modifications and Tunneling
  • First successful attack announced Wang
  • Take 1 hour on IBM cluster
  • Method
  • We must find two 1024 bit messages (M,M) with
    same hash, but difference (D) is constant
  • M (M1,N1)gt 1024 bits
  • M2 M1D gt N2 N1D gt M (M2,N2) gt1024 bits

11
  • Now we must tracking the differences in steps
    during computation M and M
  • Q-3, Q-2, Q-1, Q0 and Q'-3, Q'-2, Q'-1,Q'0 is
    start values
  • Q1-Q64 and Q'1- Q'64 denote the output in the
    i-th round during computation MD5(M) and MD5(M)
  • Then is supplied 128 values ai (64 for both
    blocks)
  • for M must be such that MD5(M)MD5(M) gt Q'i-
    Qiai during computation MD5(M) MD5(M)
  • and Q'I - Qiai during computation MD5(M1)
    MD5(M1)
  • D Q'i- Qi
  • but I don't know, from where is a

12
Message modification
  • sufficient conditions (defined by Wang)
  • commonly are that methods able to find collisions
    after computing the message, which satisfied the
    POV (Point Of Verification) mostly in Q24 and
    later. So this is hard to compute this.
  • POV is point during computing hash, where are the
    values verified in function (there is a lot of
    them, at about 300)
  • We must compute 2 power 29 POV to find the
    collision, so this methods are slow

13
Tunneling
  • was announced by V. Klima in 2005 and improved in
    2006
  • similar to others method
  • we must not computing POV, just trying it random
    for first POV (Birthday paradox)
  • if we find first POV (Q24), we can compute
    others POV by sufficient condition using the
    differential path
  • from one POV we can get 2 power 29 POV

14
  • extra conditions are similar sufficient
    conditions
  • but not necessary for the given of differential
    path
  • several types of tunnels
  • this methods can compute POV without changing
    some others bits in other Qi
  • Klima' s method can be used no just for MD5 hash
    algorithm, but in the others hash algorithms too
    (SHA-, HAVAL etc.)
  • will be SHA-2 collision attack next?
About PowerShow.com