MD Collision Sought - PowerPoint PPT Presentation



Slides: 15
Provided by: marin58


Transcript and Presenter's Notes


MD Collision Sought
  • Marian cerbák
  • University of Pavol Jozef Šafárik
  • Košice

MD5 algorithm
  • MD stands for Message Digest algorithm
  • The MD family has the MD1, MD2, MD3, MD4 and MD5
    algorithms; MD5 is the most secure of these
  • MD1 and MD3 were never published
  • Input is a file
  • Output is a 128-bit hash (message digest)
  • It works one way only

Usage MD5
  • Verifying file integrity (digital fingerprint)
  • MD5 became a web standard
  • http//
  • Hashing passwords
  • very important function (systems, digital signatures)
  • Digitally signed document
  • Databases on two remote places (Australia, Norway)

History MD5
  • MD5 was designed by Ronald "Ron" Lorin Rivest in
    1991 to be a more secure successor of MD4
  • 1993: a pseudo-collision in the compression function was announced
  • 2004: Wang's collision attack, which takes 1 hour on
    an IBM cluster
  • Klima's collision attack runs on a notebook in 17 sec.
  • Still using MD5? :-)

How it works
  • Append Padding Bits
  • The length of the message (M) must be congruent to
    448 modulo 512
  • Add a "1" bit to the end of M
  • Add "0" bits to fill the block to the requested
  • Append length
  • Add the length of M to the end of the message (in 64 bits

  • Initialize Message Digest buffer
  • Uses four 32-bit registers (A, B, C, D)
  • A = 01 23 45 67
  • B = 89 ab cd ef
  • C = fe dc ba 98
  • D = 76 54 32 10
  • (hexadecimal numbers)

  • Process the message in 16-word blocks
  • 4 rounds, each with 16 operations

  • F: bit function
  • Mi: message
  • K: constant
  • A, B, C, D: registers
  • <<< s: left rotate

  • Output is in four registers A, B, C, D
  • Hash = A B C D
  • Example
  • Message 1: ltý kôn
  • MD5: ecc35622b6252f75ae444420c78eaf2b
  • Message 2: Zltý kôn
  • MD5: 4002f8e5cec5e389c4f189f28c86d1c5

  • 3 main methods: Wang's (differential path),
    message modification and tunneling
  • The first successful attack was announced by Wang
  • It takes 1 hour on an IBM cluster
  • Method
  • We must find two 1024-bit messages (M, M') with
    the same hash, whose difference (D) is constant
  • M = (M1, N1) => 1024 bits
  • M2 = M1 + D => N2 = N1 + D => M' = (M2, N2) => 1024 bits

  • Now we must track the differences step by step
    during the computation of M and M'
  • Q-3, Q-2, Q-1, Q0 and Q'-3, Q'-2, Q'-1, Q'0 are
    the start values
  • Q1-Q64 and Q'1-Q'64 denote the output in the
    i-th round during the computation of MD5(M) and MD5(M')
  • Then 128 values ai are supplied (64 for both
  • for M must be such that MD5(M) = MD5(M') => Q'i -
    Qi = ai during the computation of MD5(M) and MD5(M')
  • and Q'i - Qi = ai during the computation of MD5(M1)
  • D = Q'i - Qi
  • but I don't know, from where is a

Message modification
  • sufficient conditions (defined by Wang)
  • these methods are commonly able to find collisions
    after computing a message that satisfies the
    POV (Point Of Verification), mostly at Q24 and
    later, so this is hard to compute.
  • A POV is a point during the hash computation where the
    values are verified in the function (there are a lot of
    them, about 300)
  • We must compute 2^29 POVs to find the
    collision, so these methods are slow

  • was announced by V. Klima in 2005 and improved in
  • similar to the other methods
  • we need not compute the POV; we just try random values
    for the first POV (birthday paradox)
  • if we find the first POV (Q24), we can compute
    the other POVs from the sufficient conditions using the
    differential path
  • from one POV we can get 2^29 POVs

  • extra conditions are similar sufficient
  • but not necessary for the given of differential
  • several types of tunnels
  • this method can compute POVs without changing
    some other bits in other Qi
  • Klima's method can be used not just for the MD5 hash
    algorithm, but for other hash algorithms too
    (SHA-, HAVAL etc.)
  • will a SHA-2 collision attack be next?