MD5 Collisions - PowerPoint PPT Presentation

Slides: 22
Provided by: isabelle6

1
MD5 Collisions
  • Isabelle Stanton
  • Chalermpong Worawannotai

2
Description of MD5
  • Takes any message and outputs a 128-bit hash.
  • A message is padded so the length is a multiple
    of 512 bits by concatenating a 1, then 0s, and its
    length as a 64-bit number.
  • Each 512 bit block is compressed individually

3
Continued Description
  • The 512-bit block is divided into 16 32-bit words
  • There are 4 32-bit registers a, b, c and d.
    These are initially loaded with IV0 and carry the
    hash values from one 512-bit block to the next
  • It works in an iterative (chaining) process
  • $H_{i+1} = f(H_i, M_i)$, $H_0 = IV_0$
  • where $M_i$ is a 512-bit block.

4
Hash Chaining
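[Figure: hash chaining. Starting from the fixed $H_0 = IV_0$, each block $M_1, M_2, \ldots, M_n$ is combined with the previous value by f, giving $H_1, H_2, \ldots, H_n = H$. Each $M_i$ is 512 bits and each $H_i$ is 128 bits.]
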
5
One small step
  • For each f there are 4 rounds and each round has
    16 steps
  • $T_i$ and $S_i$ are fixed constants that depend
    only on the step.

[Figure not reproduced. Courtesy of www.wikipedia.org]

6
The Rounds
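  • $M_i = (w_0, \ldots, w_{15})$
  • For fixed i, 4 consecutive steps will yield
  • $a_{i+4} = b_i + ((a_i + F_i(b_i, c_i, d_i) + w_i + t_i) \lll s_i)$
  • $d_{i+4} = a_i + ((d_i + F_{i+1}(a_i, b_i, c_i) + w_{i+1} + t_{i+1}) \lll s_{i+1})$
  • $c_{i+4} = d_i + ((c_i + F_{i+2}(d_i, a_i, b_i) + w_{i+2} + t_{i+2}) \lll s_{i+2})$
  • $b_{i+4} = c_i + ((b_i + F_{i+3}(c_i, d_i, a_i) + w_{i+3} + t_{i+3}) \lll s_{i+3})$
  • $t_i$ and $s_i$ are predefined step-dependent constants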

7
The Non-Linear Functions
  • Fi changes every 16 steps
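  • $F_i(X,Y,Z) = (X \wedge Y) \vee (\neg X \wedge Z)$, $0 \le i \le 15$
  • $F_i(X,Y,Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$, $16 \le i \le 31$
  • $F_i(X,Y,Z) = X \oplus Y \oplus Z$, $32 \le i \le 47$
  • $F_i(X,Y,Z) = Y \oplus (X \vee \neg Z)$, $48 \le i \le 63$
  • This provides non-linearity so you cannot
    extract the message from the hash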

8
Finding Collisions
  • MD5 has a 128-bit hash so a brute force attack to
    find a collision requires at most $2^{128}$
    applications of MD5 and $2^{64}$ by the birthday
    paradox
  • Xiaoyun Wang and Hongbo Yu have an attack that
    requires $2^{39}$ operations
  • This attack takes at most an hour and 5 minutes
    on an IBM P690 (supercomputer)

9
Recall Differential Cryptanalysis
  • Find a particular $\Delta M$ such that a particular $\Delta H$
    occurs with high probability
  • In the collision case, we want $\Delta H = 0$.

10
Differentials
  • The attack uses two types of differentials
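  • XOR differential: $\Delta X = X \oplus X'$
  • Modular differential: $\Delta X = X' - X \bmod 2^{32}$
  • For $M = (m_0, \ldots, m_{n-1})$ and $M' = (m'_0, \ldots, m'_{n-1})$,
    messages of length 512n bits, the full hash
    differential is
  • $\Delta H_0 \to \Delta H_1 \to \cdots \to \Delta H_n = \Delta H$
  • If $M$ and $M'$ are a collision pair, $\Delta H = 0$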

11
Round differentials
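  • $\Delta H_i \to \Delta H_{i+1}$ can be split into round
    differentials as well
  • $\Delta H_i \xrightarrow{P_0} \Delta R_0 \xrightarrow{P_1} \Delta R_1 \xrightarrow{P_2} \Delta R_2 \xrightarrow{P_3} \Delta R_3 = \Delta H_{i+1}$
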
12
Probability
  • Each of these differentials has a probabilistic
    relationship with the next.
  • Ideally, we'd like to be able to set up 2
    messages where we can guarantee with probability
    1 that $\Delta H = 0$
  • This can be assured by modifying M so the first
    round differential will be what you want
  • More modifications will improve the probability
    for the second, third and fourth round
    differentials
  • $\Delta M_0$ has been picked to improve this as well

13
The Attack
  • Find $M = (M_0, M_1)$ and $M' = (M'_0, M'_1)$
  • $\Delta M_0 = M'_0 - M_0 = (0,0,0,0,2^{31},0,0,0,0,0,0,2^{15},0,0,2^{31},0)$
  • $\Delta M_1 = M'_1 - M_1 = (0,0,0,0,2^{31},0,0,0,0,0,0,-2^{15},0,0,2^{31},0)$
  • $\Delta H_1 = (2^{31}, 2^{31}+2^{25}, 2^{31}+2^{25}, 2^{31}+2^{25})$
  • i.e. $M_0$ and $M'_0$ differ in the 5th, 12th and 15th
    words only
  • Same for $M_1$ and $M'_1$.
  • Not every pair of messages that does this is a
    collision
  • $\Delta M_0$ has been picked to improve the probability
    that the round differentials will hold

14
Message Modification
  • It is easy to modify a message word so that the
    first non-zero step differential (after the 5th
    step) is anything you want with probability 1
  • Modify multiple words to guarantee the round
    differentials with high probability
  • Each modification to make one condition hold may
    make another not hold

15
Sufficient Conditions
  • $\Delta w_5$ is the first non-zero differential
  • At the 8th step $\Delta w_5$ has affected a, d and c so
    $(\Delta c_2, \Delta d_2, \Delta a_2, \Delta b_1) \to \Delta b_2$, since $\Delta b_1 = 0$
  • There are 13 conditions on $a_2$, $c_2$ and $d_2$ that
    will guarantee $\Delta b_2$ to be whatever you like with
    high probability
  • $M_0$ has 30 characteristics with between 1 and 28
    conditions each, and $M_1$ has 29 characteristics
    with between 2 and 25 conditions each, for well
    over 200 conditions in total

16
Conditions for bi
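  • $b_{1,7} = 0$, $b_{1,8} = c_{1,8}$, $b_{1,9} = c_{1,9}$
  • $b_{1,10} = c_{1,10}$, $b_{1,11} = c_{1,11}$, $b_{1,12} = 1$
  • $b_{1,13} = c_{1,13}$, $b_{1,14} = c_{1,14}$, $b_{1,15} = c_{1,15}$,
    $b_{1,16} = c_{1,16}$, $b_{1,17} = c_{1,17}$, $b_{1,18} = c_{1,18}$
  • $b_{1,19} = c_{1,19}$, $b_{1,20} = 1$, $b_{1,21} = c_{1,21}$,
    $b_{1,22} = c_{1,22}$, $b_{1,23} = c_{1,23}$, $b_{1,24} = 0$
  • $b_{1,32} = 1$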

17
Technique for M0
  • Select random M0
  • Modify M0 so as many of the conditions hold as
    possible
  • Create $M'_0 = M_0 + \Delta M_0$
  • This will result in $\Delta H_1$ with probability $2^{-37}$
  • Test that this works
  • This doesn't require more than $2^{39}$ MD5 operations

18
Technique for M1
  • Select a random message M1
  • Modify M1 so it meets the conditions
  • $M'_1 = M_1 + \Delta M_1$
  • Starting with $\Delta H_1$ as IV, the probability that
    $H(M_1) = H(M'_1)$ is $2^{-30}$
  • Test the pair of messages for collisions

19
Creating More Collisions
  • There are many M1s that will collide with any
    properly crafted M0
  • You can also change the last two words of M0 and
    maintain the conditions
  • This reduces the amount of work needed

20
Actual Collisions
  • $M_0$ = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f
    ab7e4612 3e580440 897ffbb8 634ad55 2b3f409
    8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9
    5b3c3780
  • $M_1$ = d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335
    cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530
    baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1
    e3a7cc35
  • $M'_0$ = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 7b5ca2f
    ab7e4612 3e580440 897ffbb8 634ad55 2b3f409
    8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9
    5b3c3780
  • $M'_1$ = d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335
    cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530
    baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1
    e3a7cc35
  • Hash = 9603161f a30f9dbf 9f65ffbc f41fc7ef

21
References
  • How To Break MD5 and Other Hash Functions,
    Xiaoyun Wang and Hongbo Yu (they did the SHA-1
    break as well)
  • Guide to Hash Functions:
    http://unixwiz.net/techtips/iguide-crypto-hashes.html
  • Cryptographic Hash Lounge (lists what functions
    have been broken and links to how):
    http://planeta.terra.com.br/informatica/paulobarreto/hflounge.html
  • Questions?