How Are Cryptographic Algorithms Broken??? - PowerPoint PPT Presentation

Slides: 42
Provided by: admi736
Learn more at: https://www.cs.odu.edu

Transcript and Presenter's Notes

1
How Are Cryptographic Algorithms Broken???
  • Presented By
  • Bhavana Tapde
  • June 19, 2006

2
Outline
  • Cryptographic Algorithms
  • Cryptographic Hash Algorithms
  • Applications of Hash Functions
  • Properties of Hash Functions
  • Case Study of MD5
  • Wang's Method
  • Klima's Method
  • Demo
  • Case Study of SHA-1
  • Conclusion

3
What is a Cryptographic Algorithm?
  • Cryptography: the process of scrambling information
    in a manner that is difficult to unscramble, and
    of making scrambled information intelligible again.
  • Cryptographic Algorithm: any algorithm written
    to achieve cryptography, and consequently
    confidentiality, integrity, and authentication.
  • Types of Cryptographic Algorithms
  • Symmetric Key Algorithms: DES, Triple DES
  • Asymmetric Key Algorithms: RSA
  • Cryptographic Hash Algorithms: MD5, SHA-1

4
Cryptographic Hash Algorithm
  • Hashing Algorithm: a protocol for using the hash
    function, specifying how the message will be
    broken up and how the results from previous
    message blocks are chained together.
  • Hash Function
  • is effectively computable.
  • compresses information of arbitrary length to
    some information of fixed length (digital
    fingerprint).
  • possesses the avalanche (ripple) effect: when an
    input is changed slightly, the output changes
    significantly.

[Figure: a message fed through the hash function yields a fixed-length bit string (0101...).]
5
How are hashes used?
  • Digitally Signed Documents

6
How are hashes used? (cont)
  • Hashing Passwords

7
How are hashes used? (cont)
  • Verifying File Integrity
  • If you have just downloaded a large piece of
    software from a website, how do you know that
    you've received it correctly and that it has not
    been tampered with?
  • The website publishes the hash values of its
    download bundles, and you can compare a published
    hash (e.g. MD5 sum) with the checksum of the
    downloaded file.
  • Utilities
  • Unix operating systems include MD5 utilities in
    their distribution packages.
  • Windows: third-party applications like FastSum
    (http://www.fastsum.com/)

8
When is a Cryptographic Hash Function Secure?
  • When it satisfies the following three properties:
  • Preimage resistance
  • Given V, finding M such that h(M) = V is
    infeasible.
  • 2nd-preimage resistance
  • Given M, finding M' ≠ M such that h(M') = h(M)
    is infeasible.
  • Collision resistance
  • Finding M ≠ M' such that h(M) = h(M') is
    infeasible.

9
Case Study of MD5
10
Description of MD5
MD5
  • MD5 (message digest algorithm) was developed at
    RSA Data Security, Inc.
  • Improved version of MD4.
  • Takes any message and outputs a 128-bit hash.
  • A message is padded so its length is a multiple of
    512 bits.
  • Each 512-bit block is processed individually.

11
Description of MD5 (cont)
MD5
  • The 512-bit block is divided into 16 32-bit
    words.
  • There are 4 32-bit registers A, B, C and D. These
    are initially loaded with IV0 and carry the hash
    value from one 512-bit block to the next.
  • It works in an iterative (chaining) process:
  • H_{i+1} = f(H_i, M_i), with H_0 = IV0,
  • where M_i is a 512-bit block.

12
Hash Chaining
MD5
[Figure: hash chaining. H_0 = IV0 (fixed); each message block M_1, M_2, ..., M_n is fed together with the previous value into f, producing H_1, H_2, ..., H_n = H. Each M_i is 512 bits and each H_i is 128 bits.]
13
One Small Step
MD5
  • A, B, C, D: the 4 registers.
  • F: nonlinear function; there are 4 functions in
    total and one function is used in each round.
  • Each round has 16 steps (so 64 steps in total).
  • M_i: 32-bit word of the message input
    (512/16 = 32).
  • K_i: 32-bit constant, different for each step.
  • <<< s: left bit rotation by s places; s varies
    for each operation.
  • +: addition modulo 2^32.

14
The Rounds and Non-Linear Functions
MD5
  • M_i = (w_0, ..., w_15)
  • For fixed i, 4 consecutive steps yield:
  • a_{i+4} = b_i + ((a_i + F_i(b_i, c_i, d_i) + w_i + k_i) <<< s_i)
  • d_{i+4} = a_{i+4} + ((d_i + F_{i+1}(a_{i+4}, b_i, c_i) + w_{i+1} + k_{i+1}) <<< s_{i+1})
  • c_{i+4} = d_{i+4} + ((c_i + F_{i+2}(d_{i+4}, a_{i+4}, b_i) + w_{i+2} + k_{i+2}) <<< s_{i+2})
  • b_{i+4} = c_{i+4} + ((b_i + F_{i+3}(c_{i+4}, d_{i+4}, a_{i+4}) + w_{i+3} + k_{i+3}) <<< s_{i+3})
  • k_i and s_i are predefined step-dependent
    constants
  • F_i changes every 16 steps:
  • F_i(X, Y, Z) = (X ∧ Y) ∨ (¬X ∧ Z)   for 0 ≤ i ≤ 15
  • F_i(X, Y, Z) = (X ∧ Z) ∨ (Y ∧ ¬Z)   for 16 ≤ i ≤ 31
  • F_i(X, Y, Z) = X ⊕ Y ⊕ Z            for 32 ≤ i ≤ 47
  • F_i(X, Y, Z) = Y ⊕ (X ∨ ¬Z)         for 48 ≤ i ≤ 63

15
Finding Collisions
MD5
  • MD5 does 64 rounds of scrambling, so a brute
    force attack to find a collision requires at most
    2^64 operations.
  • Brute Force Attack: a method of defeating a
    cryptographic scheme by exhaustively working
    through all possible keys.
  • Xiaoyun Wang and her team have an attack that
    requires 2^39 operations. This attack takes at
    most an hour and 5 minutes on an IBM p690
    (supercomputer).
  • Vlastimil Klima and his team have an attack
    that can find collisions on a notebook PC within
    a minute.
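To make the work factors behind these numbers concrete, here is an added Python example (not code from the presentation) that runs a brute-force preimage search and a birthday-style collision search against MD5 truncated to n bits. The truncation, the candidate inputs and the "published checksum" target are constructed for the demonstration; shrinking the digest lets the gap between the preimage property and the collision property of slide 8, about 2^n work versus about 2^(n/2), show up in seconds rather than centuries. At 18 bits the preimage search needs a few hundred thousand MD5 calls on average, while the collision search typically stops after several hundred.

```python
import hashlib


def truncated_md5(data, bits):
    """MD5 digest cut down to its top `bits` bits.  Constructed toy: a short digest
    makes the 2^n versus 2^(n/2) work factors observable in seconds."""
    digest = int.from_bytes(hashlib.md5(data).digest(), "big")
    return digest >> (128 - bits)


def find_preimage(target, bits, limit):
    """Preimage search: enumerate inputs until one hashes to `target`.
    Expected cost is about 2^bits evaluations.  Returns (attempts, input or None)."""
    for n in range(limit):
        candidate = b"preimage-%d" % n          # constructed candidate inputs
        if truncated_md5(candidate, bits) == target:
            return n + 1, candidate
    return limit, None


def find_collision(bits, limit):
    """Birthday search: remember every digest seen and stop at the first repeat.
    Expected cost is about 1.25 * 2^(bits/2) evaluations.
    Returns (attempts, first input, second input)."""
    seen = {}
    for n in range(limit):
        candidate = b"collision-%d" % n
        h = truncated_md5(candidate, bits)
        if h in seen:
            return n + 1, seen[h], candidate
        seen[h] = candidate
    return limit, None, None


def compare_costs(bits=18):
    """Run both searches on a `bits`-bit truncated MD5 and report the attempt counts."""
    # Constructed stand-in for a published checksum that must be matched exactly.
    target = truncated_md5(b"published checksum of some download", bits)
    p_attempts, preimage = find_preimage(target, bits, limit=1 << (bits + 4))
    c_attempts, m1, m2 = find_collision(bits, limit=1 << (bits // 2 + 5))
    return {
        "bits": bits,
        "preimage_attempts": p_attempts,
        "preimage_ok": preimage is not None and truncated_md5(preimage, bits) == target,
        "collision_attempts": c_attempts,
        "collision_ok": (m1 is not None and m1 != m2
                         and truncated_md5(m1, bits) == truncated_md5(m2, bits)),
    }


if __name__ == "__main__":
    print(compare_costs(18))
```

Raising `bits` widens the ratio: every two extra digest bits double the collision cost but quadruple the preimage cost, which is why a 128-bit digest offers only about 64 bits of collision resistance even before any cryptanalytic shortcut such as Wang's is taken into account.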

16
Wang's Method (August 2004)
MD5 - Wang
  • Use of Differential Cryptanalysis: find a
    statistical correlation between key values and
    cipher transformations (typically the exclusive-OR
    of text pairs), then use sufficient chosen
    plaintext to develop the key.
  • Find a particular ΔM such that a particular ΔH
    occurs with high probability.
  • In the collision case, we want ΔH = 0.

17
Differentials
MD5 - Wang
  • The attack uses two types of differentials:
  • XOR differential: ΔX = X ⊕ X'
  • Modular differential: ΔX = X' − X mod 2^32
  • For M = (m_0, ..., m_{n-1}) and M' = (m'_0, ..., m'_{n-1}),
    the full hash differential for a message of length
    512n bits is
  • ΔH_0 -> ΔH_1 -> ... -> ΔH_n = ΔH
  • If M and M' are a collision pair, ΔH = 0.
  • Round Differentials
  • ΔH_i -> ΔH_{i+1} can be split into round
    differentials as well:
  • ΔH_i -> ΔR_0 -> ΔR_1 -> ΔR_2 -> ΔR_3 = ΔH_{i+1}
  • with the four round transitions holding with
    probabilities P_0, P_1, P_2, P_3 respectively.
18
Probability
MD5 - Wang
  • Each of these differentials has a probabilistic
    relationship with the next.
  • Ideally, we'd like to be able to set up 2
    messages where we can guarantee with probability
    1 that ΔH = 0.
  • This can be assured by modifying M so the first
    round differential will be what you want.
  • More modifications will improve the probability
    for the second, third and fourth round
    differentials.

19
The Attack with Message Modification
MD5 - Wang
  • Find M = (M0, M1) and M' = (M0', M1') with
  • ΔM0 = M0' − M0 = (0,0,0,0,2^31,0,0,0,0,0,0,2^15,0,0,2^31,0)
  • ΔM1 = M1' − M1 = (0,0,0,0,2^31,0,0,0,0,0,0,−2^15,0,0,2^31,0)
  • M0 and M0' differ in the 5th, 12th and 15th words only.
  • Same for M1 and M1'.
  • Message Modification Method: modify a message
    word so that the first non-zero step differential
    (after the 5th step) is anything you want with
    probability 1.
  • Modify multiple words to guarantee the round
    differentials with high probability.

20
Results - Actual Collisions
MD5 - Wang
  • M0  = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f
    ab7e4612 3e580440 897ffbb8 634ad55 2b3f409
    8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9
    5b3c3780
  • M1  = d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335
    cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530
    baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1
    e3a7cc35
  • M0' = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 7b5ca2f
    ab7e4612 3e580440 897ffbb8 634ad55 2b3f409
    8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9
    5b3c3780
  • M1' = d11d0b96 9c7b41dc f497d8e4 d555655a
    479a7335 cfdebf0 66f12930 8fb109d1 797f2775
    eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f
    580a9bb1 e3a7cc35
  • Hash = 9603161f a30f9dbf 9f65ffbc f41fc7ef

21
Klima's Method (March 2006)
MD5 - Klima
  • "Tunnels in Hash Functions: MD5 Collisions Within
    a Minute"
  • Tunnel: a complex function written to find a
    collision which takes into account individual bits
    of the message instead of whole words.
  • Tunnels replace the multi-message modification
    method and exponentially accelerate the collision
    search.
  • Several tunnels are present in the MD5 hash function.
  • Also uses a differential path: the effect of a
    single bit change tracked through the hash
    algorithm.

22
Speed Comparison to Find MD5 Collisions
MD5 - Klima
Machine Specification                                     Avg. Time   Min. Time   Max. Time   Collisions
CPU Intel Pentium III (1 GHz), 512MB RAM, Windows 2000      53.077        0.90      299.00          200
CPU Intel Pentium 4 (3 GHz), 512MB RAM, Windows XP          17.542        0.20       93.30          200
Pentium M (1.7 GHz), 512MB RAM, debian 2.6.14               29.104        1.03      147.54          102
AMD Athlon XP2000 (1.67 GHz), 256MB RAM, Windows XP         29.733        0.30      165.70         1000
Time in seconds.
  • Software - http://cryptography.hyperlink.cz/2006/web_version_1.zip

23
Demo of Pack3
MD5 - Klima
  • Pack3: software developed by one of the team
    members of Klima.
  • "Give me three files and I will give you another
    three with the same MD5 hash!"
  • The program serves as a toy example of how to get
    around the necessity of creating a second
    preimage.
  • Usage: pack3 file1 file2 file3 file4 file5 file6
  • Will create two packages, package1.exe and
    package2.exe,
  • having the same MD5 sum.
  • package1 extracts files 1-3.
  • package2 extracts files 4-6.
  • Pack3 is available at
    http://cryptography.hyperlink.cz/MD5_collisions.html
  • Verification tool used is FastSum:
    http://www.fastsum.com/download.php

24
Screen Shots FastSum Utility
C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\FileA.txt"
MD5 Checksum calculation and verification utility. 1.9.0.149 EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\FileA.txt  12FABF28FF61D4AE9F7080F524CC3130
Calculation summary: Processed 1 files in 0 folders with total size 0.04 Kb.
Elapsed time: 00:00:00  Average speed: 0.00 Kb\Sec.

C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\FileB.txt"
MD5 Checksum calculation and verification utility. 1.9.0.149 EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\FileB.txt  6DE787E2B6255B94B73DC39D32FC135C
Calculation summary: Processed 1 files in 0 folders with total size 0.04 Kb.
Elapsed time: 00:00:00  Average speed: 0.00 Kb\Sec.
25
Screen Shots Pack3
C:\Demo\pack3\selfextract-md5_coll>pack3 file1.txt file2.txt file3.txt file4.txt file5.txt file6.txt
26
Screen Shots Pack3 (cont)
  • Verify results of Pack3 with FastSum

C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\package1.exe"
MD5 Checksum calculation and verification utility. 1.9.0.149 EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\package1.exe  0DAACC367624034BD6B4345E72241315
Calculation summary: Processed 1 files in 0 folders with total size 23.05 Kb.
Elapsed time: 00:00:00  Average speed: 0.00 Kb\Sec.

C:\Demo\fastsum>fsum "C:\Demo\pack3\selfextract-md5_coll\package2.exe"
MD5 Checksum calculation and verification utility. 1.9.0.149 EN
(C) 2003-2005 Kirill Zinov and Vitaly Rogotsevich. Web site: www.fastsum.com
C:\Demo\pack3\selfextract-md5_coll\package2.exe  0DAACC367624034BD6B4345E72241315
Calculation summary: Processed 1 files in 0 folders with total size 23.05 Kb.
Elapsed time: 00:00:00  Average speed: 23.05 Mb\Sec.
27
Case Study of SHA-1
28
Description of SHA-1
SHA-1
  • SHA-1 (Secure Hash Algorithm) was developed by NIST
    (National Institute of Standards and Technology).
  • Improved version of SHA-0.
  • Takes any message of length less than 2^64 bits
    and outputs a 160-bit hash.
  • A message is padded so its length is a multiple of
    512 bits.
  • Each 512-bit block is processed individually.

29
Description of SHA-1 (cont)
SHA-1
  • The 512-bit block is divided into 16 32-bit
    words.
  • There are 5 32-bit registers A, B, C, D and E.
    These are initially loaded with IV0 and carry the
    hash value from one 512-bit block to the next.
  • It works in an iterative process.

30
Hash Chaining
SHA-1
[Figure: each 512-bit block passes through the expansion function (2560 bits of expanded words) and then the compression function, together with the initialization vector (fixed) or the previous chaining value, yielding the 160-bit hash.]
31
One Small Step
SHA-1
  • There are 4 rounds and each round has 20 steps
    (so 80 steps in total).
  • A, B, C, D, E: the 5 registers.
  • F: non-linear function.
  • W_t: 32-bit word derived from the current 512-bit
    input block.
  • t: step number, 0 ≤ t ≤ 79.
  • K_t: 32-bit constant, different for each step.
  • <<< s: left bit rotation by s places; s varies
    for each step.
  • +: addition modulo 2^32.

32
SHA-1 Functions
SHA-1
  • Expansion Function
  • W_i = (W_{i-3} ⊕ W_{i-8} ⊕ W_{i-14} ⊕ W_{i-16}) <<< 1   for 16 ≤ i ≤ 79
  • F Functions
  • F_t(B, C, D) = (B ∧ C) ∨ (¬B ∧ D)             for 0 ≤ t ≤ 19
  • F_t(B, C, D) = B ⊕ C ⊕ D                      for 20 ≤ t ≤ 39
  • F_t(B, C, D) = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D)    for 40 ≤ t ≤ 59
  • F_t(B, C, D) = B ⊕ C ⊕ D                      for 60 ≤ t ≤ 79

33
Finding Collisions
SHA-1
  • SHA-1 does 80 rounds of scrambling, so a brute
    force attack to find a collision requires at most
    2^80 operations.
  • Xiaoyun Wang and her team have an attack that
    requires 2^69 operations (i.e. 2000 times faster
    than 2^80 brute force).

34
Wang's Method (February 2005)
SHA-1
  • Wang found the following shortcomings in SHA-1:
  • The message expansion does not offer enough
    avalanche effect in terms of spreading the input
    differences.
  • The structure of all the step functions is
    unexpectedly weak. Because of the simple step
    operation, certain properties of some Boolean
    functions combined with the carry effect
    actually facilitate, rather than prevent,
    differential attacks.

35
Final Attack
SHA-1
  • Wang's attack on SHA-1 consists of the following
    techniques:
  • Message Modification Method
  • Differential Attack
  • Local Collision Attack
  • Use of a Differential Path (the effect of a single
    bit change tracked through the hash algorithm) and
    a Disturbance Vector (a set of bit changes to the
    hash input designed to create a set of changes to
    the hash sequence).

36
Differential Attack
SHA-1
  • Differential Cryptanalysis: the study of how
    differences in an input affect the resulting
    difference at the output.
  • Fundamental observations made by the team:
  • A change in bit j of word W_i can be corrected
    by complementary changes in the following bits:
  • bit (j+5) mod 32 of word W_{i+1}
  • bit j of word W_{i+2}
  • bit (j+30) mod 32 of word W_{i+3}
  • bit (j+30) mod 32 of word W_{i+4}
  • bit (j+30) mod 32 of word W_{i+5}

37
Local Collision Attack
SHA-1
  • Local Collision: a collision within a single
    message (or within a few steps of the hash
    function), including intermediate hash results.
  • SHA-1 has a 6-step local collision that can start
    at any step.

38
Local Collision Attack (cont)
SHA-1
Step   Δm          Δa          Δb          Δc          Δd          Δe
i      0000 0001   0000 0001   0000 0000   0000 0000   0000 0000   0000 0000
i+1    0000 0020   0000 0000   0000 0001   0000 0000   0000 0000   0000 0000
i+2    0000 0001   0000 0000   0000 0000   4000 0000   0000 0000   0000 0000
i+3    4000 0000   0000 0000   0000 0000   0000 0000   4000 0000   0000 0000
i+4    4000 0000   0000 0000   0000 0000   0000 0000   0000 0000   4000 0000
i+5    4000 0000   0000 0000   0000 0000   0000 0000   0000 0000   0000 0000
Collision
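As an added example (not part of the presentation or of Wang's work), the Python below implements SHA-1 from slides 31 and 32 (expansion function, the four F_t functions, the per-step update with K_t taking one of four values per 20-step round) and verifies it against hashlib, then reuses the same step function to replay the table above: it runs six steps twice, once with six message words as given and once with the disturbance and corrections XORed into W_i..W_{i+5} (bit 0, bit 5, bit 0, bit 30, bit 30, bit 30, as in the Δm column), and counts how often the five registers coincide afterwards over random states and words. The random inputs and the fixed seed are constructed for the demonstration. In the XOR rounds (steps 20 to 39 and 60 to 79) the local collision survives in roughly one trial in 32 to 64, because each correction must cancel a modular ±2^k whose sign depends on carries; in the IF and MAJ rounds it is rarer still, because the Boolean function also has to pass the register difference through. That dependence on register bits is the "carry effect" and Boolean-function behaviour that slide 34 names as what message modification has to control.

```python
import hashlib
import random
import struct

MASK = 0xFFFFFFFF
IV0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)  # K_t, one value per 20-step round


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def f(t, b, c, d):
    """Round functions of slide 32: IF, XOR, MAJ, XOR."""
    if t < 20:
        return (b & c) | (~b & d)
    if t < 40:
        return b ^ c ^ d
    if t < 60:
        return (b & c) | (b & d) | (c & d)
    return b ^ c ^ d


def expand(block):
    """Expansion function of slide 32: 16 big-endian words -> 80 words W_0..W_79."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    return w


def step(t, state, w_t):
    """One SHA-1 step (slide 31): new A from A<<<5, f, E, K_t and W_t; B<<<30 becomes C."""
    a, b, c, d, e = state
    temp = (rotl(a, 5) + f(t, b, c, d) + e + K[t // 20] + w_t) & MASK
    return (temp, a, rotl(b, 30), c, d)


def sha1_compress(h, block):
    state = h
    for t, w_t in enumerate(expand(block)):
        state = step(t, state, w_t)
    return tuple((x + y) & MASK for x, y in zip(h, state))


def sha1_digest(msg):
    padded = (msg + b"\x80" + b"\x00" * ((56 - len(msg) - 1) % 64)
              + struct.pack(">Q", 8 * len(msg)))
    h = IV0
    for off in range(0, len(padded), 64):
        h = sha1_compress(h, padded[off:off + 64])
    return struct.pack(">5I", *h)


def matches_hashlib(msg):
    return sha1_digest(msg) == hashlib.sha1(msg).digest()


# Message-word XOR differences of the slide-38 table for steps i .. i+5:
# a bit-0 disturbance in W_i, then corrections at bit 5, bit 0, bit 30, bit 30, bit 30.
LOCAL_COLLISION_DELTAS = (0x00000001, 0x00000020, 0x00000001,
                          0x40000000, 0x40000000, 0x40000000)


def local_collision_holds(start_step, state, words):
    """Run six steps twice, once with the six message words as given and once with
    the table's differences XORed in; True if all five registers agree afterwards."""
    s_plain, s_diff = state, state
    for j in range(6):
        t = start_step + j
        s_plain = step(t, s_plain, words[j])
        s_diff = step(t, s_diff, words[j] ^ LOCAL_COLLISION_DELTAS[j])
    return s_plain == s_diff


def local_collision_hits(start_step, trials, seed=2006):
    """Count how often the local collision survives over random states and words.
    Carries and the round function decide whether each correction cancels, so the
    path holds only with some probability: it is a differential path, not an identity."""
    rng = random.Random(seed)  # constructed random inputs, fixed seed for repeatability
    hits = 0
    for _ in range(trials):
        state = tuple(rng.getrandbits(32) for _ in range(5))
        words = [rng.getrandbits(32) for _ in range(6)]
        hits += local_collision_holds(start_step, state, words)
    return hits


if __name__ == "__main__":
    for name, start in (("IF round", 0), ("XOR round", 20), ("MAJ round", 40)):
        print(name, local_collision_hits(start, 1 << 14), "of", 1 << 14)
```

Starting the six steps at 0, 20 or 40 places them entirely inside the IF, XOR or MAJ round, so the three counts isolate the effect of the Boolean function from the effect of carries.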
39
Conclusion
  • MD5 is breakable: 2^39 complexity
  • SHA-1 is breakable: 2^69 complexity
  • So, it's time to switch from MD5 and SHA-1.
  • What next?
  • Longer variants published by NIST:
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
  • Because attacks always get better; they never
    get worse.

40
References
  • Xiaoyun Wang et al., Finding Collisions in the
    Full SHA-1,
    http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf
  • Xiaoyun Wang et al., Collisions for Hash
    Functions MD4, MD5, HAVAL-128 and RIPEMD,
    http://eprint.iacr.org/2004/199.pdf
  • Vlastimil Klima, Tunnels in Hash Functions: MD5
    Collisions Within a Minute,
    http://eprint.iacr.org/2006/105.pdf
  • Steve Friedl, An Illustrated Guide to
    Cryptographic Hashes,
    http://unixwiz.net/techtips/iguide-crypto-hashes.html#digestonly
  • Hashing Function Lounge,
    http://paginas.terra.com.br/informatica/paulobarreto/hflounge.html
  • http://en.wikipedia.org/wiki/SHA1
  • http://en.wikipedia.org/wiki/MD5

41
Thank You!
Questions?
What is she talking about?
mmm
Z Z z