How to Break MD5 and Other Hash Functions

Xiaoyun Wang and Hongbo Yu, Cryptography & Information Security, Shandong University, China

1
How to Break MD5 and Other Hash Functions
  • Xiaoyun Wang and Hongbo Yu
  • Cryptography & Information Security
  • Shandong University, China
  • Advances in Cryptology - EUROCRYPT 2005, 24th
    Annual International Conference on the Theory and
    Applications of Cryptographic Techniques, Aarhus,
    Denmark, May 22-26, 2005, Proceedings.
  • Presented by Henrry, C.Y. Chiang

2
EUROCRYPT (1/1)
  • Eurocrypt (or EUROCRYPT) is an important
    conference for cryptography research.
  • The full name of the conference is currently the
    Annual International Conference on the Theory and
    Applications of Cryptographic Techniques, but
    this has not always been its name.
  • Eurocrypt is held annually in the spring in
    various locations throughout Europe.
  • The first workshop in the series of conferences
    that became known as Eurocrypt was held in 1982.
  • In 1984, the name "Eurocrypt" was first used.
    Generally, there have been published proceedings
    including all papers at the conference every year.

3
About The Author (1/2)
  • Xiaoyun Wang (born 1966) is a
    researcher and professor in the Department of
    Mathematics and System Science, Shandong
    University, Shandong, China.

4
About The Author (2/2)
  • At the rump session of CRYPTO 2004, she and
    co-authors demonstrated collision attacks against
    MD5, SHA-0 and other related hash functions. They
    received a standing ovation for their work.
  • In February 2005 it was reported that Wang and
    co-authors had found a method to find collisions
    in the SHA-1 hash function, which is used in many
    of today's mainstream security products.
  • She gained bachelor's (1987), master's (1990) and
    doctorate (1993) degrees at Shandong University,
    and subsequently lectured in the mathematics
    department from 1993. Wang was appointed
    assistant professor in 1995, and full professor
    in 2001.

5
OUTLINE
  1. Introduction
  2. Description of MD5
  3. Differential Attack for Hash Functions
  4. Differential Attack on MD5
  5. Summary

7
1. Introduction (1/6)
  • People know that digital signatures are very
    important in information security.
  • The security of digital signatures depends on the
    cryptographic strength of the underlying hash
    functions.
  • Hash functions also have many other applications
    such as data integrity, group signature, e-cash
    and many other cryptographic protocols.
  • Nowadays, there are two widely used hash
    functions: MD5 and SHA-1.

8
1. Introduction (2/6)
  • MD5 is one of the most widely used cryptographic
    hash functions nowadays.
  • It was designed in 1992 as an improvement of MD4.
  • In this paper we present a new powerful attack on
    MD5 which allows us to find collisions
    efficiently.
  • We used this attack to find collisions of MD5 in
    about 15 minutes up to an hour of computation time.

9
1. Introduction (3/6)
  • The attack is a differential attack which, unlike
    most differential attacks, does not use the
    exclusive-or as a measure of difference, but
    instead uses modular integer subtraction as the
    measure.
  • An application of this attack to MD4 can find a
    collision in less than a fraction of a second.
  • This attack is also applicable to other hash
    functions, such as RIPEMD and HAVAL.

10
1. Introduction (4/6)
  • In this paper, we want to find a pair (M0, M1)
    and (M0', M1') such that
  • We show that such collisions of MD5 can be found
    efficiently, where finding the first blocks (M0,
    M0') takes about MD5 operations, and
    finding the second blocks (M1, M1') takes about
    MD5 operations.

11
1. Introduction (5/6)
12
1. Introduction (6/6)
Birthday Attack ( MD5 operations)
13
OUTLINE
  1. Introduction
  2. Description of MD5
  3. Differential Attack for Hash Functions
  4. Differential Attack on MD5
  5. Summary

14
2. Description of MD5 (1/5)
  • Generally a hash function is iterated by a
    compression function X = f(Z) which compresses an
    l-bit message block Z to an s-bit hash value X,
    where l > s.
  • For MD5, l = 512 and s = 128.
  • For a padded message M with multiples of l-bit
    length, the iterating process is as follows

15
2. Description of MD5 (2/5)
  • In the above iterating process, we omit the
    padding method because it has no influence on our
    attack.
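
The iterating process from slides 14 and 15, as an added example that is not part of the presentation or the paper: a pure-Python MD5 with the compression function f and the chaining loop written out. The helper names (compress, chain, resume) are assumptions of this sketch; resume shows that everything after a given block, padding included, depends on the earlier blocks only through the chaining value.

```python
import struct
from math import sin

MASK = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)  # original initial value of MD5
K = [int(abs(sin(i + 1)) * 2**32) & MASK for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def compress(h, block):
    """Compression function f: 128-bit chaining value h and one 512-bit block -> new h."""
    m = struct.unpack("<16I", block)  # sixteen little-endian 32-bit message words
    a, b, c, d = h
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & MASK)), (7 * i) % 16
        f = (f + a + K[i] + m[g]) & MASK
        a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d)))

def pad(total_len):
    """Padding for a total_len-byte message: 0x80, zeros, 64-bit little-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", (8 * total_len) % 2**64)

def chain(data, h=IV):
    """Iterate f over 64-byte blocks, H_{i+1} = f(H_i, M_i); return every chaining value."""
    states = [h]
    for off in range(0, len(data), 64):
        states.append(compress(states[-1], data[off:off + 64]))
    return states

def resume(h, suffix, total_len):
    """Finish hashing from chaining value h: remaining bytes plus padding for total_len."""
    final = chain(suffix + pad(total_len), h)[-1]
    return struct.pack("<4I", *final).hex()

def md5(msg):
    return resume(IV, msg, len(msg))

if __name__ == "__main__":
    msg = bytes(range(200))          # constructed 200-byte sample message
    h2 = chain(msg[:128])[2]         # chaining value after the first two blocks
    print(md5(msg), resume(h2, msg[128:], len(msg)))  # identical digests
```

Two equal-length messages that reach the same chaining value after their differing blocks receive the same padding block, which is why the padding step plays no part in the collision search.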

16
2. Description of MD5 (3/5)
17
2. Description of MD5 (4/5)
18
2. Description of MD5 (5/5)
19
OUTLINE
  1. Introduction
  2. Description of MD5
  3. Differential Attack for Hash Functions
  4. Differential Attack on MD5
  5. Summary

20
OUTLINE
  1. Introduction
  2. Description of MD5
  3. Differential Attack for Hash Functions
    • 3.1 The Modular Differential and the XOR
      Differential
    • 3.2 Differential Attacks on Hash Functions
    • 3.3 Optimized Collision Differentials for Hash
      Functions
  4. Differential Attack on MD5
  5. Summary

21
3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (1/7)
  • The most important analysis method for hash
    functions is the differential attack, which is
    also one of the most important methods for
    analyzing block ciphers.
  • In general, the differential attack, especially in
    block ciphers, is a kind of XOR differential
    attack which uses exclusive-or as the difference.
  • Differential cryptanalysis is a method which
    analyzes the effect of particular differences in
    plain text pairs on the differences of the
    resultant cipher text pairs.

22
3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (2/7)
  • The differential definition in this paper is a
    kind of precise differential which uses the
    difference in terms of integer modular
    subtraction.
  • We also use integer modular subtraction and the
    differences in terms of XOR.
  • The combination of both kinds of differences gives
    us more information than each of them keeps by
    itself.

23
3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (3/7)
  • For example, when the modular integer subtraction
    difference is for some value X,
    the XOR difference can have many
    possibilities, which are
  • 1. One-bit difference in bit 7, i.e., 0x00000040.
    In this case which means that
    bit 7 in X' is 1 and bit 7 in X is 0.
  • X' = 0100 0000
  • X = 0000 0000
  • 2. Two-bit difference, in which a different carry
    is transferred from bit 7 to bit 8, i.e.,
    0x000000C0.
  • X' = 1000 0000
  • X = 0100 0000

24
3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (4/7)
  • 3. Three-bit difference, in which a different
    carry is transferred from bit 7 to bit 8 and then
    to bit 9, i.e., 0x000001C0.
  • X' = 0001 0000 0000
  • X = 0000 1100 0000
  • 4. Similarly, there can be more carries to
    further bits, and the binary form of X' is 1000,
    and of X is 0111.
  • 5. In case the former difference is negative, the
    XOR differences still look the same, but the
    values of X and X' are exchanged (i.e., X is of
    the form 1000, and X' of the form 0111).
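
The carry cases listed on slides 23 and 24, as an added example that is not taken from the presentation: for a modular difference of one unit at bit 7 (0x40) on 32-bit words, it builds one X per carry length and reports the XOR difference together with the bit values it forces in X' and X. It goes beyond the three cases shown, covering every carry length up to a carry running off the top of the word; the function names are assumptions of this sketch.

```python
import random

WORD = 32
MASK = (1 << WORD) - 1

def signed_bits(x, x_prime):
    """Return (XOR difference, bits where X' is 1 and X is 0, bits where X' is 0 and X is 1).

    Bit positions are 1-indexed from the least significant bit, as on the slides."""
    up = [i + 1 for i in range(WORD) if (x_prime >> i) & 1 and not (x >> i) & 1]
    down = [i + 1 for i in range(WORD) if (x >> i) & 1 and not (x_prime >> i) & 1]
    return x ^ x_prime, up, down

def carry_cases(bit):
    """For X' = X + 2^(bit-1) mod 2^32, build one X per carry length k.

    A carry of length k needs k-1 one-bits in X starting at `bit`; the last case
    is the carry running off the top of the word. Returns (k, xor, up, down) tuples."""
    delta = 1 << (bit - 1)
    cases = []
    for k in range(1, WORD - bit + 3):
        x = ((1 << (k - 1)) - 1) << (bit - 1)   # constructed X: only the carry bits are set
        cases.append((k,) + signed_bits(x, (x + delta) & MASK))
    return cases

def possible_xor_differences(bit):
    """Every XOR difference that a modular difference of +/- 2^(bit-1) can produce."""
    return sorted({xor for _, xor, _, _ in carry_cases(bit)})

def check_random(bit, trials=20000, seed=1):
    """On random words: the XOR difference always lies in the predicted set, and negating
    the modular difference keeps the XOR difference while exchanging X and X'."""
    allowed = set(possible_xor_differences(bit))
    delta, rng = 1 << (bit - 1), random.Random(seed)
    for _ in range(trials):
        x = rng.getrandbits(WORD)
        xp = (x + delta) & MASK
        xor, up, down = signed_bits(x, xp)
        if xor not in allowed or signed_bits(xp, x) != (xor, down, up):
            return False
    return True

if __name__ == "__main__":
    for k, xor, up, down in carry_cases(7)[:3]:
        print(f"carry length {k}: XOR 0x{xor:08X}, X' has 1 at {up}, X has 1 at {down}")
```

One modular difference maps to 26 distinct XOR differences here, and each XOR difference pins down the values of the affected bits, which is the extra information the precise differential relies on.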

25
3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (5/7)
26
3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (6/7)
27
3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (7/7)
  • Compared with earlier modular differential
    attacks, our attack has the following advantages:
  • Our attack finds collisions with two
    iterations, i.e., each message in the collision
    includes two message blocks (1024-bit).
  • Our attack is a precise differential attack in
    which the characteristics are more restrictive
    than those used before, and give values of bits
    in addition to the differences.
  • Our attack gives a set of sufficient conditions
    which ensure the differential occurs.
  • Our attack uses a message modification technique
    to greatly improve the collision probability.

28
3. Differential Attack for Hash Functions
3.2 Differential Attacks on Hash Functions (1/2)
  • The difference for two parameters X and X' is
    defined as
  • For any two messages M and M' with l-bit
    multiples, a full differential for a hash
    function is defined as follows
  • where is the initial value difference
    which equals to zero. is the output
    difference for the two messages.
    is the output difference for the i-th
    iteration, and also is the initial difference for
    the next iteration.

29
3. Differential Attack for Hash Functions
3.2 Differential Attacks on Hash Functions (2/2)
30
3. Differential Attack for Hash Functions
3.3 Optimized Collision Differentials for Hash Functions (1/2)
  • Our attack uses a message modification technique
    to improve the collision probability.
  • According to the modification technique, we can
    get a rough method to search for optimized
    differentials of a hash function.

31
3. Differential Attack for Hash Functions
3.3 Optimized Collision Differentials for Hash Functions (2/2)
  • There are two kinds of message modifications

32
OUTLINE
  1. Introduction
  2. Description of MD5
  3. Differential Attack for Hash Functions
  4. Differential Attack on MD5
  5. Summary

33
OUTLINE
  1. Introduction
  2. Description of MD5
  3. Differential Attack for Hash Functions
  4. Differential Attack on MD5
    • 4.1 Notation
    • 4.2 Collision Differentials for MD5
    • 4.3 Sufficient Conditions for the
      Characteristics to Hold
    • 4.4 Message Modification
    • 4.5 The Differential Attack on MD5
  5. Summary

34
4. Differential Attack on MD5
4.1 Notation (1/1)
35
4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (1/5)
  • Our attack can find many real collisions which
    are composed of two 1024-bit messages
    and with the original
    initial value of MD5
  • We select a collision differential with two
    iterations as follows

36
4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (2/5)
37
4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (3/5)
Why does the author choose this collision
differential?
38
4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (4/5)
Table columns: Step | Chaining Variable for M0 | Message Word for M0 | Shift Rotation | Message Word Difference | Chaining Variable Difference | Chaining Variable for M0'
In particular, the empty items in both the sixth and
fifth columns denote zero differences, and steps
that aren't listed in the table have zero
differences both for message words and chaining
variables.
39
4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (5/5)
40
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (1/9)
  • How to derive a set of sufficient conditions that
    guarantee the differential characteristic in Step
    8 of MD5 (Table 3) to hold. Other conditions can
    be derived similarly.
  • The differential characteristic in Step 8 of MD5
    is
  • Each chaining variable satisfies one of the
    following equations.

41
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (2/9)
42
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (3/9)
  • According to the operations in the 8-th step, we
    have

43
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (4/9)
  • We get a set of sufficient conditions that ensure
    the differential characteristic holds

44
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (5/9)
45
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (6/9)
46
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (7/9)
47
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (8/9)
By a similar method, we can derive a set of
sufficient conditions (Table 4 and Table 6) which
guarantee all the differential characteristics in
the collision differential to hold.
48
4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (9/9)
49
4. Differential Attack on MD5
4.4 Message Modification (1/9)
  • Single-Message Modification
  • In order to make the attack efficient, it is very
    attractive to improve over the probabilistic
    method by fixing some of the message words so
    that some of the conditions are fulfilled a priori.
  • We observe that it is very easy to generate
    messages that fulfill all the conditions of the
    first 16 steps of MD5. We call it single-message
    modification.
  • For each message block M0 (or similarly M1) and
    intermediate values (H0, or for the second block
    H1 and H1'), we apply the following procedures to
    modify M0 (or M1), so that all the conditions of
    round 1 (the first 16 steps) in Table 4 and Table
    6 hold.

50
4. Differential Attack on MD5
4.4 Message Modification (2/9)
  • Single-Message Modification (cont.)
  • It is easy to modify M0 such that the conditions
    of round 1 in Table 4 hold with probability 1.
  • For example, to ensure that 3 conditions for c1
    in Table 4 hold, we modify m2 as follows

51
4. Differential Attack on MD5
4.4 Message Modification (3/9)
52
4. Differential Attack on MD5
4.4 Message Modification (4/9)
53
4. Differential Attack on MD5
4.4 Message Modification (5/9)
  • Single-Message Modification (cont.)
  • By modifying each message word of message M0, all
    the conditions in round 1 of Table 4 hold. The
    first iteration differential holds with
    probability .
  • The same modification is applied to M1. After
    modification, the second iteration differential
    holds with probability .

54
4. Differential Attack on MD5
4.4 Message Modification (6/9)
  • Multi-Message Modification
  • It is even possible to fulfill a part of the
    conditions of the first 32 steps by a
    multi-message modification.
  • For example, if a5,32 = 1, we correct it into
    a5,32 = 0 by modifying m1, m2, m3, m4, m5 such
    that the modification generates a partial
    collision in steps 2-6 while all the conditions
    in round 1 still hold.

55
4. Differential Attack on MD5
4.4 Message Modification (7/9)
  • Multi-Message Modification (cont.)

56
4. Differential Attack on MD5
4.4 Message Modification (8/9)
57
4. Differential Attack on MD5
4.4 Message Modification (9/9)
  • Multi-Message Modification (cont.)
  • By our modification, 37 conditions in rounds 2-4
    are undetermined in Table 4, and 30
    conditions in rounds 2-4 are undetermined in
    Table 6.
  • So, the first iteration differential holds with
    probability , and the second iteration
    differential holds with probability .

58
4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (1/5)
59
4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (2/5)
60
4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (3/5)
  • The complexity of finding (M0, M0') doesn't
    exceed the time of running MD5
    operations.
  • To select another message M0 is only to change
    the last two words from the previously selected
    message M0.
  • So, finding (M0, M0') only needs about one-time
    single-message modification for the first 14
    words. This time can be neglected.

61
4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (4/5)
  • For each selected message M0, it only needs
    two-time single-message modifications for the
    last two words and 7-time multi-message
    modifications for correcting 7 conditions in the
    second round, and each multi-message modification
    only needs about a few step operations.
  • According to the probability of the first
    iteration differential, it is easy to know that
    the complexity of finding (M0, M0') does not
    exceed MD5 operations.
  • Similarly, we can show that the complexity of
    finding (M1, M1') does not exceed MD5
    operations.

62
4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (5/5)
63
OUTLINE
  1. Introduction
  2. Description of MD5
  3. Differential Attack for Hash Functions
  4. Differential Attack on MD5
  5. Summary

64
5. Summary (1/3)
  • This paper described a powerful attack against
    hash functions, and in particular showed that
    finding a collision of MD5 is easily feasible.
  • This attack is also able to break efficiently
    other hash functions, such as HAVAL-128, MD4,
    RIPEMD, and SHA-0.

65
5. Summary (2/3)
The analysis results for these hash functions are as follows
  1. The time complexity for finding a collision for
    MD4 is about MD4 operations without the
    multi-message modification, and is about
    MD4 operations with the multi-message
    modification.
  2. The time complexity for finding a collision for
    HAVAL-128 is about HAVAL-128 operations
    without the multi-message modification, and is
    HAVAL-128 operations with the
    multi-message modification.

66
5. Summary (3/3)
The analysis results for these hash functions are as follows
  3. The time complexity for finding a collision
    for RIPEMD is about RIPEMD operations
    without the multi-message modification, and is
    RIPEMD operations with the multi-message
    modification.
  4. The time complexity for finding a collision
    for SHA-0 is about SHA-0 operations
    without the multi-message modification, and is
    SHA-0 operations with the multi-message
    modification.

67
  • Thanks A Lot