Embed Size (px)
Citation preview
A Brief Summary and Demonstration of Hash functions Collisions
July 2011
1
Topics
2
Overview of attacks
MD5, SHA-0 and SHA-1 attack
Attack Demo
Hash Collision at present
3
Hash collision situations MD5 and SHA-0 already broken SHA-1 insecure
Real existing collisions algorithms and methods
The meaning of “Broken”
4
Hash function is cryptographically strong if no methods better than brute force are known (and n is big enough)
Hash function is cryptographically broken if a better method has been found
MD5 has n= 128, brute force cost for : Second preimage : 2n =2128 =3x1038
Collision : 2n/2 = 264 =2x1019
Bruce-force Attack Complexity
5
What is regarded as secure?
6
264 hash computations is at the edge of feasibility with realistic investments in equipment and time 128 bit hash not safe anymore against brute force collision
attack
280 hash computations is still infeasible unless with major investments in equipment and time 160 bit hash still safe against brute force collision attack
Today’s Cryptanalysis
7
(second) preimages: not known for MD5 (?), SHA-1, SHA-2
Collisions: MD5: easy SHA-1: doable with lot of effort, no collision has been found
yet SHA-2: no attack known
Topics
8
Overview of attacks
MD5, SHA-0 and SHA-1 attack
Attack Demo
MD5 Attack
9
2004 First collision for MD5 presented Two 128 byte messages with same MD5 hash value Identical prefix collision attack 15 minutes up to an hour on a IBM P690 with about 239
2005 Attack method released
2006 Chosen-prefix collision (CPC) attack Choose two arbitrary files (same length) Make them collide by appending 716 ‘random’ bytes
COLLISION IMPROVEMENTS
10
Rogue CA construction (<2048 bits) Cluster of 215 PlayStation3s
Performing like 8600 pc cores Complexity 250 using 30GB:
1 day on cluster Complexity 248.2 using a few TBs:
1 day on 20 PS3s and 1 pc 1 day on 8 NVIDIA GeForce GTX280s 1 day on Amazon EC2 at the cost of $2,000
Normal CPC Complexity approx. 239 (<1 day on quadcore pc)
MD5 Breakers
11
Xiaoyun Wang (China) collisions for MD5 in 2004 in a few hours on a big computer
Marc Stevens (Amsterdam) MSc thesis 2007, TU/e improved method, fully automated collisions can now be found in about
1 second on a standard laptop
Wang’s Collisions : Identical Prefix
12
identical prefix P
different collision blocks C, C’
identical suffix S
Steven’s Collisions : Chosen Prefix
13
Different prefixes P, P’
different collision blocks NC, NC’
identical suffix S
SHA-0 Attack
14
1998 Possible collisions attack with 261 operations
2004 Full collisions found with 251 operations 80,000 CPU hours with Itanium2
2004 Collisions with 240 operations for SHA-0, MD5 and other
2005 Collisions with 239 operations
SHA-1 Attack
15
2005 Collisons found in 280 operatons of reduced version of SHA-1--
53 out of 80 rounds 2006
SHA-1-64 with 235 operations 2010
SHA-1-73 with 235 operations Project HashClash : claim fully near collision attack with
estimated complexity of 257.5
Progress of Collision Attacks
16
Attack complexities for MD5, SHA-1 and SHA-2
Topics
17
Overview of attacks
MD5, SHA-0 and SHA-1 attack
Attack Demo
SHA-0 Vectors
18
$ openssl sha s1 s2 result : c9f160777d4086fe8095fba58b7e20c228a4006b
a766a602 b65cffe7 73bcf258 26b322b3 d01b1a97 2684ef53 3e3b4b7f 53fe376224c08e47 e959b2bc 3b519880 b9286568 247d110f 70f5c5e2 b4590ca3 f55f52feeffd4c8f e68de835 329e603c c51e7f02 545410d1 671d108d f5a4000d cf20a4394949d72c d14fbb03 45cf3a29 5dcda89f 998f8755 2c9a58b1 bdc38483 5e477185f96e68be bb0025d2 d2b69edf 21724198 f688b41d eb9b4913 fbe696b5 457ab39921e1d759 1f89de84 57e8613c 6c9e3b24 2879d4d8 783b2d9c a9935ea5 26a729c06edfc501 37e69330 be976012 cc5dfe1c 14c4c68b d1db3ecb 24438a59 a09b5db435563e0d 8bdf572f 77b53065 cef31f32 dc9dbaa0 4146261e 9994bd5c d0758e3d
a766a602 b65cffe7 73bcf258 26b322b1 d01b1ad7 2684ef51 be3b4b7f d3fe3762a4c08e45 e959b2fc 3b519880 39286528 a47d110d 70f5c5e0 34590ce3 755f52fc6ffd4c8d 668de875 329e603e 451e7f02 d45410d1 e71d108d f5a4000d cf20a4394949d72c d14fbb01 45cf3a69 5dcda89d 198f8755 ac9a58b1 3dc38481 5e4771c5796e68fe bb0025d0 52b69edd a17241d8 7688b41f 6b9b4911 7be696f5 c57ab399a1e1d719 9f89de86 57e8613c ec9e3b26 a879d498 783b2d9e 29935ea7 a6a729806edfc503 37e69330 3e976010 4c5dfe5c 14c4c689 51db3ecb a4438a59 209b5db435563e0d 8bdf572f 77b53065 cef31f30 dc9dbae0 4146261c 1994bd5c 50758e3d
MD5 vectors
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c 2f ca b5 87 12 46 7e ab 40 04 58 3e b8 fb 7f 89 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 71 41 5a 08 51 25 e8 f7 cd c9 9f d9 1d bd f2 80 37 3c 5b d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e2 b4 87 da 03 fd 02 39 63 06 d2 48 cd a0 e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 a8 0d 1e c6 98 21 bc b6 a8 83 93 96 f9 65 2b 6f f7 2a 70
d1 31 dd 02 c5 e6 ee c4 69 3d 9a 06 98 af f9 5c 2f ca b5 07 12 46 7e ab 40 04 58 3e b8 fb 7f 89 55 ad 34 06 09 f4 b3 02 83 e4 88 83 25 f1 41 5a 08 51 25 e8 f7 cd c9 9f d9 1d bd 72 80 37 3c 5b d8 82 3e 31 56 34 8f 5b ae 6d ac d4 36 c9 19 c6 dd 53 e2 34 87 da 03 fd 02 39 63 06 d2 48 cd a0 e9 9f 33 42 0f 57 7e e8 ce 54 b6 70 80 28 0d 1e c6 98 21 bc b6 a8 83 93 96 f9 65 ab 6f f7 2a 70
Each of these blocks has MD5 hash 79054025255fb1a26e4bc422aef54eb4
MD5 Collision demo
$ ls -al
total 16
drwxr-xr-x 4 admin staff 136 Jul 16 17:05 .
drwxr-xr-x 9 admin staff 306 Jul 16 16:40 ..
-rwxr--r-- 1 admin staff 128 Jul 14 11:34 v1
-rwxr--r-- 1 admin staff 128 Jul 14 11:35 v2
$ md5 v*; openssl dgst -sha1 v*
MD5 (v1) = 79054025255fb1a26e4bc422aef54eb4
MD5 (v2) = 79054025255fb1a26e4bc422aef54eb4
SHA1(v1)= a34473cf767c6108a5751a20971f1fdfba97690a
SHA1(v2)= 4283dd2d70af1ad3c2d5fdc917330bf502035658
Concat File Equivalence
21
$ ls >f1
$ cat v1 f1 >w1
$ cat v2 f1 >w2
$ ls -al
total 40
drwxr-xr-x 7 admin staff 238 Jul 16 17:07 .
drwxr-xr-x 9 admin staff 306 Jul 16 16:40 ..
-rw-r--r-- 1 admin staff 9 Jul 16 17:06 f1
-rwxr--r-- 1 admin staff 128 Jul 14 11:34 v1
-rwxr--r-- 1 admin staff 128 Jul 14 11:35 v2
-rw-r--r-- 1 admin staff 137 Jul 16 17:07 w1
-rw-r--r-- 1 admin staff 137 Jul 16 17:07 w2
$ md5 w*; openssl dgst -sha1 w*
MD5 (w1) = e9dc7f025001005370d9140168895489
MD5 (w2) = e9dc7f025001005370d9140168895489
SHA1(w1)= d867ab657437652d1cd9df9b4c89d9810f35fc24
SHA1(w2)= 2e05a71ff6c16f57d6ca935a47360de6aefcfad5
But how’s about
22
$ md5 -s windows
MD5 ("windows") = 0f4137ed1502b5045d6083aa258b5c42
http://md5.rednoize.com/
Conclusions The Internet is not completely broken
The affected CAs are switching to SHA-1
