MD5 Collisions Isabelle Stanton Chalermpong Worawannotai

Page 1: MD5 Collisions

MD5 Collisions

Isabelle Stanton

Chalermpong Worawannotai

Page 2: MD5 Collisions

Description of MD5

Takes any message and outputs a 128-bit hash.

A message is padded so that its length is a multiple of 512 bits by concatenating a 1, then 0s, and its length as a 64-bit number.

Each 512-bit block is compressed individually.

Page 3: MD5 Collisions

Continued Description

The 512-bit block is divided into 16 32-bit words.

There are 4 32-bit registers a, b, c and d. These are initially loaded with $IV_0$ and carry the hash values from one 512-bit block to the next.

It works in an iterative (chaining) process:

$H_{i+1} = f(H_i, M_i)$, with $IV_0 = H_0$,

where $M_i$ is a 512-bit block.

Page 4: MD5 Collisions

Hash Chaining

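[Diagram: hash chaining. $H_0 = IV_0$ is fixed. f takes $H_0$ and $M_1$ and produces $H_1$; f takes $H_1$ and $M_2$ and produces $H_2$; and so on until f takes $M_n$ and produces $H_n = H$. Each $M_i$ is 512 bits and each $H_i$ is 128 bits.]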

Page 5: MD5 Collisions

One small step

For each f there are 4 rounds and each round has 16 steps

$T_i$ and $S_i$ are fixed constants that depend only on the step.

Courtesy of www.wikipedia.org

Page 6: MD5 Collisions

The Rounds

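$M_i = (w_0, \dots, w_{15})$

For fixed $i$, 4 consecutive steps will yield

$a_{i+4} = b_i + ((a_i + F_i(b_i, c_i, d_i) + w_i + t_i) \lll s_i)$

$d_{i+4} = a_i + ((d_i + F_{i+1}(a_i, b_i, c_i) + w_{i+1} + t_{i+1}) \lll s_{i+1})$

$c_{i+4} = d_i + ((c_i + F_{i+2}(d_i, a_i, b_i) + w_{i+2} + t_{i+2}) \lll s_{i+2})$

$b_{i+4} = c_i + ((b_i + F_{i+3}(c_i, d_i, a_i) + w_{i+3} + t_{i+3}) \lll s_{i+3})$

$t_i$ and $s_i$ are predefined step-dependent constants.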

Page 7: MD5 Collisions

The Non-Linear Functions

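$F_i$ changes every 16 steps:

$F_i(X,Y,Z) = (X \wedge Y) \vee (\neg X \wedge Z)$, $0 \le i \le 15$

$F_i(X,Y,Z) = (X \wedge Z) \vee (Y \wedge \neg Z)$, $16 \le i \le 31$

$F_i(X,Y,Z) = X \oplus Y \oplus Z$, $32 \le i \le 47$

$F_i(X,Y,Z) = Y \oplus (X \vee \neg Z)$, $48 \le i \le 63$

This provides non-linearity, so you cannot extract the message from the hash.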

Page 8: MD5 Collisions

Finding Collisions

MD5 has a 128-bit hash, so a brute-force attack to find a collision requires at most $2^{128}$ applications of MD5, and $2^{64}$ by the birthday paradox.

Xiaoyun Wang and Hongbo Yu have an attack that requires $2^{39}$ operations.

This attack takes at most an hour and 5 minutes on an IBM P690 (supercomputer).

Page 9: MD5 Collisions

Recall: Differential Cryptanalysis

Find a particular $\Delta M$ such that a particular $\Delta H$ occurs with high probability.

In the collision case, we want $\Delta H = 0$.

Page 10: MD5 Collisions

Differentials

The attack uses two types of differentials:

XOR differential: $\Delta X = X \oplus X'$

Modular differential: $\Delta X = X - X' \bmod 2^{32}$

For $M = (m_0, \dots, m_{n-1})$ and $M' = (m'_0, \dots, m'_{n-1})$, messages of length $512n$ bits, the full hash differential is

$\Delta H_0 \to \Delta H_1 \to \dots \to \Delta H_n = \Delta H$

If $M$ and $M'$ are a collision pair, $\Delta H = 0$.

Page 11: MD5 Collisions

Round differentials

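$\Delta H_i \to \Delta H_{i+1}$ can be split into round differentials as well:

$\Delta H_i \xrightarrow{P_0} \Delta R_0 \xrightarrow{P_1} \Delta R_1 \xrightarrow{P_2} \Delta R_2 \xrightarrow{P_3} \Delta R_3 = \Delta H_{i+1}$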

Page 12: MD5 Collisions

Probability

Each of these differentials has a probabilistic relationship with the next.

Ideally, we’d like to be able to set up 2 messages where we can guarantee with probability 1 that ΔH=0

This can be assured by modifying M so the first round differential will be what you want

More modifications will improve the probability for the second, third and fourth round differentials

ΔM0 has been picked to improve this as well

Page 13: MD5 Collisions

The Attack

Find $M = (M_0, M_1)$ and $M' = (M'_0, M'_1)$ such that

$\Delta M_0 = M'_0 - M_0 = (0,0,0,0,2^{31},0,0,0,0,0,0,2^{15},0,0,2^{31},0)$

$\Delta M_1 = M'_1 - M_1 = (0,0,0,0,2^{31},0,0,0,0,0,0,-2^{15},0,0,2^{31},0)$

$\Delta H_1 = (2^{31}, 2^{31}+2^{25}, 2^{31}+2^{25}, 2^{31}+2^{25})$

i.e. $M_0$ and $M'_0$ differ in the 5th, 12th and 15th words only. The same holds for $M_1$ and $M'_1$.

Not every pair of messages with these differences is a collision.

$\Delta M_0$ has been picked to improve the probability that the round differentials will hold.

Page 14: MD5 Collisions

Message Modification

It is easy to modify a message word so that the first non-zero step differential (after the 5th step) is anything you want with probability 1

Modify multiple words to guarantee the round differentials with high probability

Each modification to make one condition hold may make another not hold

Page 15: MD5 Collisions

Sufficient Conditions

$\Delta w_5$ is the first non-zero differential.

At the 8th step, $\Delta w_5$ has affected a, d and c, so $(\Delta c_2, \Delta d_2, \Delta a_2, \Delta b_1) \to \Delta b_2$, since $\Delta b_1 = 0$.

There are 13 conditions on $a_2$, $c_2$ and $d_2$ that will guarantee $\Delta b_2$ to be whatever you like with high probability.

For $M_0$ there are 30 characteristics with between 1 and 28 conditions each, and for $M_1$ there are 29 characteristics with between 2 and 25 conditions each, for well over 200 conditions.

Page 16: MD5 Collisions

Conditions for bi

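$b_{1,7} = 0$, $b_{1,8} = c_{1,8}$, $b_{1,9} = c_{1,9}$, $b_{1,10} = c_{1,10}$, $b_{1,11} = c_{1,11}$, $b_{1,12} = 1$,

$b_{1,13} = c_{1,13}$, $b_{1,14} = c_{1,14}$, $b_{1,15} = c_{1,15}$, $b_{1,16} = c_{1,16}$, $b_{1,17} = c_{1,17}$, $b_{1,18} = c_{1,18}$,

$b_{1,19} = c_{1,19}$, $b_{1,20} = 1$, $b_{1,21} = c_{1,21}$, $b_{1,22} = c_{1,22}$, $b_{1,23} = c_{1,23}$, $b_{1,24} = 0$,

$b_{1,32} = 1$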
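
The single-word modification from the Message Modification slide, applied to the b1 conditions listed above, as an added example (not code from the original slides): step 4 is inverted to solve for the message word w3 that makes every condition hold. Assumptions: bit 1 is the least significant bit, b1 is the output of step 4 and c1 the output of step 3, and all function names are this example's own.

```python
import math, random
MASK = 0xFFFFFFFF
IV0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)       # a0, b0, c0, d0
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(4)]     # t_0..t_3
S = (7, 12, 17, 22)                                                   # s_0..s_3

# Conditions on b1 from the slide, as bit positions.
ZERO, ONE = (7, 24), (12, 20, 32)
EQ_C1 = (8, 9, 10, 11, 13, 14, 15, 16, 17, 18, 19, 21, 22, 23)

def bit(j):                       # assumption: bit 1 is the least significant bit
    return 1 << (j - 1)
def rol(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK
def F(x, y, z):                   # round-1 non-linear function
    return (x & y) | (~x & z)
def step(old, x, y, z, w, i):     # x + ((old + F(x, y, z) + w + t_i) <<< s_i)
    return (x + rol((old + F(x, y, z) + w + T[i]) & MASK, S[i])) & MASK

def first_four_steps(w):          # returns (a1, b1, c1, d1)
    a0, b0, c0, d0 = IV0
    a1 = step(a0, b0, c0, d0, w[0], 0)
    d1 = step(d0, a1, b0, c0, w[1], 1)
    c1 = step(c0, d1, a1, b0, w[2], 2)
    b1 = step(b0, c1, d1, a1, w[3], 3)
    return a1, b1, c1, d1

def conditions_hold(b1, c1):
    return (all(not b1 & bit(j) for j in ZERO) and all(b1 & bit(j) for j in ONE)
            and all(not (b1 ^ c1) & bit(j) for j in EQ_C1))

def modify_w3(w):
    a1, b1, c1, d1 = first_four_steps(w)
    for j in ZERO:
        b1 &= ~bit(j)
    for j in ONE:
        b1 |= bit(j)
    for j in EQ_C1:
        b1 = (b1 & ~bit(j)) | (c1 & bit(j))
    # Invert step 4: undo the addition of c1 and the rotation, then solve for w3.
    x = rol((b1 - c1) & MASK, 32 - S[3])
    w3 = (x - IV0[1] - F(c1, d1, a1) - T[3]) & MASK
    return w[:3] + [w3] + w[4:]

def demo(seed=1):                 # constructed input: a seeded random block
    rng = random.Random(seed)
    w = [rng.getrandbits(32) for _ in range(16)]
    a1, b1, c1, d1 = first_four_steps(modify_w3(w))
    return conditions_hold(b1, c1)
```

Only w3 changes, so a1, d1 and c1 keep their values. Later conditions constrain registers that depend on several words at once, which is where one fix can break another.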

Page 17: MD5 Collisions

Technique for M0

Select a random $M_0$.

Modify $M_0$ so that as many of the conditions hold as possible.

Create $M'_0 = M_0 + \Delta M_0$.

This will result in $\Delta H_1$ with probability $2^{-37}$.

Test that this works.

This doesn’t require more than $2^{39}$ MD5 operations.

Page 18: MD5 Collisions

Technique for M1

Select a random message $M_1$.

Modify $M_1$ so it meets the conditions.

M1’ =M1+ ΔM0

Starting with $\Delta H_1$ as IV, the probability that $H(M_1) = H(M'_1)$ is $2^{-30}$.

Test the pair of messages for collisions

Page 19: MD5 Collisions

Creating More Collisions

There are many M1s that will collide with any properly crafted M0

You can also change the last two words of M0 and maintain the conditions

This reduces the amount of work needed

Page 20: MD5 Collisions

Actual Collisions

M0 = 2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f ab7e4612 3e580440 897ffbb8 634ad55 2b3f409 8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780

M1=d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35

M0’=2dd31d1 c4eee6c5 69a3d69 5cf9af98 7b5ca2f ab7e4612 3e580440 897ffbb8 634ad55 2b3f409 8388e483 5a41f125 e8255108 9fc9cdf7 72bd1dd9 5b3c3780

M1’=d11d0b96 9c7b41dc f497d8e4 d555655a 479a7335 cfdebf0 66f12930 8fb109d1 797f2775 eb5cd530 baade822 5c154c79 ddcb74ed 6dd3c55f 580a9bb1 e3a7cc35

Hash: 9603161f a30f9dbf 9f65ffbc f41fc7ef
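
An added check of the blocks above (example code, not from the original slides): it derives M0' and M1' from M0, M1 and the differentials on the attack slide, runs the chaining function f from the description slides, and reports the differential after each block together with whether `hashlib`'s MD5 of the two 1024-bit messages agrees. Assumptions: words are serialized little-endian, and every function and variable name is this example's own.

```python
import hashlib, math, struct
MASK = 0xFFFFFFFF
IV0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)      # H0 = (a, b, c, d)
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(64)]   # t_i
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

def words(s):
    return [int(x, 16) for x in s.split()]
# Blocks and differentials as listed on the slides (32-bit words).
M0 = words("2dd31d1 c4eee6c5 69a3d69 5cf9af98 87b5ca2f ab7e4612 3e580440 897ffbb8 "
           "634ad55 2b3f409 8388e483 5a417125 e8255108 9fc9cdf7 f2bd1dd9 5b3c3780")
M1 = words("d11d0b96 9c7b41dc f497d8e4 d555655a c79a7335 cfdebf0 66f12930 8fb109d1 "
           "797f2775 eb5cd530 baade822 5c15cc79 ddcb74ed 6dd3c55f d80a9bb1 e3a7cc35")
DM0 = [0, 0, 0, 0, 2**31, 0, 0, 0, 0, 0, 0, 2**15, 0, 0, 2**31, 0]
DM1 = [0, 0, 0, 0, 2**31, 0, 0, 0, 0, 0, 0, -2**15, 0, 0, 2**31, 0]

def compress(h, w):                      # f(H_i, M_i): 4 rounds of 16 steps
    a, b, c, d = h
    for i in range(64):
        if i < 16:
            f, k = (b & c) | (~b & d), i
        elif i < 32:
            f, k = (b & d) | (c & ~d), (5 * i + 1) % 16
        elif i < 48:
            f, k = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, k = c ^ (b | (~d & MASK)), (7 * i) % 16
        x = (a + f + w[k] + T[i]) & MASK
        rot = ((x << S[i]) | (x >> (32 - S[i]))) & MASK
        a, d, c, b = d, c, b, (b + rot) & MASK
    return tuple((p + q) & MASK for p, q in zip(h, (a, b, c, d)))

def chain(blocks):                       # [H_1, ..., H_n] from IV0, no padding
    hs = [IV0]
    for w in blocks:
        hs.append(compress(hs[-1], w))
    return hs[1:]

def add_diff(m, dm):                     # M' = M + dM, word-wise mod 2^32
    return [(x + y) & MASK for x, y in zip(m, dm)]
def delta(hp, h):                        # H' - H, word-wise mod 2^32
    return tuple((p - q) & MASK for p, q in zip(hp, h))
def to_bytes(blocks):                    # assumption: little-endian words
    return b"".join(struct.pack("<16I", *w) for w in blocks)

def collision_trace():
    m, mp = [M0, M1], [add_diff(M0, DM0), add_diff(M1, DM1)]
    (h1, h2), (h1p, h2p) = chain(m), chain(mp)
    same = hashlib.md5(to_bytes(m)).digest() == hashlib.md5(to_bytes(mp)).digest()
    return delta(h1p, h1), delta(h2p, h2), same
```

`collision_trace()` returns the differential after the first block, the differential after the second block, and the `hashlib` comparison. Because the chaining values are equal after the second block, any common suffix appended to both messages leaves the digests equal.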

Page 21: MD5 Collisions

References

How To Break MD5 and Other Hash Functions – Xiaoyun Wang and Hongbo Yu (they did the SHA-1 break as well)

Guide to Hash Functions http://unixwiz.net/techtips/iguide-crypto-hashes.html

Cryptographic Hash Lounge (lists what functions have been broken and links to how) http://planeta.terra.com.br/informatica/paulobarreto/hflounge.html

Questions?