How to Break MD5 and Other Hash Functions

Xiaoyun Wang (王小雲) and Hongbo Yu (於紅波)
Cryptography & Information Security, Shandong University, China

Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings.

Presented by: Henrry, C.Y. Chiang (江政祐)
2015/11/6 OPLAB, Dep. of Information Management, NTU

EUROCRYPT (1/1)
• Eurocrypt (or EUROCRYPT) is an important conference for cryptography research.
• The full name of the conference is currently the Annual International Conference on the Theory and Applications of Cryptographic Techniques, but this has not always been its name.
• Eurocrypt is held annually in the spring in various locations throughout Europe.
• The first workshop in the series of conferences that became known as Eurocrypt was held in 1982.
• In 1984, the name "Eurocrypt" was first used. Generally, there have been published proceedings including all papers at the conference every year.

About The Author (1/2)
• Xiaoyun Wang (Simplified Chinese: 王小云; Traditional Chinese: 王小雲) (born 1966) is a researcher and professor in the Department of Mathematics and System Science, Shandong University, Shandong, China.

About The Author (2/2)
• At the rump session of CRYPTO 2004, she and co-authors demonstrated collision attacks against MD5, SHA-0 and other related hash functions. They received a standing ovation for their work.
• In February 2005 it was reported that Wang and co-authors had found a method to find collisions in the SHA-1 hash function, which is used in many of today's mainstream security products.
• She gained bachelor's (1987), master's (1990) and doctorate (1993) degrees at Shandong University, and subsequently lectured in the mathematics department from 1993. Wang was appointed assistant professor in 1995, and full professor in 2001.

OUTLINE
1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
5. Summary

1. Introduction (1/6)
• People know that digital signatures are very important in information security.
• The security of digital signatures depends on the cryptographic strength of the underlying hash functions.
• Hash functions also have many other applications such as data integrity, group signature, e-cash and many other cryptographic protocols.
• Nowadays, there are two widely used hash functions – MD5 and SHA-1.

1. Introduction (2/6)
• MD5 is one of the most widely used cryptographic hash functions nowadays.
• It was designed in 1992 as an improvement of MD4.
• In this paper we present a new powerful attack on MD5 which allows us to find collisions efficiently.
• We used this attack to find collisions of MD5 in about 15 minutes up to an hour of computation time.

1. Introduction (3/6)
• The attack is a differential attack which, unlike most differential attacks, does not use the exclusive-or as a measure of difference, but instead uses modular integer subtraction as the measure.
• An application of this attack to MD4 can find a collision in less than a fraction of a second.
• This attack is also applicable to other hash functions, such as RIPEMD and HAVAL.

1. Introduction (4/6)
• In this paper, we want to find a pair (M0, M1) and (M0’, M1’) such that
• We show that such collisions of MD5 can be found efficiently, where finding the first blocks (M0, M0’) takes about 2^39 MD5 operations, and finding the second blocks (M1, M1’) takes about 2^32 MD5 operations.

1. Introduction (5/6)

1. Introduction (6/6)
Birthday Attack (2^64 MD5 operations)

2. Description of MD5 (1/5)
• Generally a hash function is iterated by a compression function X = f(Z) which compresses an l-bit message block Z to an s-bit hash value X, where l > s.
• For MD5, l = 512 and s = 128.
• For a padded message M whose length is a multiple of l bits, the iterating process is as follows:

2. Description of MD5 (2/5)
• In the above iterating process, we omit the padding method because it has no influence on our attack.

2. Description of MD5 (3/5)

2. Description of MD5 (4/5)

2. Description of MD5 (5/5)

OUTLINE
1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
   3.1 The Modular Differential and the XOR Differential
   3.2 Differential Attacks on Hash Functions
   3.3 Optimized Collision Differentials for Hash Functions
4. Differential Attack on MD5
5. Summary

3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (1/7)
• The most important analysis method for hash functions is the differential attack, which is also one of the most important methods for analyzing block ciphers.
• In general, the differential attack, especially in block ciphers, is a kind of XOR differential attack which uses exclusive-or as the difference.
• Differential cryptanalysis is a method which analyzes the effect of particular differences in plaintext pairs on the differences of the resultant ciphertext pairs.

3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (2/7)
• The differential definition in this paper is a kind of precise differential which uses the difference in terms of integer modular subtraction.
• We also use integer modular subtraction and the differences in terms of XOR.
• The combination of both kinds of differences gives us more information than either of them keeps by itself.

3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (3/7)
• For example, when the modular integer subtraction difference is for some value X, the XOR difference can have many possibilities, which are
1. One-bit difference in bit 7, i.e., 0x00000040. In this case which means that bit 7 in X’ is 1 and bit 7 in X is 0.
   X’ = 0100 0000
   X  = 0000 0000
2. Two-bit difference, in which a different carry is transferred from bit 7 to bit 8, i.e., 0x000000C0.
   X’ = 1000 0000
   X  = 0100 0000

3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (4/7)
3. Three-bit difference, in which a different carry is transferred from bit 7 to bit 8 and then to bit 9, i.e., 0x000001C0.
   X’ = 0001 0000 0000
   X  = 0000 1100 0000
4. Similarly, there can be more carries to further bits, and the binary form of X’ is 1000…, and of X is 0111….
5. In case the former difference is negative, the XOR differences still look the same, but the values of X and X’ are exchanged (i.e., X is of the form 1000…, and X’ of the form 0111…).

3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (5/7)
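
Added example (not part of the original slides or the paper): the carry cases listed above, enumerated in Python, together with a signed-bit view that records which direction each bit flips. It assumes the modular difference in the slide's example is X’ - X = 2^6, which is what the one-bit case 0x00000040 implies; the function names and the signed-bit output format are this example's own.

```python
from collections import Counter


def xor_diff(x, delta, width=32):
    """XOR difference X' ^ X for X' = X + delta (mod 2^width)."""
    mask = (1 << width) - 1
    return ((x + delta) & mask) ^ (x & mask)


def possible_xor_diffs(bit, width=32):
    """Every XOR difference that |X' - X| = 2^bit (0-based bit) can produce.

    The carry (or borrow) runs upward from `bit` until it is absorbed, so the
    flipped bits form a run of ones starting at `bit`, at most up to the top bit.
    """
    return [((1 << n) - 1) << bit for n in range(1, width - bit + 1)]


def signed_bits(x, x_prime):
    """1-based positions that differ: +j if bit j goes 0 -> 1, -j if 1 -> 0."""
    out = []
    for j in range(max(x.bit_length(), x_prime.bit_length())):
        if ((x ^ x_prime) >> j) & 1:
            out.append(j + 1 if (x_prime >> j) & 1 else -(j + 1))
    return out


def xor_distribution(bit, width):
    """Exhaustive count of XOR differences over all X (use a small width)."""
    return Counter(xor_diff(x, 1 << bit, width) for x in range(1 << width))


if __name__ == "__main__":
    # The three cases on the slides: X = 0x00, 0x40, 0xC0 with X' = X + 2^6.
    for x in (0x00, 0x40, 0xC0):
        xp = (x + 0x40) & 0xFFFFFFFF
        print(f"X={x:#05x} X'={xp:#05x} xor={x ^ xp:#010x} signed={signed_bits(x, xp)}")
    # On 10-bit words each longer carry is half as likely as the previous one,
    # except at the top bit, where the carry falls off the end of the word.
    for diff, count in sorted(xor_distribution(6, 10).items()):
        print(f"xor={diff:#06x} count={count}")
```

The same modular difference therefore maps to many XOR differences, and the signed-bit list is what distinguishes them: it fixes both the flipped positions and the bit values of X.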

3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (6/7)

3. Differential Attack for Hash Functions
3.1 The Modular Differential and the XOR Differential (7/7)
• Compared with earlier modular differential attacks, our attack has the following advantages:
1. Our attack finds collisions with two iterations, i.e., each message in the collision includes two message blocks (1024-bit).
2. Our attack is a precise differential attack in which the characteristics are more restrictive than those usually used, and they give values of bits in addition to the differences.
3. Our attack gives a set of sufficient conditions which ensure that the differential occurs.
4. Our attack uses a message modification technique to greatly improve the collision probability.

3. Differential Attack for Hash Functions
3.2 Differential Attacks on Hash Functions (1/2)
• The difference for two parameters X and X’ is defined as
• For any two messages M and M’ with l-bit multiples, a full differential for a hash function is defined as follows:
where is the initial value difference which equals zero. is the output difference for the two messages. is the output difference for the i-th iteration, and also is the initial difference for the next iteration.

3. Differential Attack for Hash Functions
3.2 Differential Attacks on Hash Functions (2/2)

3. Differential Attack for Hash Functions
3.3 Optimized Collision Differentials for Hash Functions (1/2)
• Our attack uses a message modification technique to improve the collision probability.
• According to the modification technique, we can get a rough method to search for optimized differentials of a hash function.

3. Differential Attack for Hash Functions
3.3 Optimized Collision Differentials for Hash Functions (2/2)
• There are two kinds of message modifications:

OUTLINE
1. Introduction
2. Description of MD5
3. Differential Attack for Hash Functions
4. Differential Attack on MD5
   4.1 Notation
   4.2 Collision Differentials for MD5
   4.3 Sufficient Conditions for the Characteristics to Hold
   4.4 Message Modification
   4.5 The Differential Attack on MD5
5. Summary

4. Differential Attack on MD5
4.1 Notation (1/1)

4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (1/5)
• Our attack can find many real collisions which are composed of two 1024-bit messages and with the original initial value of MD5:
• We select a collision differential with two iterations as follows:

4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (2/5)

4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (3/5)
Why does the author choose this collision differential?

4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (4/5)
Table columns: Step; Chaining Variable for M0; Message Word for M0; Shift Rotation; Message Word Difference; Chaining Variable Difference; Chaining Variable for M0’
In particular, empty items in the fifth and sixth columns denote zero differences, and steps that are not listed in the table have zero differences for both message words and chaining variables.

4. Differential Attack on MD5
4.2 Collision Differentials for MD5 (5/5)

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (1/9)
• We describe how to derive a set of sufficient conditions which guarantee that the differential characteristic in Step 8 of MD5 (Table 3) holds. Other conditions can be derived similarly.
• The differential characteristic in Step 8 of MD5 is:
• Each chaining variable satisfies one of the following equations.

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (2/9)

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (3/9)
• According to the operations in the 8-th step, we have

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (4/9)
• We get a set of sufficient conditions that ensure the differential characteristic holds:

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (5/9)

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (6/9)

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (7/9)

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (8/9)
By a similar method, we can derive a set of sufficient conditions (Table 4 and Table 6) which guarantee that all the differential characteristics in the collision differential hold.

4. Differential Attack on MD5
4.3 Sufficient Conditions for the Characteristics to Hold (9/9)

4. Differential Attack on MD5
4.4 Message Modification (1/9)
Single-Message Modification
• In order to make the attack efficient, it is very attractive to improve over the probabilistic method by fixing some of the message words so that they fulfill some of the conditions a priori.
• We observe that it is very easy to generate messages that fulfill all the conditions of the first 16 steps of MD5. We call it single-message modification.
• For each message block M0 (or similarly M1) and intermediate values (H0, or for the second block H1 and H1’), we apply the following procedures to modify M0 (or M1), so that all the conditions of round 1 (the first 16 steps) in Table 4 and Table 6 hold.

4. Differential Attack on MD5
4.4 Message Modification (2/9)
Single-Message Modification (cont.)
• It is easy to modify M0 such that the conditions of round 1 in Table 4 hold with probability 1.
• For example, to ensure that 3 conditions for c1 in Table 4 hold, we modify m2 as follows:

4. Differential Attack on MD5
4.4 Message Modification (3/9)

4. Differential Attack on MD5
4.4 Message Modification (4/9)

4. Differential Attack on MD5
4.4 Message Modification (5/9)
Single-Message Modification (cont.)
• By modifying each message word of message M0, all the conditions in round 1 of Table 4 hold. The first iteration differential holds with probability 2^-43.
• The same modification is applied to M1. After modification, the second iteration differential holds with probability 2^-37.

4. Differential Attack on MD5
4.4 Message Modification (6/9)
Multi-Message Modification
• It is even possible to fulfill a part of the conditions of the first 32 steps by a multi-message modification.
• For example, if a5,32 = 1, we correct it to a5,32 = 0 by modifying m1, m2, m3, m4, m5 such that the modification generates a partial collision in steps 2-6 and all the conditions in round 1 still hold.
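
Added example (not code from the slides or from Wang and Yu): the single-message modification described on the 4.4 slides (1/9 to 5/9), generalized from the c1/m2 case to any of the first 16 steps of MD5. The bit positions in SAMPLE_CONDITIONS are constructed for illustration because Table 4 is not reproduced on this page, and the message word is re-solved by exactly inverting the MD5 step; round1, bits and SAMPLE_CONDITIONS are names chosen here.

```python
import math
import random

MASK = 0xFFFFFFFF
# Standard MD5 parameters (RFC 1321): additive constants, round-1 rotations, IV.
T = [int(abs(math.sin(i + 1)) * 2**32) & MASK for i in range(16)]
S = [7, 12, 17, 22] * 4
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rol(x, s):
    """Rotate a 32-bit word left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK


def f(x, y, z):
    """Round-1 boolean function F(X, Y, Z) = (X AND Y) OR (NOT X AND Z)."""
    return (x & y) | (~x & z & MASK)


def bits(*positions):
    """Mask with the given 1-based bit positions set."""
    return sum(1 << (p - 1) for p in positions)


def round1(m, conditions=None):
    """Run the first 16 steps of MD5 on 16 message words.

    `conditions` maps a 0-based step to (zero_mask, one_mask) for that step's
    output. Each conditioned output is corrected, and the message word used in
    that step is re-solved so that the corrected output is what MD5 computes.
    Returns (message_words, step_outputs).
    """
    m = list(m)
    a, b, c, d = IV
    outputs = []
    for i in range(16):
        out = (b + rol((a + f(b, c, d) + m[i] + T[i]) & MASK, S[i])) & MASK
        zero_mask, one_mask = (conditions or {}).get(i, (0, 0))
        wanted = (out & ~zero_mask & MASK) | one_mask
        if wanted != out:
            # Invert the step: remove b, rotate right by S[i], then subtract
            # every term except the message word.
            m[i] = (rol((wanted - b) & MASK, 32 - S[i]) - a - f(b, c, d) - T[i]) & MASK
            out = wanted
        outputs.append(out)
        a, b, c, d = d, out, b, c
    return m, outputs


# Constructed sample conditions (NOT the paper's Table 4): force three bits of
# c1, the output of step 3 (0-based step 2, message word m2), to zero.
SAMPLE_CONDITIONS = {2: (bits(7, 12, 20), 0)}

if __name__ == "__main__":
    rng = random.Random(2005)  # constructed random block
    block = [rng.getrandbits(32) for _ in range(16)]
    fixed, outs = round1(block, SAMPLE_CONDITIONS)
    print(f"m2: {block[2]:#010x} -> {fixed[2]:#010x}, c1 = {outs[2]:#010x}")
```

Each correction costs one step inversion and succeeds with probability 1, which is why only the conditions outside round 1 contribute to the probabilities quoted on the slides.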

4. Differential Attack on MD5
4.4 Message Modification (7/9)
Multi-Message Modification (cont.)

4. Differential Attack on MD5
4.4 Message Modification (8/9)

4. Differential Attack on MD5
4.4 Message Modification (9/9)
Multi-Message Modification (cont.)
• By our modification, 37 conditions in rounds 2-4 are undetermined in Table 4, and 30 conditions in rounds 2-4 are undetermined in Table 6.
• So, the first iteration differential holds with probability 2^-37, and the second iteration differential holds with probability 2^-30.

4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (1/5)

4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (2/5)

4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (3/5)
• The complexity of finding (M0, M0’) doesn’t exceed the time of running 2^39 MD5 operations.
• To select another message M0, we only change the last two words of the previously selected message M0.
• So, finding (M0, M0’) only needs about one single-message modification for the first 14 words. This time can be neglected.

4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (4/5)
• Each selected message M0 only needs two single-message modifications for the last two words and 7 multi-message modifications for correcting 7 conditions in the second round, and each multi-message modification only needs about a few step operations.
• According to the probability of the first iteration differential, it is easy to see that the complexity of finding (M0, M0’) does not exceed 2^39 MD5 operations.
• Similarly, we can show that the complexity of finding (M1, M1’) does not exceed 2^32 MD5 operations.

4. Differential Attack on MD5
4.5 The Differential Attack on MD5 (5/5)

5. Summary (1/3)
• This paper described a powerful attack against hash functions, and in particular showed that finding a collision of MD5 is easily feasible.
• This attack is also able to efficiently break other hash functions, such as HAVAL-128, MD4, RIPEMD, and SHA-0.

5. Summary (2/3)
The analysis results for these hash functions are as follows:
1. The time complexity for finding a collision for MD4 is about 2^23 MD4 operations without the multi-message modification, and is about 2^8 MD4 operations with the multi-message modification.
2. The time complexity for finding a collision for HAVAL-128 is about 2^13 HAVAL-128 operations without the multi-message modification, and is 2^7 HAVAL-128 operations with the multi-message modification.

5. Summary (3/3)
The analysis results for these hash functions are as follows:
3. The time complexity for finding a collision for RIPEMD is about 2^30 RIPEMD operations without the multi-message modification, and is 2^18 RIPEMD operations with the multi-message modification.
4. The time complexity for finding a collision for SHA-0 is about 2^61 SHA-0 operations without the multi-message modification, and is 2^45 SHA-0 operations with the multi-message modification.

The End
Thanks A Lot
政祐's Presentation