Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities

  • Marc Stevens
  • Arjen Lenstra
  • Benne de Weger
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4515)

Abstract

We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 2^50 calls to the MD5 compression function, for any two chosen message prefixes P and P′, suffixes S and S′ can be constructed such that the concatenated values P||S and P′||S′ collide under MD5. Although the practical attack potential of this construction of chosen-prefix collisions is limited, it is of greater concern than random collisions for MD5. To illustrate the practicality of our method, we constructed two MD5-based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing chosen-prefix collisions. More details than can be included here can be found on www.win.tue.nl/hashclash/ChosenPrefixCollisions/.


Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Marc Stevens (1)
  • Arjen Lenstra (2)
  • Benne de Weger (1)
  1. Faculty of Mathematics and Computer Science, TU Eindhoven, Eindhoven, The Netherlands
  2. EPFL IC LACAL, Station 14, and Bell Laboratories, Lausanne, Switzerland