Reverse-Engineering of the Cryptanalytic Attack Used in the Flame Super-Malware

  • Max Fillinger
  • Marc Stevens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9453)


In May 2012, a highly advanced malware for espionage dubbed Flame was found targeting the Middle-East. As it turned out, it used a forged signature to infect Windows machines by MITM-ing Windows Update. Using counter-cryptanalysis, Stevens found that the forged signature was made possible by a chosen-prefix attack on MD5 [25]. He uncovered some details that prove that this attack differs from collision attacks in the public literature, yet many questions about techniques and complexity remained unanswered.

In this paper, we demonstrate that significantly more information can be deduced from the example collision. Namely, that these details are actually sufficient to reconstruct the collision attack to a great extent using some weak logical assumptions. In particular, we contribute an analysis of the differential path family for each of the four near-collision blocks, the chaining value differences elimination procedure and a complexity analysis of the near-collision block attacks and the associated birthday search for various parameter choices. Furthermore, we were able to prove a lower-bound for the attack’s complexity.

This reverse-engineering of a non-academic cryptanalytic attack exploited in the real world seems to be without precedent. As it allegedly was developed by some nation-state(s) [11, 12, 19], we discuss potential insights to their cryptanalytic knowledge and capabilities.


MD5 Hash function Cryptanalysis Reverse engineering Signature forgery 

Supplementary material


  1. 1.
    Biham, E., Shamir, A.: Differential Cryptanalysis of the Data Encryption Standard. Springer-Verlag, London (1993)zbMATHCrossRefGoogle Scholar
  2. 2.
    den Boer, B., Bosselaers, A.: Collisions for the compression function of MD-5. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 293–304. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  3. 3.
    Brassard, G. (ed.): CRYPTO 1989. LNCS, vol. 435. Springer, Heidelberg (1990) zbMATHGoogle Scholar
  4. 4.
    De Cannière, C., Rechberger, C.: Finding SHA-1 characteristics: general results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  5. 5.
    Damgård, I.: A design principle for hash functions. In: Brassard [3], pp. 416–427Google Scholar
  6. 6.
    Dobbertin, H.: The Status of MD5 After a Recent Attack. RSA CryptoBytes, 2(2) (1996)Google Scholar
  7. 7.
    Hawkes, P., Paddon, M., Rose, G.G.: Musings on the Wang et al. MD5 Collision. Cryptology ePrint Archive, Report 2004/264 (2004)Google Scholar
  8. 8.
    Hashclash project webpage.
  9. 9.
    Klima, V.: Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications. Cryptology ePrint Archive, Report 2005/102 (2005)Google Scholar
  10. 10.
    Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006)Google Scholar
  11. 11.
    CrySyS Lab: sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Laboratory of Cryptography and System Security, Budapest University of Technology and Economics, 31 May 2012Google Scholar
  12. 12.
    Kaspersky Lab: The Flame: Questions and Answers. Securelist blog, 28 May 2012Google Scholar
  13. 13.
    Liang, J., Lai, X.: Improved Collision Attack on Hash Function MD5. Cryptology ePrint Archive, Report 2005/425 (2005)Google Scholar
  14. 14.
    Mendel, F., Rechberger, C., Schläffer, M.: MD5 is weaker than weak: attacks on concatenated combiners. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 144–161. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  15. 15.
    Merkle, R.C.: One Way Hash Functions and DES. In: Brassard [3], pp. 428–446Google Scholar
  16. 16.
    Microsoft: Flame malware collision attack explained. Security Research and Defense, Microsoft TechNet Blog, 6 June 2012Google Scholar
  17. 17.
    Microsoft: Microsoft certification authority signing certificates added to the Untrusted Certificate Store. Security Research and Defense, Microsoft TechNet Blog, 3 June 2012Google Scholar
  18. 18.
    van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. J. Cryptol. 12(1), 1–28 (1999)zbMATHCrossRefGoogle Scholar
  19. 19.
    Nakashima, E., Miller, G., Tate, J.: U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say. The Washington Post, June 2012Google Scholar
  20. 20.
    Ray, M.: Flame’s Windows Update Certificate Chain. Randombit Cryptography Mailing List, June 2012.
  21. 21.
    Rivest, R.L.: The MD5 Message-Digest Algorithm. Internet Request for Comments, RFC 1321, April 1992Google Scholar
  22. 22.
    Sasaki, Y., Naito, Y., Kunihiro, N., Ohta, K.: Improved Collision Attack on MD5. Cryptology ePrint Archive, Report 2005/400 (2005)Google Scholar
  23. 23.
    Sotirov, A.: Analyzing the MD5 collision in Flame, June 2012Google Scholar
  24. 24.
    Stevens, M.: Fast Collision Attack on MD5. Cryptology ePrint Archive, Report 2006/104 (2006)Google Scholar
  25. 25.
    Stevens, M.: Counter-cryptanalysis. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 129–146. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  26. 26.
    Stevens, M., Lenstra, A.K., de Weger, B.: Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 1–22. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  27. 27.
    Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  28. 28.
    Wang, X., Feng, D., Lai, X., Yu, H.: Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199 (2004)Google Scholar
  29. 29.
    Wang, X., Yu, H.: How to break MD5 and other Hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  30. 30.
    Xie, T., Feng, D.: How To Find Weak Input Differences for MD5 Collision Attacks. Cryptology ePrint Archive, Report 2009/223 (2009)Google Scholar
  31. 31.
    Yajima, J., Shimoyama, T.: Wang’s sufficient conditions of MD5 are not sufficient. Cryptology ePrint Archive, Report 2005/263 (2005)Google Scholar

Copyright information

© International Association for Cryptologc Research 2015

Authors and Affiliations

  1. 1.CWIAmsterdamThe Netherlands

Personalised recommendations