Abstract
We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 250 calls to the MD5 compression function, for any two chosen message prefixes P and P′, suffixes S and S′ can be constructed such that the concatenated values P||S and P′||S′ collide under MD5. Although the practical attack potential of this construction of chosen-prefix collisions is limited, it is of greater concern than random collisions for MD5. To illustrate the practicality of our method, we constructed two MD5 based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing chosen-prefix collisions. More details than can be included here can be found on www.win.tue.nl/hashclash/ChosenPrefixCollisions/ .
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
de Cannière, C., Rechberger, C.: Finding SHA-1 Characteristics: General results and applications. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 1–20. Springer, Heidelberg (2006)
Daum, M., Lucks, S.: Attacking Hash Functions by Poisoned Messages, ”The Story of Alice and her Boss” (June 2005), http://www.cits.rub.de/MD5Collisions/
Gauravaram, P., McCullagh, A., Dawson, E.: Collision Attacks on MD5 and SHA-1: Is this the “Sword of Damocles” for Electronic Commerce? AusSCERT 2006 R&D Stream (May 2006), http://www.isi.qut.edu.au/people/subramap/AusCert-6.pdf
Gebhardt, M., Illies, G., Schindler, W.: A Note on Practical Value of Single Hash Collisions for Special File Formats. In: NIST First Cryptographic Hash Workshop (October/November 2005), csrc.nist.gov/pki/HashWorkshop/2005/Oct31%5FPresentations/Illies%5FNIST%5F05.pdf
Housley, R., Polk, W., Ford, W., Solo, D.: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF RFC 3280 (April 2002), http://www.ietf.org/rfc/rfc3280.txt
Hawkes, P., Paddon, M., Rose, G.G.: Musings on the Wang et al. MD5 Collision. Cryptology ePrint Archive, Report 2004/264 (2004), http://eprint.iacr.org/2004/264
Hoffman, P., Schneier, B.: Attacks on Cryptographic Hashes in Internet Protocols. IETF RFC 4270 (November 2005), http://www.ietf.org/rfc/rfc4270.txt
Kaminsky, D.: MD5 to be considered harmful someday (December 2004), http://www.doxpara.com/md5
Klima, V.: Tunnels in Hash Functions: MD5 Collisions Within a Minute. Cryptology ePrint Archive, Report 2006/105 (2006), http://eprint.iacr.org/2006/105
Lenstra, A.K., Wang, X., de Weger, B.M.M.: Colliding X.509 certificates. Cryptology ePrint Archive, Report 2005/067 (2005), http://eprint.iacr.org/2005/067 ; An updated version has been published as an appendix to: Lenstra, A.K., de Weger, B.M.M.: On the possibility of constructing meaningful hash collisions for public keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 267–279. Springer, Heidelberg (2005)
Lenstra, A.K., de Weger, B.M.M.: On the possibility of constructing meaningful hash collisions for public keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 267–279. Springer, Heidelberg (2005)
Mikle, O.: Practical Attacks on Digital Signatures Using MD5 Message Digest. Cryptology ePrint Archive, Report 2004/356 (2004), http://eprint.iacr.org/2004/356
van Oorschot, P.C., Wiener, M.J.: Parallel collision search with cryptanalytic applications. Journal of Cryptology 12(1), 1–28 (1999)
Stevens, M., Lenstraand, A., de Weger, B.: Target Collisions for MD5 and Colliding X.509 Certificates for Different Identities. Cryptology ePrint Archive, Report 2006/360 (2006), http://eprint.iacr.org/2006/360
Stevens, M.: Fast Collision Attack on MD5. Cryptology ePrint Archive, Report 2006/104 (2006), http://eprint.iacr.org/2006/104
Stevens, M.: TU Eindhoven MSc thesis, in preparation. See http://www.win.tue.nl/hashclash/
Wang, X., Yu, H.: How to Break MD5 and Other Hash Functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stevens, M., Lenstra, A., de Weger, B. (2007). Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities. In: Naor, M. (eds) Advances in Cryptology - EUROCRYPT 2007. EUROCRYPT 2007. Lecture Notes in Computer Science, vol 4515. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-72540-4_1
Download citation
DOI: https://doi.org/10.1007/978-3-540-72540-4_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-72539-8
Online ISBN: 978-3-540-72540-4
eBook Packages: Computer ScienceComputer Science (R0)