A Meaningful MD5 Hash Collision Attack

It is now proved by Wang et al., that MD5 hash is no more secure, after they proposed an attack that would generate two different messages that gives the same MD5 sum. Many conditions need to be satisfied to attain this collision. Vlastimil Klima then proposed a more efficient and faster technique to implement this attack. We use these techniques to first create a collision attack and then use these collisions to implement meaningful collisions by creating two different packages that give identical MD5 hash, but when extracted, each gives out different files with contents specified by the atacker

Tunnels in Hash Functions: MD5 Collisions Within a Minute

In this paper we introduce a new idea of tunneling of hash functions. In some sense tunnels replace multi-message modification methods and exponentially accelerate collision search. We describe several tunnels in hash function MD5. Using it we find a MD5 collision roughly in one minute on a standard notebook PC (Intel Pentium, 1.6 GHz). The method works for any initializing value. Tunneling is a general idea, which can be used for finding collisions of other hash functions, such as SHA-1, 2. We show several capabilities of tunnels. A program, which source code is available on a project homepage, experimentally verified the method. Revised version of this paper contains the appendix with the description of more tunnels. These tunnels further decrease the average time of MD5 collision to 31 seconds. On PC Intel Pentium 4 (3,2 GHz) it is 17 seconds in average

Криптоанализ MD5

В статті розглядаються сучасні методи кріптоаналізу хеш-функції MD5 з метою розкриття паролю та підробки цифрового підпису документу. Зроблені висновки відповідно до перспектив кріптоаналізу на сучасному технічному рівні та наведені рекомендації до подальшого використання MD5 з урахуванням знайдених вразливостей.In present article were overviewed methods of MD hash-function cryptanalysis for document digital signature falsification and password disclosing purposes. Conclusions regarding cryptanalysis aspects on modern technical level are given. Adducted recommendations for further MD using with taking in consideration of found weaknesses are given

Seeing Is Not Always Believing: Invisible Collision Attack and Defence on Pre-Trained Models

Large-scale pre-trained models (PTMs) such as BERT and GPT have achieved great success in diverse fields. The typical paradigm is to pre-train a big deep learning model on large-scale data sets, and then fine-tune the model on small task-specific data sets for downstream tasks. Although PTMs have rapidly progressed with wide real-world applications, they also pose significant risks of potential attacks. Existing backdoor attacks or data poisoning methods often build up the assumption that the attacker invades the computers of victims or accesses the target data, which is challenging in real-world scenarios. In this paper, we propose a novel framework for an invisible attack on PTMs with enhanced MD5 collision. The key idea is to generate two equal-size models with the same MD5 checksum by leveraging the MD5 chosen-prefix collision. Afterwards, the two ``same" models will be deployed on public websites to induce victims to download the poisoned model. Unlike conventional attacks on deep learning models, this new attack is flexible, covert, and model-independent. Additionally, we propose a simple defensive strategy for recognizing the MD5 chosen-prefix collision and provide a theoretical justification for its feasibility. We extensively validate the effectiveness and stealthiness of our proposed attack and defensive method on different models and data sets

Reverse-Engineering of the Cryptanalytic Attack Used in the Flame Super-Malware

In May 2012, a highly advanced malware for espionage dubbed Flame was found targeting the Middle-East. As it turned out, it used a forged signature to infect Windows machines by MITM-ing Windows Update. Using counter-cryptanalysis, Stevens found that the forged signature was made possible by a chosen-prefix attack on MD5 \cite{DBLP:conf/crypto/Stevens13}. He uncovered some details that prove that this attack differs from collision attacks in the public literature, yet many questions about techniques and complexity remained unanswered. In this paper, we demonstrate that significantly more information can be deduced from the example collision. Namely, that these details are actually sufficient to reconstruct the collision attack to a great extent using some weak logical assumptions. In particular, we contribute an analysis of the differential path family for each of the four near-collision blocks, the chaining value differences elimination procedure and a complexity analysis of the near-collision block attacks and the associated birthday search for various parameter choices. Furthermore, we were able to prove a lower-bound for the attack's complexity. This reverse-engineering of a non-academic cryptanalytic attack exploited in the real world seems to be without precedent. As it allegedly was developed by some nation-state(s), we discuss potential insights to their cryptanalytic knowledge and capabilities

Reverse-Engineering of the Cryptanalytic Attack Used in the Flame Super-Malware

In May 2012, a highly advanced malware for espionage dubbed Flame was found targeting the Middle-East. As it turned out, it used a forged signature to infect Windows machines by MITM-ing Windows Update. Using counter-cryptanalysis, Stevens found that the forged signature was made possible by a chosen-prefix attack on MD5 \cite{DBLP:conf/crypto/Stevens13}. He uncovered some details that prove that this attack differs from collision attacks in the public literature, yet many questions about techniques and complexity remained unanswered. In this paper, we demonstrate that significantly more information can be deduced from the example collision. Namely, that these details are actually sufficient to reconstruct the collision attack to a great extent using some weak logical assumptions. In particular, we contribute an analysis of the differential path family for each of the four near-collision blocks, the chaining value differences elimination procedure and a complexity analysis of the near-collision block attacks and the associated birthday search for various parameter choices. Furthermore, we were able to prove a lower-bound for the attack's complexity. This reverse-engineering of a non-academic cryptanalytic attack exploited in the real world seems to be without precedent. As it allegedly was developed by some nation-state(s) \cite{WashingtonPost_Flame,kaspersky_flame,crysis_flame}, we discuss potential insights to their cryptanalytic knowledge and capabilities

Chosen-Prefix Collisions for MD5 and Applications

We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of \emph{chosen-prefix collisions}. We have shown how, at an approximate expected cost of $2^{39}$ calls to the MD5 compression function, for any two chosen message prefixes $P$ and $P'$, suffixes $S$ and $S'$ can be constructed such that the concatenated values $P\|S$ and $P'\|S'$ collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf.\ \url{http://www.win.tue.nl/hashclash/rogue-ca/}). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on \url{http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/}

A New Collision Differential For MD5 With Its Full Differential Path

Since the first collision differential with its full differential path was presented for MD5 function by Wang et al. in 2004, renewed interests on collision attacks for the MD family of hash functions have surged over the world of cryptology. To date, however, no cryptanalyst can give a second computationally feasible collision differential for MD5 with its full differential path, even no improved differential paths based on Wangs MD5 collision differential have appeared in literature. Firstly in this paper, a new differential cryptanalysis called signed difference is defined, and some principles or recipes on finding collision differentials and designing differential paths are proposed, the signed difference generation or elimination rules which are implicit in the auxiliary functions, are derived. Then, based on these newly found properties and rules, this paper comes up with a new computationally feasible collision differential for MD5 with its full differential path, which is simpler thus more understandable than Wangs, and a set of sufficient conditions considering carries that guarantees a full collision is derived from the full differential path. Finally, a multi-message modification-based fast collision attack algorithm for searching collision messages is specialized for the full differential path, resulting in a computational complexity of 2 to the power of 36 and 2 to the power of 32 MD5 operations, respectively for the first and second blocks. As for examples, two collision message pairs with different first blocks are obtained

Computação massivamente paralela para identificação de marcadores RFID

Mestrado em Engenharia de Computadores e TelemáticaNos dias que correm, tem-se assistido a uma grande evolução dos sistemas de identificação através de marcadores RFID, frequentemente sem se dar a devida importância à componente de privacidade nos mesmos. A presente dissertação pretende explorar um paradigma de identificação de marcadores com o intuito de colmatar esta lacuna, recorrendo à utilização de uma função dificilmente invertível, criptográfica ou de síntese, para a geração no marcador de um identificador pseudo-aleatório a partir do identificador real do mesmo, bem como de um conjunto de números aleatórios gerados pelo marcador e pelo leitor. Contudo, torna-se necessária uma pesquisa ao longo de todos os identificadores atribuídos, que por questões de desempenho é realizado de uma forma massivamente paralela. Desta forma, impede-se o seguimento de objectos ou pessoas associados ao marcador por entidades Ilegítimas, que não tenham acesso a uma base de dados de todos os identificadores atribuídos.In recent years, there has been a large evolution of identification systems through the use of RFID tags, often with some disregard for privacy concerns. In this dissertation a paradigm will be explored focusing on the use of a well known cryptographic standard or hashing function to generate a pseudo-random identifier from the real identifier as well as a set of random nonces from the tag and reader. However, a search is required along the set of assigned identifiers, which for the sake of performance shall be done resorting to a massively parallel approach. This way, it becomes unfeasible for an illegitimate reader to relate two activation sessions of the same tag without access to the database of all the assigned identifiers