60 research outputs found
A Meaningful MD5 Hash Collision Attack
Wang et al. have shown that MD5 is no longer collision-resistant: they presented an attack that produces two different messages with the same MD5 digest. Many conditions must be satisfied to obtain such a collision. Vlastimil Klima later proposed a more efficient and faster technique for carrying out the attack. We use these techniques first to produce a collision, and then to turn it into a meaningful collision: two different packages with identical MD5 hashes which, when extracted, yield different files whose contents are chosen by the attacker
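The "meaningful collision" described above relies on a property of MD5's Merkle-Damgård construction: once two equal-length messages collide, any common suffix appended to both keeps the collision. The following is an added example, not code from the paper, that shows the mechanism with the published Wang et al. two-block collision pair. The package layout (selector block, then both payloads) and the extractor are this example's own constructions, not the paper's format; the payload strings are constructed sample data.

```python
"""Added example: an identical-prefix MD5 collision turned into two packages
that hash the same under MD5 but extract to different content."""
import hashlib

# Published 128-byte colliding message pair (Wang et al., 2004). The two
# messages differ in six bytes yet share MD5 79054025255fb1a26e4bc422aef54eb4.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_package(selector_block: bytes, benign: bytes, malicious: bytes) -> bytes:
    """Constructed layout: [128-byte selector][len(benign)][benign][malicious].
    BOTH payloads travel in BOTH packages; only the selector block differs.
    The selector blocks have equal length and end on a 64-byte boundary, so
    MD5's internal state is identical after either one and the shared suffix
    cannot break the collision."""
    suffix = len(benign).to_bytes(4, "big") + benign + malicious
    return selector_block + suffix


def extract(package: bytes) -> bytes:
    """Extractor shared by both packages: the selector decides which embedded
    file is produced (the classic 'good/evil' trick; the extractor itself is
    part of the common suffix and carries a copy of one block to compare)."""
    selector, rest = package[:128], package[128:]
    n = int.from_bytes(rest[:4], "big")
    benign, malicious = rest[4:4 + n], rest[4 + n:]
    return benign if selector == BLOCK_A else malicious


def demo() -> dict:
    good = b"README: nothing to see here\n"
    evil = b"#!/bin/sh\necho attacker-chosen payload\n"   # constructed, never run
    pkg_a = build_package(BLOCK_A, good, evil)
    pkg_b = build_package(BLOCK_B, good, evil)
    return {
        "same_md5": md5(pkg_a) == md5(pkg_b),
        "same_bytes": pkg_a == pkg_b,
        # Practitioner check: a second, unbroken hash exposes the swap.
        "same_sha256": hashlib.sha256(pkg_a).digest() == hashlib.sha256(pkg_b).digest(),
        "extract_a": extract(pkg_a),
        "extract_b": extract(pkg_b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The check worth taking away is the last one: any integrity scheme that compares only an MD5 digest accepts both packages, while SHA-256 (or simply a byte-for-byte comparison) separates them immediately.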
Tunnels in Hash Functions: MD5 Collisions Within a Minute
In this paper we introduce a new idea, tunneling of hash functions. In some sense tunnels replace multi-message modification methods and exponentially accelerate collision search. We describe several tunnels in the hash function MD5. Using them we find an MD5 collision in roughly one minute on a standard notebook PC (Intel Pentium, 1.6 GHz). The method works for any initial value. Tunneling is a general idea that can be used for finding collisions in other hash functions, such as SHA-1 and SHA-2. We show several capabilities of tunnels. A program whose source code is available on the project homepage experimentally verifies the method.
The revised version of this paper contains an appendix describing more tunnels. These tunnels further decrease the average time to find an MD5 collision to 31 seconds; on a PC with an Intel Pentium 4 (3.2 GHz) it is 17 seconds on average
Cryptanalysis of MD5 (Криптоанализ MD5)
This article reviews current methods of cryptanalysis of the MD5 hash function aimed at recovering passwords and forging digital signatures on documents. Conclusions are drawn regarding the prospects for cryptanalysis at the current technical level, and recommendations are given for the further use of MD5 in light of the vulnerabilities found
Seeing Is Not Always Believing: Invisible Collision Attack and Defence on Pre-Trained Models
Large-scale pre-trained models (PTMs) such as BERT and GPT have achieved great success in diverse fields. The typical paradigm is to pre-train a big deep learning model on large-scale data sets and then fine-tune it on small task-specific data sets for downstream tasks. Although PTMs have progressed rapidly and are widely used in real-world applications, they also pose significant risks of attack. Existing backdoor attacks and data poisoning methods often rest on the assumption that the attacker has compromised the victims' computers or can access the target data, which is hard to achieve in practice. In this paper we propose a novel framework for an invisible attack on PTMs based on an enhanced MD5 collision. The key idea is to generate two equal-size models with the same MD5 checksum by leveraging an MD5 chosen-prefix collision. The two "same" models are then deployed on public websites to induce victims to download the poisoned one. Unlike conventional attacks on deep learning models, this attack is flexible, covert, and model-independent. Additionally, we propose a simple defensive strategy for recognizing MD5 chosen-prefix collisions and provide a theoretical justification for its feasibility. We extensively validate the effectiveness and stealthiness of the proposed attack and defence on different models and data sets
Reverse-Engineering of the Cryptanalytic Attack Used in the Flame Super-Malware
In May 2012, a highly advanced malware for espionage dubbed Flame was found targeting the Middle-East. As it turned out, it used a forged signature to infect Windows machines by MITM-ing Windows Update. Using counter-cryptanalysis, Stevens found that the forged signature was made possible by a chosen-prefix attack on MD5 \cite{DBLP:conf/crypto/Stevens13}. He uncovered some details that prove that this attack differs from collision attacks in the public literature, yet many questions about techniques and complexity remained unanswered.
In this paper, we demonstrate that significantly more information can be deduced from the example collision. Namely, that these details are actually sufficient to reconstruct the collision attack to a great extent using some weak logical assumptions. In particular, we contribute an analysis of the differential path family for each of the four near-collision blocks, the chaining value differences elimination procedure and a complexity analysis of the near-collision block attacks and the associated birthday search for various parameter choices. Furthermore, we were able to prove a lower-bound for the attack's complexity.
This reverse-engineering of a non-academic cryptanalytic attack exploited in the real world seems to be without precedent. As it allegedly was developed by some nation-state(s), we discuss potential insights to their cryptanalytic knowledge and capabilities
Chosen-Prefix Collisions for MD5 and Applications
We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of \emph{chosen-prefix collisions}. We have shown how, at an approximate expected cost of calls to the MD5 compression function, for any two chosen message prefixes and , suffixes and can be constructed such that the concatenated values and collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates, one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf.\ \url{http://www.win.tue.nl/hashclash/rogue-ca/}). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on \url{http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/}
A New Collision Differential For MD5 With Its Full Differential Path
Since Wang et al. presented the first collision differential for MD5 with its full differential path in 2004, interest in collision attacks on the MD family of hash functions has surged across the cryptologic community. To date, however, no cryptanalyst has given a second computationally feasible collision differential for MD5 with its full differential path, and not even improved differential paths based on Wang's MD5 collision differential have appeared in the literature. This paper first defines a new kind of differential cryptanalysis, the signed difference, proposes principles and recipes for finding collision differentials and designing differential paths, and derives the signed-difference generation and elimination rules that are implicit in the auxiliary functions. Based on these newly found properties and rules, it then presents a new computationally feasible collision differential for MD5 with its full differential path, which is simpler and therefore easier to understand than Wang's, and derives from that path a set of sufficient conditions, accounting for carries, that guarantees a full collision. Finally, a fast collision-search algorithm based on multi-message modification is specialized to the full differential path, giving a computational complexity of 2^36 and 2^32 MD5 operations for the first and second blocks, respectively. As examples, two collision message pairs with different first blocks are given
Massively parallel computation for RFID tag identification (Computação massivamente paralela para identificação de marcadores RFID)
Master's dissertation in Computer and Telematics Engineering. In recent years, identification systems based on RFID tags have evolved considerably, often without due attention to their privacy component. This dissertation explores a tag-identification paradigm intended to close that gap: a hard-to-invert function, either a cryptographic primitive or a hash function, is used on the tag to derive a pseudo-random identifier from its real identifier together with a set of random nonces generated by the tag and by the reader. The price is that the reader must search through all assigned identifiers, which for performance reasons is done in a massively parallel way. In this way an illegitimate entity without access to the database of all assigned identifiers cannot track the objects or people associated with a tag, nor relate two activation sessions of the same tag
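The scheme above trades reader-side work for tag unlinkability: because the pseudo-identifier is a one-way function of the real identifier and fresh nonces, the reader has no inverse and must re-derive the value for every assigned identifier. The following is an added example illustrating that trade-off; it is not the dissertation's code. SHA-256 as the one-way function, 96-bit identifiers, 64-bit nonces, a thread pool as the "parallel" search, and the constructed identifier database are all assumptions of this example.

```python
"""Added example: hash-based pseudo-random RFID identifier and the exhaustive,
parallel search the reader must perform to map it back to a real identifier."""
import hashlib
import os
import random
from concurrent.futures import ThreadPoolExecutor

ID_LEN, NONCE_LEN = 12, 8   # assumed sizes: 96-bit tag id, 64-bit nonces


def pseudo_id(real_id: bytes, n_tag: bytes, n_reader: bytes) -> bytes:
    """What the tag emits: H(id || n_tag || n_reader). Without the id, the
    value is unlinkable across sessions because n_tag changes every time."""
    return hashlib.sha256(real_id + n_tag + n_reader).digest()


def tag_respond(real_id: bytes, n_reader: bytes):
    """Tag side of one activation session: fresh nonce plus pseudo-id."""
    n_tag = os.urandom(NONCE_LEN)
    return n_tag, pseudo_id(real_id, n_tag, n_reader)


def _search_chunk(chunk, n_tag, n_reader, target):
    for rid in chunk:
        if pseudo_id(rid, n_tag, n_reader) == target:
            return rid
    return None


def identify(database, n_tag, n_reader, target, workers=4):
    """Reader side: no inverse exists, so every assigned identifier is
    re-hashed with the session nonces and compared. The identifier list is
    split into chunks searched concurrently; the first hit wins."""
    if not database:
        return None
    step = max(1, (len(database) + workers - 1) // workers)
    chunks = [database[i:i + step] for i in range(0, len(database), step)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda c: _search_chunk(c, n_tag, n_reader, target), chunks)
        for hit in results:
            if hit is not None:
                return hit
    return None


def demo(n_tags=20000, seed=7) -> dict:
    # Constructed database of assigned identifiers (deterministic for the demo).
    rng = random.Random(seed)
    database = [rng.getrandbits(8 * ID_LEN).to_bytes(ID_LEN, "big") for _ in range(n_tags)]
    real_id = database[n_tags // 3]

    # Session 1: reader challenges, tag answers, reader searches.
    n_reader = os.urandom(NONCE_LEN)
    n_tag, pid = tag_respond(real_id, n_reader)
    found = identify(database, n_tag, n_reader, pid)

    # Session 2 with the same tag: different nonces give a different pseudo-id,
    # so an eavesdropper without the database cannot link the two sessions.
    n_tag2, pid2 = tag_respond(real_id, os.urandom(NONCE_LEN))
    return {"found": found == real_id, "linkable": pid == pid2, "db_size": len(database)}


if __name__ == "__main__":
    print(demo())
```

The cost model is visible in `identify`: the expected work per read is proportional to the number of assigned identifiers, which is exactly why the dissertation turns to massively parallel hardware. Anyone holding the database can do this search; anyone without it sees only unrelated 256-bit values from session to session.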