Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities

We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 2^50 calls to the MD5 compression function, for any two chosen message prefixes P and P', suffixes S and S' can be constructed such that the concatenated values P||S and P'||S' collide under MD5. Although the practical attack potential of this construction of chosen-prefix collisions is limited, it is of greater concern than random collisions for MD5. To illustrate the practicality of our method, we constructed two MD5-based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing chosen-prefix collisions. More details than can be included here can be found on www.win.tue.nl/hashclash/ChosenPrefixCollisions/ .
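The following Python is an added illustration, not code from the paper or from the HashClash project. It models the shape of a chosen-prefix collision on a toy Merkle-Damgård hash with a 24-bit chaining value (a truncated MD5 standing in for the compression function; the constant `IV`, the block size and the helper names are this example's own choices). Because the state is so small, a plain birthday search on one suffix block already yields colliding chaining values for two arbitrary prefixes; against real MD5 that step alone would cost about 2^64, and it is the differential-path near-collision blocks of the paper that bring the cost to roughly 2^50. The example also shows why such a collision matters for certificates: once the chaining values agree and the two messages have equal length, any common trailing data T keeps the collision, so the differing prefixes can be followed by identical certificate fields and receive the same signature.

```python
import hashlib
import struct

BLOCK = 8            # bytes per message block in this toy construction
STATE_BYTES = 3      # 24-bit chaining value (real MD5 uses 128 bits)
IV = 0x123456        # arbitrary initial value chosen for this example


def compress(state: int, block: bytes) -> int:
    """Toy compression function: MD5(state || block) truncated to 24 bits.

    This is not MD5 and has no exploitable differential structure; it only
    reproduces the chaining shape so the birthday step can be demonstrated."""
    digest = hashlib.md5(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")


def pad(msg: bytes) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zero fill, then the 64-bit bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", len(msg) * 8)


def ihv_after(msg: bytes) -> int:
    """Intermediate hash value after absorbing a block-aligned, unpadded message."""
    assert len(msg) % BLOCK == 0
    state = IV
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> int:
    """Full toy hash: pad, then iterate the compression function from IV."""
    return ihv_after(pad(msg))


def chosen_prefix_collision(p1: bytes, p2: bytes, tries: int = 1 << 15):
    """Return suffixes (s1, s2) with toy_hash(p1 + s1) == toy_hash(p2 + s2).

    Step 1 pads both prefixes to a common block-aligned length (the paper's
    construction likewise equalises prefix lengths first); those zero bytes
    become the start of each suffix.  Step 2 is a birthday search over one
    extra block per side: roughly 2^(n/2) candidates each for an n-bit state,
    so 2^15 per side on a 24-bit state gives about 64 expected matches."""
    target = max(len(p1), len(p2))
    target += (-target) % BLOCK
    s1 = b"\x00" * (target - len(p1))
    s2 = b"\x00" * (target - len(p2))
    ihv1 = ihv_after(p1 + s1)
    ihv2 = ihv_after(p2 + s2)

    table = {}
    for i in range(tries):
        block = struct.pack(">Q", i)
        table[compress(ihv1, block)] = block
    for j in range(tries):
        block2 = struct.pack(">Q", j | (1 << 63))   # disjoint from side 1's blocks
        ihv = compress(ihv2, block2)
        if ihv in table:
            return s1 + table[ihv], s2 + block2
    raise RuntimeError("no collision found; increase tries")


if __name__ == "__main__":
    # Constructed sample prefixes standing in for two different DN fields.
    alice = b"CN=Alice, O=Example Ltd"
    mallory = b"CN=Mallory, O=Evil Corp"
    s_a, s_m = chosen_prefix_collision(alice, mallory)
    common = b"; validity=2007; pubkey=<same trailing bytes>"
    print("prefix hashes  :", hex(toy_hash(alice)), hex(toy_hash(mallory)))
    print("collision      :", hex(toy_hash(alice + s_a)), hex(toy_hash(mallory + s_m)))
    print("with suffix T  :", hex(toy_hash(alice + s_a + common)),
          hex(toy_hash(mallory + s_m + common)))
```

The two suffixes differ in their last block, the full messages have equal length, and the chaining values coincide before the padding block, so both the collision and its extension by a shared tail hold for every T. The only reason this is cheap here is the 24-bit state; the example says nothing about the cost of the real attack beyond the structure it shares with it.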
