Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 249 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 216 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

[1]  Arjen K. Lenstra,et al.  Predicting the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 , 2007 .

[2]  Vlastimil Klíma,et al.  Finding MD5 Collisions on a Notebook PC Using Multi-message Modifications , 2005, IACR Cryptol. ePrint Arch..

[3]  Tao Xie,et al.  Could The 1-MSB Input Difference Be The Fastest Collision Attack For MD5 ? , 2008, IACR Cryptol. ePrint Arch..

[4]  Marc Stevens On Collisions for MD5 , 2007 .

[5]  Hans Dobbertin Cryptanalysis of MD4 , 1996, FSE.

[6]  Xiaoyun Wang,et al.  Finding Collisions in the Full SHA-1 , 2005, CRYPTO.

[7]  Vlastimil Klíma,et al.  Tunnels in Hash Functions: MD5 Collisions Within a Minute , 2006, IACR Cryptol. ePrint Arch..

[8]  Xiaoyun Wang,et al.  Efficient Collision Search Attacks on SHA-0 , 2005, CRYPTO.

[9]  Hans Dobbertin Cryptanalysis of MD5 Compress , 1996 .

[10]  Vincent Rijmen,et al.  Update on SHA-1 , 2005, CT-RSA.

[11]  Marc Stevens,et al.  Fast Collision Attack on MD5 , 2006, IACR Cryptol. ePrint Arch..

[12]  Xiaoyun Wang,et al.  How to Break MD5 and Other Hash Functions , 2005, EUROCRYPT.

[13]  Antoon Bosselaers,et al.  Collisions for the Compressin Function of MD5 , 1994, EUROCRYPT.

[14]  Dengguo Feng,et al.  Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD , 2004, IACR Cryptol. ePrint Arch..

[15]  Marc Stevens,et al.  Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities , 2007, EUROCRYPT.

[16]  Hugo Krawczyk,et al.  Strengthening Digital Signatures Via Randomized Hashing , 2006, CRYPTO.