1

Message Authentication using Message Digests and the MD5 Algorithm

Message authentication is important where undetected manipulation of messages can have

disastrous effects.

2

Message authentication is important where undetected manipulation of messages can have disastrous effects.

Examples include Internet Commerce and Network Management.

Why Message Authentication?

3

Message Authentication Using Plain Encryption

4

Use of Encryption for MAC

5

Message Authentication with Hash Functions using Conventional Encryption

6

Message Authentication with Hash Functions using Public Key Encryption

7

A hash function H is a transformation that takes an input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)).

Hash functions with just this property have a variety of general computational uses, but when employed in cryptography, the hash functions are usually chosen to have some additional properties.

What is a hash function?

8

The basic requirements for a cryptographic hash function are as follows.◦ The input can be of any length.◦ The output has a fixed length.◦ H(x) is relatively easy to compute for any given x.◦ H(x) is one-way.◦ H(x) is collision-free.

Requirements for Cryptographic Hash Functions

9

A hash function H is said to be one-way if it is hard to invert, where ``hard to invert'' means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h.

H(x) is one-way ...

10

The hash value represents concisely the longer message or document from which it was computed; this value is called the message digest.

One can think of a message digest as a ``digital fingerprint'' of the larger document.

Examples of well known hash functions are MD2 and MD5 and SHA

Hash Functions as Message Digests

11

Damgard and Merkle greatly influenced cryptographic hash function design by defining a hash function in terms of what is called a compression function.

A compression function takes a fixed-length input and returns a shorter, fixed-length output.

Given a compression function, a hash function can be defined by repeated applications of the compression function until the entire message has been processed.

Compression Function

12

In this process, a message of arbitrary length is broken into blocks whose length depends on the compression function, and “padded” (for security reasons) so the size of the message is a multiple of the block size. The blocks are then processed sequentially, taking as input the result of the hash so far and the current message block, with the final output being the hash value for the message.

Compression Function

13

The following five steps are performed to compute the message digest of the message.

Step 1. Append Padding Bits Step 2. Append Length Step 3. Initialize MD Buffer Step 4. Process Message in 16-Word Blocks Step 5. Output

MD5 Steps

14

The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512.

Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.

Step 1. Append Padding Bits

15

A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the low-order 64 bits of b are used. (These bits are appended as two 32-bit words and appended low-order word first in accordance with the previous conventions.)

Step 2. Append Length

16

A four-word buffer (A,B,C,D) is used to compute the message digest.

Here each of A, B, C, D is a 32-bit register.

These registers are initialized to the following values in hexadecimal, low-order bytes first):

Step 3. Initialize MD Buffer

17

Step 4. Process Message in 16-Word Blocks (4 Rounds)

18

Step 4. Continued (4 Rounds)

19

Step 4. Round 1 and 2

20

Step 4. Round 3 and 4

21

Step 4. Continued

22

Step 4. Continued

23

The MD5 Boolean Functions

The functions G, H, and I are similar to the function F, in that they act in "bitwise parallel" to produce their output from the bits of X, Y, and Z, in such a manner that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that the function H is the bit-wise "xor" or "parity" function of its inputs.

24

Table T, constructed from the sine function

This step uses a 64-element table T[1 ... 64] constructed from the sine function. Let T[i] denote the i-th element of the table, which is equal to the integer part of 4294967296 times abs(sin(i)), where i is in radians. The elements of the table are given in the following slide.

25

Table T, constructed from the sine function

26

The message digest produced as output is A, B, C, D.

That is, we begin with the low-order byte of A, and end with the high-order byte of D.

Step 5. Output

27

MD4 SHA-1 RIPEMD-160

Other Message Digest Algorithms

28

A Comparison of MD5, SHA-1, and RIPEMD-160

29

Relative Performance of Several Hash Functions (coded in C++ on a 266 MHz Pentium)

MD5 Collisions in 2004 2004: First MD5 collision attack

◦ Only difference between messages in random looking 128 collision bytes

◦ Currently < 1 second on PC

MD5( ) = MD5( )

MD5 Collisions in 2004

Attack scenarios◦ Generate specific collision blocks◦ Use document format IF…THEN…ELSE◦ Both payloads present in both files◦ Colliding PostScript files with different contents◦ Similar examples with other formats: DOC, PDF◦ Colliding executables with different execution

flows

MD5 Collisions in 2007 2007: Stronger collision attack

◦ Chosen-Prefix Collisions◦ Messages can differ freely

up to the random looking 716 collision bytes◦ Currently approx. 1 day on PS3+PC

MD5( ) = MD5( )

MD5 Collisions in 2007 Second generation attack scenarios

◦ Using chosen-prefix collisions◦ No IF…THEN…ELSE necessary

Each file contains single payload instead of both Collision blocks not actively used in format

◦ Colliding executables Malicious payload cannot be scanned

in harmless executable

◦ Colliding documents (PDF, DOC, …) Collision blocks put inside hidden raw image data

History of colliding certificatesCertificates with colliding to-be-signed parts

◦ generate a pair of certificates◦ sign the legitimate certificate◦ copy the signature into the rogue cert

Previous work◦ Different RSA public keys in 2005

using 2004 collision attack◦ Different identities in 2006

using chosen-prefix collisions the theory is well known since 2007

Colliding certificates in 2006

serial number

validity period

real certdomain name

real certRSA key

X.509 extensions

signature

identical bytes(copied from real cert)

collision bits(computed)

chosen prefix(difference)

serial number

validity period

rogue certdomain name

real certRSA key

X.509 extensions

signature

set bythe CA

Vulnerable CAs in 2008◦ We collected 30,000 website certificates

9,000 of them were signed with MD5 97% of those were issued by RapidSSL

◦ CAs still using MD5 in 2008: RapidSSL FreeSSL TrustCenter RSA Data Security Thawte verisign.co.jp

Predicting the validity period

◦ RapidSSL uses a fully automated system◦ The certificate is issued exactly 6 seconds after

we click the button and expires in one year.

Predicting the serial numberRapidSSL uses sequential serial numbers:

Nov 3 07:42:02 2008 GMT 643004Nov 3 07:43:02 2008 GMT 643005Nov 3 07:44:08 2008 GMT 643006Nov 3 07:45:02 2008 GMT 643007Nov 3 07:46:02 2008 GMT 643008Nov 3 07:47:03 2008 GMT 643009Nov 3 07:48:02 2008 GMT 643010Nov 3 07:49:02 2008 GMT 643011Nov 3 07:50:02 2008 GMT 643012Nov 3 07:51:12 2008 GMT 643013Nov 3 07:51:29 2008 GMT 643014Nov 3 07:52:02 2008 GMT ?

Predicting the serial number

◦ Remote counter increases only when people buy certs we can do a query-and-increment operation at a cost

of buying one certificate◦ Cost

$69 for a new certificate renewals are only $45 up to 20 free reissues of a certificate $2.25/query-and-increment operation

Certificates issued per weekend

Predicting the serial number1. Get the serial number S on Friday2. Predict the value for time T on Sunday to be

S+10003. Generate the collision bits4. Shortly before time T buy enough certs to

increment the counter to S+9995. Send colliding request at time T and get serial

number S+1000

Collision generation

Based on the 2007 chosen-prefix collisions paper with new improvements

1-2 days on a cluster of 200 PlayStation 3’s

Equivalent to 8000 desktop CPU cores or $20,000 on Amazon EC2

Creating an intermediate CA

serial number

validity period

real cert domainname

real certRSA key

X.509 extensions

signature

rogue CA cert

rogue CA RSA key

rogue CA X.509extensions

Netscape CommentExtension

(contents ignored bybrowsers)

signature

identical bytes(copied from real cert)

collision bits(computed)

chosen prefix(difference)

CA bit!

Real life execution of the attack

◦ 3 failed attempts problems with timing other CA requests stealing our serial number

◦ Finally success on the 4th attempt!◦ Total cost of certificates:

USD $657

Impact

Part IV

Man-In-The-Middle◦ We can sign fully trusted certificates◦ Perfect man-in-the-middle attacks

◦ A malicious attacker can pick a more realistic CA name and fool even experts

Connection hijackingMITM requires connection hijacking:

◦ Insecure wireless networks◦ ARP spoofing◦ Proxy autodiscovery◦ DNS spoofing◦ Owning routers

Countermeasures

Part V

Preventing harm from our cert

◦ We’re not releasing the private key◦ Our CA cert was backdated to Aug 2004

just for demo purposes, a real malicious attacker can get a cert that never expires

◦ Browser vendors can blacklist our cert we notified them in advance

◦ Users might be able to blacklist our cert

Revocation issuesOur CA cert is not easily revocable!

◦ CRL and OCSP get the revocation URL from the cert itself

◦ Our cert contains no such URL◦ Revocation checking is disabled in

Firefox 2 and IE6 anyways Possible fixes: Large organizations can set up their own custom OCSP server and force OCSP revocation checking.

EV certsExtended Validation (EV) certs:

◦ supported by all major browsers◦ EV CAs are not allowed to use MD5◦ safe against this attack

Do users really know how to tell the difference between EV and regular certs?

Repeating the attackWith optimizations the attack might be donefor $2000 on Amazon EC2 in 1 dayWe want to prevent malicious entities from repeating the attack:

◦ We are not releasing our collision finding implementation or improved methods until we feel it’s safe

◦ We’ve talked to the affected CAs: they will switch to SHA-1 very, very soon

Has this already been done?No way to tell.

◦ The theory has been public since 2007◦ Our legitimate certificate is completely innocuous,

the collision bits are hidden in the RSA key, but they look random

Can we still trust CA certs that have been used to sign anything with MD5 in the last few years?

Lessons for the future◦ We need defense in depth

random serial numbers random delay when signing certs

◦ Future challenges: second preimage against MD5 collisions in SHA-1

◦ Dropping support for a broken crypto primitive is very hard in practice but crypto can be broken overnight what do we do if SHA-1 or RSA falls tomorrow?

Conclusion

Part VI

Conclusion◦ No need to panic, the Internet is not completely

broken◦ The affected CAs are switching to SHA-1◦ Making the theoretical possible is sometimes the

only way you can affect change and secure the Internet