Chosen-prefix collisions for MD5 and applications

Authors:
Marc Stevens;Arjen K. Lenstra;Benne De Weger
Affiliations:
Cryptology Group, CWI, P.O. Box 94079, 1090 GB Amsterdam, The Netherlands.;Laboratory for Cryptologic Algorithms, École Polytechnique Fédérale de Lausanne, Station 14, CH-1015 Lausanne, Switzerland.;EiPSI, Faculty of Mathematics and Computer Science, TU Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands
Venue:
International Journal of Applied Cryptography
Year:
2012

Citing 11
Cited 0

Collisions for the compression function of MD5

EUROCRYPT '93 Workshop on the theory and application of cryptographic techniques on Advances in cryptology
Handbook of Applied Cryptography

Handbook of Applied Cryptography
Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities

EUROCRYPT '07 Proceedings of the 26th annual international conference on Advances in Cryptology
Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

CRYPTO '09 Proceedings of the 29th Annual International Cryptology Conference on Advances in Cryptology
Finding SHA-1 characteristics: general results and applications

ASIACRYPT'06 Proceedings of the 12th international conference on Theory and Application of Cryptology and Information Security
On the possibility of constructing meaningful hash collisions for public keys

ACISP'05 Proceedings of the 10th Australasian conference on Information Security and Privacy
Finding collisions in the full SHA-1

CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
How to break MD5 and other hash functions

EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
Strengthening digital signatures via randomized hashing

CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
Herding hash functions and the nostradamus attack

EUROCRYPT'06 Proceedings of the 24th annual international conference on The Theory and Applications of Cryptographic Techniques
On arithmetic weight for a general radix representation of integers (Corresp.)

IEEE Transactions on Information Theory

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of 239 calls to the MD5 compression function, for any two chosen message prefixes P and P′, suffixes S and S′ can be constructed such that the concatenated values P||S and P′||S′ collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf. http://www.win.tue.nl/hashclash/rogue-ca/). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/.