Elie Bursztein
with the help of Marc Stevens (CWI), Pierre Karpman (INRIA), Ange Albertini, Yarik Markov, Alex Petit-Bianco
Digest uniqueness, one-way function: File 1 and File 2 hash to two distinct digests (3171 AC03 B186 and 42A9 1C4E 3CBE)
Outline: Attacking hash functions; Finding a SHA-1 collision; Post-collision world
https://shattered.io
Collision: attacker file 1 and attacker file 2 hash to the same digest 3713ACE30E7ABBA
Preimage: given the digest 42ACE13F0E93BAD of an unknown file, the attacker builds a file with that digest
Second preimage: given a known file with digest BAD37ACE308E93D, the attacker builds a different file with the same digest
Bruteforce is impractical; cryptanalysis to the rescue
Hash construction (R. C. Merkle, Secrecy, authentication, and public key systems, 1979):
IV -> SHA1compress(file 1st block) -> SHA1compress(file 2nd block) -> ... -> SHA1compress(file last block) -> digest
Diagram: the compression function F takes a message block and a chain value; the attack is built from a message differential path and an equation system over message blocks and chain values
Diagram: file 1 (block 1) != file 2 (block 1) gives a near collision in the chain value; file 1 (block m) != file 2 (block m) turns the near collision into a collision (equal chain values)
Fixed-prefix collision: File 1 = fixed prefix (P) | collision blocks (C1) | arbitrary suffix (S); File 2 = fixed prefix (P) | collision blocks (C2) | arbitrary suffix (S)
P==P and C1!=C2 and S==S
Shattered layout, File 1 and File 2: specially crafted prefix | collision blocks (C1 or C2) | partial suffix displayed (S)
Chosen-prefix collision: File 1 = fixed prefix (P1) | collision blocks (C1) | arbitrary suffix (S); File 2 = fixed prefix (P2) | collision blocks (C2) | arbitrary suffix (S)
P1!=P2 and C1!=C2 and S==S
Victim certificate: serial number, validity period, real cert domain name, RSA public key, X509 extensions CA=FALSE, signature
Rogue signing certificate: serial number, validity period, rogue cert (* wildcard), RSA public key, X509 extensions CA=TRUE, Netscape Comment X509 extension, signature
Collision resistance, preimage resistance
Security claim vs best attack (collision):
Hash    Security claim    Best attack, fixed prefix (full collision attack)    Best attack, chosen prefix
MD4     2^64              2^1
MD5     2^64              2^16                                                 2^39
SHA-1   2^80              2^63                                                 2^77
Fixed-prefix and chosen-prefix attacks are built from near-collision blocks
Timeline: 2015, 2015 - 2016, 2016, 2017
File 1: PDF header | JPEG header | JPEG comment (length) | Image 1 | collision
File 2: PDF header | JPEG header | JPEG comment (length 2) | Image 2
Comment in comment
Lessons: work in small batches (~1h); refactor code to be stateless; factory paradigm, not map-reduce
Attack steps: 1. DV selection 2. Craft non-linear path 3. Determine attack success conditions 4. Find additional conditions 5. Fix solvability 6. Find speed-ups 7. Write attack code 8. Compute collision
Pipeline: base solution (CPU), final collision check (CPU), collision blocks (C1)
Work step by step; always try to work at the highest step; parallelized: one thread / one solution
https://github.com/nneonneo/sha1collider
JPEG layout of the two files: fixed PDF header; variable JPEG start; image parsed as comment (JPEG comment inside JPEG comment); visual desync; comment length = 0x173 in one file vs comment length = 0x17F in the other, the difference coming from the collision block
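As an added illustration of the comment-length trick described on this slide (my own constructed toy, not code from the talk or from sha1collider), the script below builds two JPEG-like byte strings that share every byte except the first comment's length field, using the 0x173 / 0x17F values from the slide, and walks them the way a decoder would. The 8 padding bytes, the filler standing in for the collision blocks, and which file ends up showing which image are assumptions; no real SHA-1 collision is involved.

```python
import struct

# JPEG markers used in the toy layout: start of image, end of image, comment, baseline frame header.
SOI, EOI, COM, SOF0 = b"\xff\xd8", b"\xff\xd9", b"\xff\xfe", b"\xff\xc0"


def segment(marker: bytes, payload: bytes) -> bytes:
    """Marker, then a 2-byte big-endian length that counts itself, then the payload."""
    return marker + struct.pack(">H", len(payload) + 2) + payload


def build_pair(image1: bytes, image2: bytes):
    """Two files identical except for the first COM length (0x173 vs 0x17F, the slide's values).
    In SHAttered that difference is forced by the collision blocks; here it is simply
    written in (constructed stand-in, not a real collision)."""
    # The inner comment swallows image1 (its frame header and its EOI) plus 8 padding bytes
    # (assumed), so a decoder that lands on the inner COM marker skips straight to image2.
    hidden = b"\x00" * 8 + segment(SOF0, image1) + EOI
    # 0x171 filler bytes stand in for the collision blocks and padding covered by the outer comment.
    tail = b"\x00" * (0x173 - 2) + segment(COM, hidden) + segment(SOF0, image2) + EOI
    file1 = SOI + COM + struct.pack(">H", 0x173) + tail  # lands on the inner COM -> image2
    file2 = SOI + COM + struct.pack(">H", 0x17F) + tail  # lands 12 bytes later -> image1
    return file1, file2


def first_image(data: bytes):
    """Walk segments like a decoder: skip COM/APP segments by their length and stop at the
    first frame header (SOF0) or at EOI. Returns the SOF0 payload, or None if EOI came first."""
    if data[:2] != SOI:
        return None
    pos = 2
    while pos + 4 <= len(data):
        marker = data[pos:pos + 2]
        if marker == EOI:
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == SOF0:
            return data[pos + 4:pos + 2 + length]
        pos += 2 + length  # skip this segment, including its own length field
    return None


def differing_offsets(a: bytes, b: bytes):
    """Byte offsets where two equal-length files differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    f1, f2 = build_pair(b"image-1", b"image-2")
    print(first_image(f1), first_image(f2))  # b'image-2' b'image-1'
    print(len(f1) == len(f2), differing_offsets(f1, f2))  # True [5]
```

The visual desync comes entirely from the length field: the same bytes are either a comment body or image data depending on where the decoder lands, which is why a detector must look at the hash computation itself rather than at the rendered image.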
Transition plan slowly in the making
Counter-cryptanalysis: leverage how collisions are created; only requires one file to detect a collision; negligible false positives; trivial differences are required for feasible attacks
Deployed in: JGit, Github.com, Git 2.12.2 (Mar 2017)
Constructions and collision security: MD; MD 2^128; Sponge 2^128, 2^128; HAIFA 2^128, 2^256
SHA-1 is dead, long live SHA-256 & SHA-3; counter-cryptanalysis as a means of detection; hash diversity as a safeguard for the years to come