from collisions to chosen prefjx collisions
play

From Collisions to Chosen-Prefjx Collisions Application to Full - PowerPoint PPT Presentation

Sep 04, 2023 •555 likes •935 views

Introduction SHA-1 Cryptanalysis New chosen-prefjx collision techniques Conclusion From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas Peyrin Inria, France NTU, Singapour Eurocrypt 2019 Gatan

  1. Introduction SHA-1 Cryptanalysis New chosen-prefjx collision techniques Conclusion From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gaëtan Leurent Thomas Peyrin Inria, France NTU, Singapour Eurocrypt 2019 Gaëtan Leurent, Thomas Peyrin From Collisions to Chosen-Prefjx Collisions Eurocrypt 2019 1 / 21

  2. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 2 / 21 H n Hash functions Conclusion New chosen-prefjx collision techniques ▶ Hash function: public function { 0 , 1 } ∗ → { 0 , 1 } n ▶ Maps arbitrary-length message to fixed-length hash ▶ Hash function should behave like a random function ▶ Hard to find collisions, preimages ▶ Hash can be used as fingerprint, identifier ▶ Used in many difgerent contexts ▶ Signature: hash-and-sign ▶ MAC: hash-and-PRF ▶ Blockchain: Proof-of-work, …

  3. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin IV x 3 n x 2 m 2 n x 1 m 1 n x 0 m 0 n SHA-1 Conclusion New chosen-prefjx collision techniques 3 / 21 ▶ Designed by NSA: SHA-0 [1993], then SHA-1 [1995] ▶ Standardized by NIST, ISO, IETF, ... Widely used until quite recently ▶ State size: n = 160 ▶ Expected collision security 2 80 ▶ Iterative structure: Merkle-Damgård construction ▶ Block cipher-based compression function: Davies-Meyer H ( M )

  4. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin IV x 3 n x 2 m 2 n x 1 m 1 n x 0 m 0 n SHA-1 Conclusion New chosen-prefjx collision techniques 3 / 21 ▶ Designed by NSA: SHA-0 [1993], then SHA-1 [1995] ▶ Standardized by NIST, ISO, IETF, ... Widely used until quite recently ▶ State size: n = 160 ▶ Expected collision security 2 80 ▶ Iterative structure: Merkle-Damgård construction ▶ Block cipher-based compression function: Davies-Meyer H ( M )

  5. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 9ae6a4c80cadccbb7f0a 38762cf7f55934b34d17 SHA-1 = SHAttered attack: Colliding PDFs [Stevens & al., Crypto’17] [Stevens, Karpman & Peyrin, Crypto’15] 2015-10 Practical freestart collision (on GPU) [Stevens, EC’13] [Wang & al., Crypto’05] SHA-1 Cryptanalysis Conclusion New chosen-prefjx collision techniques 4 / 21 2005-02 Theoretical collision with 2 69 operations … Several unpublished collision attacks in the range 2 51 — 2 63 2010-11 Theoretical collision with 2 61 operations 2017-02 Practical collision with 2 64 . 7 operations (on GPU)

  6. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin SSL Certificate: [...] $ sslscan mail.sim.informatik.tu-darmstadt.de:993 5 / 21 Conclusion SHA-1 today New chosen-prefjx collision techniques ▶ Modern web browsers reject SHA-1 certificates since 2017 ▶ SHA-1 certificates still exists ▶ CAs still sell legacy SHA-1 certificates ▶ SHA-1 certificates still accepted by modern non-browser TLS clients ▶ Until a few week ago, a mailserver in TU Darmsdtat used a SHA-1 certificate ▶ Windows 10 “Mail” app connects without error Signature Algorithm: sha1WithRSAEncryption ▶ SHA-1 also used in Git, TLS 1.2 handshake, ...

  7. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin SSL Certificate: [...] $ sslscan mail.sim.informatik.tu-darmstadt.de:993 5 / 21 Conclusion SHA-1 today New chosen-prefjx collision techniques ▶ Modern web browsers reject SHA-1 certificates since 2017 ▶ SHA-1 certificates still exists ▶ CAs still sell legacy SHA-1 certificates ▶ SHA-1 certificates still accepted by modern non-browser TLS clients ▶ Until a few week ago, a mailserver in TU Darmsdtat used a SHA-1 certificate ▶ Windows 10 “Mail” app connects without error Signature Algorithm: sha1WithRSAEncryption ▶ SHA-1 also used in Git, TLS 1.2 handshake, ...

  8. Introduction P Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin ” suffjx prefix SHA-1 Cryptanalysis S C 2 C 1 6 / 21 IV Adding prefjx and suffjx New chosen-prefjx collision techniques C 2 Conclusion Exploiting collisions Collision attack IV C 1 ▶ Start from IV ▶ Add identical prefix and suffjx using iterative structure ▶ C 1 and C 2 collide ▶ Usually same diffjculty (just a difgerent IV) ▶ Issue: C 1 and C 2 look random (not controlled) ▶ Solution: hide in some ignored sections of the file ( e.g. comment) ▶ Issue: collision is not meaningful ▶ Solution: many file formats ( e.g. PDF) allow conditional branches M 1 = “ if ( C 1 == C 1 ) { good } else { evil } ” M 2 = “ if ( 􏿆 􏿌􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿎 C 2 == C 1 ) { good } else { evil }

  9. Introduction P Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin ” suffjx prefix SHA-1 Cryptanalysis S C 2 C 1 6 / 21 IV Adding prefjx and suffjx New chosen-prefjx collision techniques C 2 Conclusion Exploiting collisions Collision attack IV C 1 ▶ Start from IV ▶ Add identical prefix and suffjx using iterative structure ▶ C 1 and C 2 collide ▶ Usually same diffjculty (just a difgerent IV) ▶ Issue: C 1 and C 2 look random (not controlled) ▶ Solution: hide in some ignored sections of the file ( e.g. comment) ▶ Issue: collision is not meaningful ▶ Solution: many file formats ( e.g. PDF) allow conditional branches M 1 = “ if ( C 1 == C 1 ) { good } else { evil } ” M 2 = “ if ( 􏿆 􏿌􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿎 C 2 == C 1 ) { good } else { evil }

  10. Introduction Chosen-prefjx collision Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin [Bhargavan & L, NDSS’16] [Stevens & al, Crypto’09] S 2 C 2 1 C 1 P 2 P 1 IV SHA-1 Cryptanalysis 7 / 21 Identical-prefjx collision random collision blocks New chosen-prefjx collision techniques Conclusion S C 2 C 1 P Chosen-Prefjx Collisions IV [Stevens, Lenstra & de Weger, EC’07] ▶ Even with a prefix and prefix, many protocol seem unafgected by collision attacks ▶ Given IV, find M 1 ≠ M 2 s. t. ▶ Given P 1 , P 2 , find M 1 ≠ M 2 s. t. H ( M 1 ) = H ( M 2 ) H ( P 1 ‖ M 1 ) = H ( P 2 ‖ M 2 ) C ′ C ′ ▶ Arbitrary common prefix/suffjx, ▶ Breaks certificates ▶ Breaks integrity verification ▶ Breaks TLS, IKE, SSH ▶ Breaks signatures (in theory)

  11. Introduction Chosen-prefjx collision Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin [Bhargavan & L, NDSS’16] [Stevens & al, Crypto’09] S 2 C 2 1 C 1 P 2 P 1 IV SHA-1 Cryptanalysis 7 / 21 Identical-prefjx collision random collision blocks New chosen-prefjx collision techniques Conclusion S C 2 C 1 P Chosen-Prefjx Collisions IV [Stevens, Lenstra & de Weger, EC’07] ▶ Even with a prefix and prefix, many protocol seem unafgected by collision attacks ▶ Given IV, find M 1 ≠ M 2 s. t. ▶ Given P 1 , P 2 , find M 1 ≠ M 2 s. t. H ( M 1 ) = H ( M 2 ) H ( P 1 ‖ M 1 ) = H ( P 2 ‖ M 2 ) C ′ C ′ ▶ Arbitrary common prefix/suffjx, ▶ Breaks certificates ▶ Breaks integrity verification ▶ Breaks TLS, IKE, SSH ▶ Breaks signatures (in theory)

  12. Introduction koT02UA3eW6q Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 3 Bob copies the signature to k A , impersonates Alice 2 Bob asks CA to certify his key k B Impersonation attack SHA-1 Cryptanalysis PKI Infrastructure IWFEWrrnxkK8 q5q9Hq09Tp5R The public [Stevens, Lenstra & de Weger, EC’07] Attacking key certifjcation Conclusion New chosen-prefjx collision techniques 8 / 21 key of Alice is: 1 Bob creates keys s.t. H ( Alice || k A ) = H ( Bob || k B ) ▶ Alice generates key ▶ Ask PKI to sign ▶ Certificate proves ID

  13. Introduction koT02UA3eW6q Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 3 Bob copies the signature to k A , impersonates Alice 2 Bob asks CA to certify his key k B Impersonation attack SHA-1 Cryptanalysis PKI Infrastructure IWFEWrrnxkK8 q5q9Hq09Tp5R The public [Stevens, Lenstra & de Weger, EC’07] Attacking key certifjcation Conclusion New chosen-prefjx collision techniques 8 / 21 key of Alice is: 1 Bob creates keys s.t. H ( Alice || k A ) = H ( Bob || k B ) ▶ Alice generates key ▶ Ask PKI to sign ▶ Certificate proves ID

  14. Introduction YRfYal4ZFmiY Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 3 Bob copies the signature to k A , impersonates Alice 2 Bob asks CA to certify his key k B Impersonation attack PKI Infrastructure collision prefix SHA-1 Cryptanalysis E7OhkirqNyfm 7+zvZNcjdxXx The public New chosen-prefjx collision techniques Conclusion Attacking key certifjcation [Stevens, Lenstra & de Weger, EC’07] 8 / 21 seJ+L6NRaT49 ZOt226BvLIO5 OE6p9TY2sW74 The public key of Alice is: key of Bob is: 1 Bob creates keys s.t. H ( Alice || k A ) = H ( Bob || k B ) ▶ Alice generates key ▶ Ask PKI to sign ▶ Certificate proves ID

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

Excess of J/ y yield at very low p T in Au+Au collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR Wangmei Zha for the STAR Collaboration University of Science and Technology of China W. Zha etal.,

487 views • 22 slides
first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already in Dec 2010 first collisions with stable beams: 5 publications in PRL and PLB November 8 until Dec 6 Johanna Stachel Heavy ion running at the LHC

615 views • 60 slides
Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion collision? Focus on collective phenomena present in nucleus-nucleus collisions, but absent in pp collisions (condensed matter physics of

879 views • 23 slides
MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

12/9/15 MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive How to reduce their cost? q Reserve the wireless channel before transmitting data Send short control packets for

237 views • 7 slides
MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com Black Hat USA 2009 - July 30, 2009 Agenda MD5 on GPUs Dec 2008: rogue CA certificate on PS3 cluster MD5 birthday search Results &

516 views • 19 slides
MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com Agenda MD5 on GPUs Dec 2008: rogue CA certificate on PS3 cluster MD5 birthday search Results & performance MD5 on GPUs MD5 is

448 views • 18 slides
Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re-

Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re-

Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re- measures C+C collisions 2003 N+N and pi-N collisions in HADES Phys. Lett B 750, 12 (2015) What have we learnt from inclusive spectra p p X e+

505 views • 24 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane

Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane

GGI, 18.04.2019 Transplanckian collisions of particles, strings and branes: results & challenges Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane collisions (2010->) III: Gravitational

883 views • 67 slides
Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron

Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron

Electron-Molecule Collision Calculations on Vector and MPP Systems Carl Winstead Vincent McKoy Cray site: Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron transport and energy deposition

365 views • 23 slides
SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

The SHA-1 Hash Function Chosen-prefix Collisions Our Results Conclusion Extra Materials SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust Ga etan Leurent (INRIA - France) Thomas Peyrin (NTU

650 views • 29 slides
Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

562 views • 42 slides
Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation

Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation

Unit 5: More Collisions 3D Modelling & Animation Module F21MA Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation Unit contents Detecting collisions Springing off a fixed ball

460 views • 23 slides
October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

Florida Public Transportation Association Annual Conference Florida Transit Safety Network October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and rear- ending collisions Show Florida transit Motorbus

443 views • 43 slides
Common Trends in Wildlife-Vehicle Collisions 89 percent of wildlife-vehicle collisions (WVCs)

Common Trends in Wildlife-Vehicle Collisions 89 percent of wildlife-vehicle collisions (WVCs)

Wildlife-vehicle Collision Mitigation in New Mexico Jim Hirsch Environmental Bureau - NMDOT Common Trends in Wildlife-Vehicle Collisions 89 percent of wildlife-vehicle collisions (WVCs) occur on two-lane low-volume roads. WVCs occur

201 views • 16 slides
Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions Quantum Collisions Quantum collisions used to study the interaction between particles/nuclei/atoms. . . analyse the structure of

651 views • 30 slides
Cha pte r 15: Phe no me na he re a c tio n A(a q ) + B(a q ) C(a q ) wa s studie d a t two

Cha pte r 15: Phe no me na he re a c tio n A(a q ) + B(a q ) C(a q ) wa s studie d a t two

Cha pte r 15: Phe no me na he re a c tio n A(a q ) + B(a q ) C(a q ) wa s studie d a t two diffe re nt Phe no me na : T te mpe ra ture s (298 K a nd 350 K ). F o r e a c h te mpe ra ture the re a c tio n wa s sta rte d b y putting

450 views • 40 slides
Heavy-ion collisions: theory review Andrea Beraudo CERN, Theory Unit QCD at Cosmic

Heavy-ion collisions: theory review Andrea Beraudo CERN, Theory Unit QCD at Cosmic

Introduction Virtual experiments: lattice QCD Real experiments: heavy-ion collisions Heavy-ion collisions: theory review Andrea Beraudo CERN, Theory Unit QCD at Cosmic Energies, Paris, 11-15 June 2012 Andrea Beraudo Heavy-ion

1.26k views • 94 slides
Foundations of Chemical Kinetics Lecture 8: Simple collision theory Marc R. Roussel Department

Foundations of Chemical Kinetics Lecture 8: Simple collision theory Marc R. Roussel Department

Foundations of Chemical Kinetics Lecture 8: Simple collision theory Marc R. Roussel Department of Chemistry and Biochemistry Simple collision theory In a gas-phase bimolecular reaction, the reactants have to meet in order to react. A

546 views • 11 slides
Making electricity demand weather-sensitive? A French example... Since 1974: 63 GW of installed

Making electricity demand weather-sensitive? A French example... Since 1974: 63 GW of installed

Making electricity demand weather-sensitive? A French example... Since 1974: 63 GW of installed nuclear capacity (58 reactors) Electric heating: 36% of residential electricity consumption | 2001-2011: electric heating for more than 60% of

520 views • 10 slides
The 3rd Strangeness Workshop Warsaw 22-23 April 2016 Two identical pions correlations at small

The 3rd Strangeness Workshop Warsaw 22-23 April 2016 Two identical pions correlations at small

The 3rd Strangeness Workshop Warsaw 22-23 April 2016 Two identical pions correlations at small relative momenta in Two identical pions correlations at small relative momenta in collisions of Al+Al and Ni+Ni at 1.9A GeV collisions of Al+Al and

325 views • 16 slides
Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau

Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau

Zone based verification of timed automata revisited B. Srivathsan Joint work with F. Herbreteau and I. Walukiewicz LaBRI, Universit e de Bordeaux 1 Groupe de Travail Mod elisation et V erification LIF, Marseille - November 2011 Zone

1.51k views • 127 slides
High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische

1 High-speed cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven with some slides from: Tanja Lange Technische Universiteit Eindhoven 2 Do we care about speed? Almost all software is

1.36k views • 44 slides
A Trusted System DANIEL THORPE CETABC - MAY 2016 The mind is for having ideas, not for holding

A Trusted System DANIEL THORPE CETABC - MAY 2016 The mind is for having ideas, not for holding

GTD ONE A Trusted System DANIEL THORPE CETABC - MAY 2016 The mind is for having ideas, not for holding them. DAVID ALLEN: GETTING THINGS DONE Building A Trusted System Write Everything Down You need five To Do lists: Inbox

500 views • 27 slides

More recommend