md5 chosen prefix collisions on gpus
play

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand - PowerPoint PPT Presentation

Sep 22, 2022 •257 likes •448 views

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com Agenda MD5 on GPUs Dec 2008: rogue CA certificate on PS3 cluster MD5 birthday search Results & performance MD5 on GPUs MD5 is

  1. MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

  2. Agenda  MD5 on GPUs  Dec 2008: rogue CA certificate on PS3 cluster  MD5 birthday search  Results & performance

  3. MD5 on GPUs  MD5 is optimized for 32-bit architectures  32-bit integer & logical instructions  GPGPU tech makes it possible to run arbitrary code  GPUs are massively parallel chips with lots of ALUs

  4. MD5 on GPUs (cont'd)  Let me repeat: ”massively parallel”  As in hundreds of instructions per clock  Why isn't everybody doing GPGPU ?! Lack of awareness

  5. Why ATI GPUs (cont'd)  ATI R700 GPU family (Radeon HD 4000 series):  Up to 800 Stream Processing Units per ASIC  Clocked up to 850 Mhz  Dual-GPU video cards  Best perf/W and perf/$ (May 2009): HD 4850 X2  2 nd fastest video card in the world  1 trillion 32-bit instructions/sec (2 TFLOPS)  TDP 230W, Price US$250  Can't wait to see next-gen R800

  6. Why not Nvidia  Top-of-the-line member of the Nvidia GT200 GPU family: GTX 295  596 billion 32-bit instructions/sec  TDP 290W, Price US$500  Raw perf/W and perf/$ respectively roughly 2 times and 4 times worse than HD 4850 X2  However Nvidia CUDA SDK is more mature  Next-gen GT300 will be better ?

  7. Rogue CA  When: Dec 2008, paper published in Mar 2009  Where: 25 th Chaos Communication Congress (25C3)  Who: 7 researchers (Sotirov, Stevens, Applebaum, Lenstra, Molnar, Osvik, Weger)  What: implemented an MD5 chosen-prefix collision attack on a cluster of 215 PlayStation 3s to create a rogue CA

  8. Rogue CA (cont'd)  Simplified explanation:  Create cert ”A” and rogue CA cert ”B” with same MD5 hash  Get a CA to sign a cert signing request that end up producing cert A  Steal A's signature and apply it to B  How to generate A and B with same MD5 hash:  ”Birthdaying” stage ← most computing intensive part  ”Near collision” stage

  9. MD5 ”Birthdaying”  We have 2 ”chosen-prefix” bitstrings (certs)  When processed through MD5, lead to 2 different MD5 states (8 32-bit variables):  A, B, C, D  A', B', C', D'  Goal of birthdaying is to append a small number of bits to find a state such as the 8 variables satisfy some conditions (see Mar 2009 paper)

  10. MD5 ”Birthdaying” (cont'd)  Technique to find these conditions: deterministic pseudo-random walk in search space using Pollard- Rho method  Same concept as a rainbow table chain ”walking” through the search space except we are looking for collisions !  Basically this search consists of running the MD5 compression function over and over  [TODO: schema]

  11. MD5 CAL IL Implementation  Therefore to optimize the attack, a fast MD5 implementation had to be developed  Hand-coded one in CAL IL (Compute Abstract Layer Intermediary Language) – a pseudo-assembly language for ATI GPUs

  12. MD5 in CAL IL  ”CAL IL”: looks as bad as it sounds :)

  13. Performance  1634 Mhash/sec on HD 4850 X2 (1.6 billion MD5 compression function calls per second) – IOW MD5 processes 105 GByte/s  Possible future optimization: due to a particularity of the birthday search, the first 14 out of 64 steps of the compression function can be pre-computed – should allow 2090 Mhash/sec

  14. Theoretical GPGPU cracking server  4 Radeon HD 4850 X2 in a single machine  8 GPUs total  About US$1500  Power draw: 950 W from the wall  Total of 6536 Mhash/s

  15. Here it is

  16. HW Implementation Details  QEMU/KVM PCI passthrough feature to work around ATI's fglrx.ko driver limitation of 4 GPUs  Flexible cut-out PCI-Express extenders to down- plug x16 cards on cheap motherboards with x1 slots  Undocumented secret: short pins A1 & B17 to work around down- plugging compatibility issues

  17. Comparison with PS3 cluster  215 PS3s:  28 kW (130 W each)  US$86k (US$400 each)  37600 Mhash/s (175 Mhash/s each)  6 GPGPU servers:  5.7 kW (950 W each) – 5 times less power  US$9k (US$1500 each) – 10 times cheaper  39200 Mhash/s (6536 Mhash/s each) – and a bit faster

  18. Conclusion  Another blow to MD5 – chosen-prefix collision attack now practical for anybody  Public CAs have stopped signing with MD5 – what about private/corporate CAs ?  If a workload can run on GPUs, do it. They are a commodity and so efficient that considering anything else does not make sense.  Code & tools will be open-sourced on the project page: [TBD]

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com Black Hat USA 2009 - July 30, 2009 Agenda MD5 on GPUs Dec 2008: rogue CA certificate on PS3 cluster MD5 birthday search Results &

516 views • 19 slides
SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

The SHA-1 Hash Function Chosen-prefix Collisions Our Results Conclusion Extra Materials SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust Ga etan Leurent (INRIA - France) Thomas Peyrin (NTU

650 views • 29 slides
From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas

From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas

Introduction SHA-1 Cryptanalysis New chosen-prefjx collision techniques Conclusion From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas Peyrin Inria, France NTU, Singapour Eurocrypt 2019 Gatan

935 views • 37 slides
Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms

Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms

Prefix sums on GPUs Bruce Merry Definition and Applications Prefix sums on GPUs Motivating Problem Definitions Other Applications Parallel Algorithms Bruce Merry Kogge-Stone Brent-Kung GPU Strategies Department of Computer Science,

1.13k views • 88 slides
SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust

SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust

Introduction Record computation PGP/GPG Impersonation Conclusion SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust Gatan Leurent Thomas Peyrin Inria, France NTU, Singapore Real World Crypto

1.29k views • 25 slides
for GPUs Sepideh Maleki*, Annie Yang, and Martin Burtscher Department of Computer Science

for GPUs Sepideh Maleki*, Annie Yang, and Martin Burtscher Department of Computer Science

A New Parallel Prefix-Scan Algorithm for GPUs Sepideh Maleki*, Annie Yang, and Martin Burtscher Department of Computer Science Highlights GPU-friendly algorithm for prefix scans called SAM Novelties and features Higher-order support

313 views • 29 slides
Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com

Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com

BlackHat Briefings, 2009 Breaking the Myths of Extended Validation SSL Certificates Alexander Sotirov phmsecurity.com Mike Zusman intrepidusgroup.com Introduction Chosen-prefix MD5 collisions allowed us to create a rogue Certificate

493 views • 37 slides
This week, we are going to look again at another prefix. What is a prefix? Click on the right

This week, we are going to look again at another prefix. What is a prefix? Click on the right

This week, we are going to look again at another prefix. What is a prefix? Click on the right answer. A prefix is a word or A prefix is a group group of words that A prefix is a group of letters that goes comes at the start of of letters

462 views • 21 slides
This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A

This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A

This week, we are going to look at another prefix. What is a prefix? Choose the right answer. A prefix is a word or A prefix is a group group of words that A prefix is a group of letters that goes comes at the start of of letters that goes

317 views • 21 slides
collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

Excess of J/ y yield at very low p T in Au+Au collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR Wangmei Zha for the STAR Collaboration University of Science and Technology of China W. Zha etal.,

487 views • 22 slides
Parallel prefix adders Kostas Vitoroulis, 2006. Presented to Dr. A. J. Al-Khalili. Concordia

Parallel prefix adders Kostas Vitoroulis, 2006. Presented to Dr. A. J. Al-Khalili. Concordia

Parallel prefix adders Kostas Vitoroulis, 2006. Presented to Dr. A. J. Al-Khalili. Concordia University. Overview of presentation Parallel prefix operations Binary addition as a parallel prefix operation Prefix graphs Adder

764 views • 35 slides
first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already in Dec 2010 first collisions with stable beams: 5 publications in PRL and PLB November 8 until Dec 6 Johanna Stachel Heavy ion running at the LHC

615 views • 60 slides
IP Prefix Advertisement in EVPN draft-rabadan-l2vpn-evpn-prefix-advertisement-01 Jorge Rabadan

IP Prefix Advertisement in EVPN draft-rabadan-l2vpn-evpn-prefix-advertisement-01 Jorge Rabadan

IP Prefix Advertisement in EVPN draft-rabadan-l2vpn-evpn-prefix-advertisement-01 Jorge Rabadan Wim Hendericks Florin Balus Senad Palislamovic Aldrin Isaac IETF 88, November 2013 Vancouver, Canada The prefix-advertisement route (route-type

244 views • 8 slides
Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5

Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5

Recap: Prefix Sums Given A : set of n integers Find B : prefix sums A: 3 1 1 7 2 5 9 2 4 3 3 B: 3 4 5 12 14 19 28 30 34 37 40 1 / 86 Recap: Parallel Prefix Sums Recursive algorithm Recursively computes sums Use

3.11k views • 86 slides
Why use GPUs for graph processing? FOSDEM 2020 2 GPUs and Graphs Graphs GPUs Found

Why use GPUs for graph processing? FOSDEM 2020 2 GPUs and Graphs Graphs GPUs Found

Gunrock High-Performance Graph Analytics for the GPU Muhammad Osama University of California, Davis Why use GPUs for graph processing? FOSDEM 2020 2 GPUs and Graphs Graphs GPUs Found everywhere Found everywhere Road &

560 views • 23 slides
Finding good prefix networks using Haskell Mary Sheeran (Chalmers) 1 Prefix Given inputs x1,

Finding good prefix networks using Haskell Mary Sheeran (Chalmers) 1 Prefix Given inputs x1,

Finding good prefix networks using Haskell Mary Sheeran (Chalmers) 1 Prefix Given inputs x1, x2, x3 xn Compute x1, x1*x2, x1*x2*x3, , x1*x2** xn where * is an arbitrary associative (but not necessarily commutative)

745 views • 39 slides
Current status of MD5 and SHA-1 Eric Rescorla Network Resonance ekr@networkresonance.com Eric

Current status of MD5 and SHA-1 Eric Rescorla Network Resonance ekr@networkresonance.com Eric

Current status of MD5 and SHA-1 Eric Rescorla Network Resonance ekr@networkresonance.com Eric Rescorla SAAG, IETF 62 1 Review of hash function terminology Collision Find M , M st H ( M ) = H ( M ) 1st preimage Given X , find M st H (

149 views • 10 slides
Set theory and Hausdorff measures Mrton Elekes emarci@renyi.hu www.renyi.hu/ emarci Rnyi

Set theory and Hausdorff measures Mrton Elekes emarci@renyi.hu www.renyi.hu/ emarci Rnyi

Set theory and Hausdorff measures Mrton Elekes emarci@renyi.hu www.renyi.hu/ emarci Rnyi Institute and Etvs Lornd University, Budapest Warsaw 2012 Mrton Elekes emarci@renyi.hu www.renyi.hu/ emarci Set theory and Hausdorff

798 views • 66 slides
CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL:

CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL:

CSE 543 - Computer Security Lecture 4 - Cryptography September 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Hash Algorithms Hash algorithm

358 views • 22 slides
FAI The Universal Deployment Tool Thomas Lange, University of Cologne

FAI The Universal Deployment Tool Thomas Lange, University of Cologne

FAI The Universal Deployment Tool Thomas Lange, University of Cologne lange@informatik.uni-koeln.de FOSDEM, January 2016 1 / 13 What is FAI? FAI = Fully Automatic Installation Unattended mass deployment From empty disk to

177 views • 13 slides
SO FAR Revelation Principle Single parameter environments Second price auctions

SO FAR Revelation Principle Single parameter environments Second price auctions

T RUTH J USTICE A LGOS Mechanism Design: Recent Advances Teachers: Ariel Procaccia and Alex Psomas (this time) SO FAR Revelation Principle Single parameter environments Second price auctions Myersons lemma Myersons

478 views • 35 slides
Securing Your Data in Postgres Payal Singh DBA@OmniTI payal@omniti.com Contents Event

Securing Your Data in Postgres Payal Singh DBA@OmniTI payal@omniti.com Contents Event

Securing Your Data in Postgres Payal Singh DBA@OmniTI payal@omniti.com Contents Event Triggers Authentication ACLs Auditing Row-Level Security SSL / TLS Encryption Replication https://www.postgresql.org/support/security/ 1.

932 views • 50 slides
SHA-3 From: ! SHA3 where weve been, where were going written by John Kelsey (NIST) for the

SHA-3 From: ! SHA3 where weve been, where were going written by John Kelsey (NIST) for the

SHA-3 From: ! SHA3 where weve been, where were going written by John Kelsey (NIST) for the RSA Conference 2013 Origins Hash functions appeared as an important idea at the dawn of modern public crypto. Many ideas floating around to

879 views • 22 slides
Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into

Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into

Slinging the Hash (Function) What are hash functions good for? Hashing values to insert into arrays: hash tables Converting long strings into shorter strings in an irreversible way: one-way function Turn a 200 KB document into a 16

434 views • 5 slides

More recommend