
SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust (PowerPoint PPT presentation)



  1. SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust. Gaëtan Leurent (INRIA - France), Thomas Peyrin (NTU - Singapore). USENIX 2020, Boston (USA) - August 14, 2020. https://sha-mbles.github.io/
  Outline: The SHA-1 Hash Function; Chosen-prefix Collisions; Our Results; Conclusion; Extra Materials.
  G. Leurent, T. Peyrin (Inria & NTU) - SHA-1 is a Shambles - USENIX 2020 - 1 / 19

  2. What is a Hash Function?
  [Figure: the message "I, at any rate, am convinced that He does not throw dice." is fed to H and comes out as 0x81fc4d81d3670b4e]
  H maps an arbitrary-length input (the message M) to a fixed-length n-bit output. Typically:
  ◮ n = 128 bits (MD5)
  ◮ n = 160 bits (SHA-1)
  ◮ n = 256 bits (SHA-256)

  3. The cryptographic hash function security goals
  ◮ pre-image resistance
  ◮ 2nd pre-image resistance
  ◮ collision resistance: the attacker cannot find two messages (x, x′) such that H(x) = H(x′) in fewer than Θ(2^(n/2)) operations (generic birthday-paradox attack).
  [Figure: x and x′ both go through H and land on the same output]

  4. General hash construction
  Most hash functions are composed of two elements:
  ◮ a compression function h: a function for which the input and output sizes are fixed.
  ◮ a domain extension algorithm: an iterative process that uses the compression function h so that the hash function H can handle inputs of arbitrary length.
  [Figure: a fixed-size message goes into h; an arbitrary-length input goes into H and produces the hash]

  5. The Merkle-Damgård domain extension algorithm
  The most famous domain extension algorithm used is called the Merkle-Damgård [MD-CRYPTO89] iterative algorithm.
  pad(M) = M_1 || M_2 || M_3 || ... || M_n
  [Figure: starting from IV, h is applied to M_1, then M_2, then M_3, ..., then M_n, each call feeding its output into the next; the last output is the hash]
  The compression function h now takes two fixed-size inputs, the incoming chaining variable CV_i and the message block M_i, and outputs a new chaining variable CV_(i+1).

  6. Current security of SHA-1
  The (bad-looking) current situation of SHA-1:
  1995: SHA-1 published (SHA-0 (1993) with a slight twist) [NIST-FIPS-180-1]
  2005: theoretical collision attack on the full hash - 2^69 [WYY-CRYPTO05]
  2006-2011: lots of works computing collisions for reduced-round versions
  2015: collision computed on the full compression function - 2^57 [SKP-EUROCR.16]
  2017: computation of a collision on the full hash (identical-prefix collision) - 2^64.7 [SBK+-CRYPTO17]
  2019: practical chosen-prefix collision attack on the full hash - 2^67.2 [LP-EUROCR.19]
  New: computation of a chosen-prefix collision on the full hash - 2^63.7; PGP/GnuPG key-certification forgery

  7. Motivations to study SHA-1
  SHA-1 is not used anymore, right? .... right!?
  ◮ SHA-1 certificates (X.509) still exist
    ◮ CAs sell legacy SHA-1 certificates for legacy clients
    ◮ Accepted by many non-web modern clients
    ◮ ICSI Certificate Notary: 1.3% SHA-1 certificates
  ◮ PGP signatures with SHA-1 are still trusted
    ◮ Default hash for key certification in GnuPG v1 (legacy branch)
    ◮ 1% of public certifications (Web of Trust) in 2019 use SHA-1
  ◮ SHA-1 still allowed for in-protocol signatures in TLS, SSH (used by more than 3% of Alexa top 1M servers)
  ◮ HMAC-SHA-1 ciphersuites (TLS) still used by more than 8% of Alexa top 1M servers
  ◮ Probably a lot of more obscure protocols ... (EMV credit cards use weird SHA-1 signatures)
  Another push is needed to accelerate the retirement of SHA-1

  8. What are identical-prefix collisions?
  Identical-prefix collision attack: the attacker is first challenged with one prefix P, and its goal is to compute two messages M and M′ to create the collision H(P || M) = H(P || M′), where || denotes concatenation.
  [Figure: two chains start from the same IV and share the prefix blocks M_1, M_2 (no difference); they diverge at M_3 ... M_i versus M′_3 ... M′_i and end in a collision]
  The colliding blocks will be almost random-looking, but any prefix or suffix can be used (as long as no difference is inserted)
  ◮ breaks integrity
  ◮ colliding PDFs (see SHAttered for SHA-1 [SBK+-CRYPTO17])

  9. What are chosen-prefix collisions?
  Chosen-prefix collision attack: the attacker is first challenged with two message prefixes P and P′, and its goal is to compute two messages M and M′ to create the collision H(P || M) = H(P′ || M′), where || denotes concatenation.
  [Figure: two chains start from the same IV but process different prefixes, so their chaining variables carry a random difference; the blocks M_1 ... M_i and M′_1 ... M′_i then bring them to a collision]
  Much more powerful and much harder than an identical-prefix collision
  ◮ breaks certificates (Rogue CA [SSA+-CRYPTO09])
  ◮ breaks TLS, SSH (SLOTH attack [BL-NDSS16])
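To make slides 5, 8 and 9 concrete, here is an added toy model (not the authors' code and not SHA-1): a Merkle-Damgård hash with a 16-bit chaining variable that iterates a compression function h over padded blocks, finds an identical-prefix or chosen-prefix collision by the generic birthday search, and checks that any common suffix preserves the collision. The names h, absorb, pad, H, prefix_collision and collides_with_suffix, the constants, and the use of truncated SHA-256 as a stand-in random compression function are all assumptions of this example.

```python
import hashlib
from itertools import count

BLOCK = 4     # toy message-block size in bytes (SHA-1 uses 64)
IV = 0x1234   # fixed 16-bit initial chaining variable (SHA-1: 160 bits)

def h(cv: int, block: bytes) -> int:
    """Toy compression function: (16-bit CV, one block) -> 16-bit CV.
    Truncated SHA-256 is used only to make h behave like a random function."""
    assert len(block) == BLOCK
    d = hashlib.sha256(cv.to_bytes(2, "big") + block).digest()
    return int.from_bytes(d[:2], "big")

def absorb(data: bytes, cv: int = IV) -> int:
    """Iterate h over block-aligned data, threading the chaining variable."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        cv = h(cv, data[i:i + BLOCK])
    return cv

def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then a 2-byte bit length."""
    p = msg + b"\x80"
    while (len(p) + 2) % BLOCK:
        p += b"\x00"
    return p + ((len(msg) * 8) & 0xFFFF).to_bytes(2, "big")

def H(msg: bytes) -> int:
    """The toy hash: Merkle-Damgard domain extension of h over pad(msg)."""
    return absorb(pad(msg))

def prefix_collision(p1: bytes, p2: bytes):
    """Birthday search for one-block m1, m2 with h(CV1, m1) == h(CV2, m2).
    p1 == p2 is the identical-prefix case, p1 != p2 the chosen-prefix case."""
    assert len(p1) == len(p2), "equal lengths keep the final length padding identical"
    cv1, cv2 = absorb(p1), absorb(p2)
    seen1, seen2 = {}, {}           # h output -> block, one table per side
    for i in count():
        m = i.to_bytes(BLOCK, "big")
        t1, t2 = h(cv1, m), h(cv2, m)
        if t1 in seen2:             # side-1 block meets an earlier side-2 block
            return m, seen2[t1]
        if t2 in seen1:
            return seen1[t2], m
        seen1[t1], seen2[t2] = m, m

def collides_with_suffix(p1, p2, m1, m2, suffix: bytes) -> bool:
    """Equal chaining variables plus identical remaining blocks keep the collision."""
    return H(p1 + m1 + suffix) == H(p2 + m2 + suffix)
```

Because h here is random-looking, both collision kinds cost about 2^(n/2) compression calls in this toy, which is the generic bound from slide 3; the real SHA-1 attacks instead exploit the structure of its compression function, which is why chosen-prefix is so much harder there than identical-prefix.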

  10. Our results
  1 - Complexity improvements (factor 8 ∼ 10)
  ◮ identical-prefix collision from 2^64.7 to 2^61.2 (11k US$ in GPU rental)
  ◮ chosen-prefix collision from 2^67.1 to 2^63.4 (45k US$ in GPU rental)
  2 - Record computation
  ◮ implementation of the full (very technical) attack
  ◮ 2 months of computation using 900 GPUs (GTX 1060)
  3 - PGP Web-of-Trust impersonation
  ◮ 2 keys with different IDs and colliding certificates
  ◮ certification signature can be copied to the second key

  11. Result 3 - PGP Web-of-Trust impersonation
  The Web of Trust is a trust model used for PGP that relies on users signing each other's identity certificate, instead of using a central PKI.
  For compatibility reasons the legacy branch of GnuPG (version 1.4) still uses SHA-1 by default for identity certification.
  Idea:
  ◮ create a pair of keys with two different UserIDs: victim name (A) and attacker name (B)
