and Elie Bursztein with the help of Marc Stevens (CWI), Pierre Karpman (INRIA), Ange Albertini, Yarik Markov, Alex Petit-Bianco
[Diagram: two properties of a hash function. Digest uniqueness: File 1 hashes to 3171 AC03 B186, File 2 to 42A9 1C4E 3CBE. One-way function.]
Outline: (1) Attacking hash functions, (2) Finding a SHA-1 collision, (3) Post-collision world.
https://shattered.io
[Diagram: three attack goals against a hash function.
 Collision: attacker file 1 and attacker file 2 share the digest 3713ACE30E7ABBA.
 Preimage: an unknown file and an attacker file share the digest 42ACE13F0E93BAD.
 Second preimage: a known file and an attacker file share the digest BAD37ACE308E93D.]
Brute force is impractical; cryptanalysis to the rescue.
[Diagram: Merkle-Damgård construction. The file is split into blocks (1st block, 2nd block, ..., last block). Starting from the IV, SHA1compress() is applied to each block in turn; the output of one call is the chain value fed into the next, and the final chain value is the hash. Reference: R.C. Merkle, Secrecy, authentication, and public key systems (1979).]
[Diagram: inside one compression call, the message block is fed through the round functions F that update the chain value. To attack it, the two messages are given a differential path and the conditions along that path are collected into an equation system.]
[Diagram: two-block collision. Block 1 of File 1 and block 1 of File 2 produce a near collision: the chain values still differ (!=). Block m of File 1 and block m of File 2 cancel that difference, giving a collision (=).]
[Diagram: collision layouts.
 Fixed-prefix collision: File 1 = P | C1 | S and File 2 = P | C2 | S, with P==P, C1!=C2 and S==S (fixed prefix P, collision blocks C1/C2, arbitrary suffix S).
 The two PDF files: a specially crafted prefix, collision blocks C1 or C2, then the same suffix S, of which each file displays a different part.
 Chosen-prefix collision: File 1 = P1 | C1 | S and File 2 = P2 | C2 | S, with P1!=P2, C1!=C2 and S==S.]
MD5 SSL certificate forgery
[Diagram: MD5 SSL certificate forgery. Real cert (victim certificate): serial number, validity period, domain name (* wildcard), RSA public key, X509 extensions with CA=FALSE, signature. Rogue cert (rogue signing certificate): serial number, validity period, RSA public key, X509 extensions with CA=TRUE, Netscape Comment X509 extension, and the same signature.]
[Table: security claims vs best known attacks]
Hash  | Collision resistance                          | Preimage resistance
      | claim | fixed-prefix attack | chosen-prefix attack | claim
MD4   | 2^64  | 2^1                 |                      |
MD5   | 2^64  | 2^16                | 2^39                 |
SHA-1 | 2^80  | 2^63                | 2^77                 |
Timeline: 1. Craft file prefix (2015); 2. Compute near-collision (2015-2016); 3. Develop full collision attack (2016); 4. Compute collision blocks (2017).
[Diagram: structure of the two PDF files. File 1 and File 2 both consist of a PDF header, a JPEG header, a JPEG comment whose length field is set by the collision blocks, and a second comment nested inside the first; one file's parser reaches Image 1, the other's reaches Image 2.]
Engineering lessons: work in small batches (~1h); refactor code to be stateless; factory paradigm, not map-reduce.
Attack pipeline: DV selection; determine attack conditions; craft non-linear path; find additional success conditions; find speed-ups; fix solvability; write attack code; compute collision.
[Diagram: GPU attack structure. A base solution is computed on the CPU, then the search is parallelized on the GPU with one thread per solution, working step by step and always trying to work at the highest step; the final collision check on the collision blocks (C1) runs on the CPU.]
Tools: https://github.com/nneonneo/sha1collider
[Diagram: JPEG comment trick. Fixed part: PDF header, JPEG start, JPEG comment marker. The collision block sets the comment length: 0x173 in one file, 0x17F in the other. Variable part: the 12-byte difference desynchronises the JPEG parser, so one file has its image parsed while the other reads that image as a comment (visual desync).]
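The comment-length trick, as an added illustration that is not code from shattered.io or the sha1collider project: a toy JPEG-style segment walker parses two byte strings that are identical except for the comment length (0x173 vs 0x17F, 12 bytes apart as on the slide) and reaches a different image in each. It assumes the length field is the only differing bytes (in the real files the difference sits inside the collision blocks) and uses a tagged SOS segment, with constructed tags IMAGE-1 and IMAGE-2, as a stand-in for real scan data.

```python
import struct

# JPEG markers used by the toy walker (real marker values).
SOI, COM, SOS, EOI = b"\xff\xd8", b"\xff\xfe", b"\xff\xda", b"\xff\xd9"
SHORT_LEN, LONG_LEN = 0x173, 0x17F   # comment lengths from the slide; 12 bytes apart

def segment(marker, payload):
    """Marker + big-endian length (counts itself, not the marker) + payload."""
    return marker + struct.pack(">H", len(payload) + 2) + payload

def build_suffix(tag1, tag2):
    """Constructed shared suffix: image 1, which carries a hidden comment header
    inside its own comment, followed by image 2 (tagged SOS stands in for scan data)."""
    img1_scan = segment(SOS, tag1)
    # Hidden comment: starts 12 bytes after image 1's comment marker, exactly where the
    # LONG_LEN parser lands, and its length swallows the rest of image 1 (scan + EOI).
    hidden = COM + struct.pack(">H", 2 + len(img1_scan) + len(EOI))
    image1 = segment(COM, bytes(8) + hidden) + img1_scan + EOI
    image2 = segment(SOS, tag2) + EOI
    return bytes(SHORT_LEN - 2) + image1 + image2   # padding fills the short comment

def build_file(comment_len, suffix):
    """SOI, comment marker, the length field the collision block controls, shared suffix."""
    return SOI + COM + struct.pack(">H", comment_len) + suffix

def first_image(data):
    """Minimal segment walker: skip marker segments until a scan (SOS) or EOI is reached."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 2 <= len(data):
        marker = data[pos:pos + 2]
        if marker == EOI:
            return None
        if marker[0] != 0xFF or pos + 4 > len(data):
            raise ValueError("parser desynchronised at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            return data[pos + 4:pos + 2 + length]   # tag identifying the image shown
        pos += 2 + length                             # skip COM and other segments
    return None

SUFFIX = build_suffix(b"IMAGE-1", b"IMAGE-2")
FILE_1 = build_file(SHORT_LEN, SUFFIX)
FILE_2 = build_file(LONG_LEN, SUFFIX)

if __name__ == "__main__":
    print(FILE_1[6:] == FILE_2[6:], first_image(FILE_1), first_image(FILE_2))
    # → True b'IMAGE-1' b'IMAGE-2'
```

Everything after the 6-byte header is byte-for-byte identical, which is why a detector has to look at the collision blocks themselves rather than at what the viewer renders.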
Transition plan slowly in the making
Counter-cryptanalysis:
- Leverage how collisions are created (the differences required for feasible attacks)
- Only requires one file to detect a collision
- Negligible false positives
- Trivial
Deployed in: GitHub.com, JGit, Git 2.12.2 (Mar 2017).
~4.45%
[Table fragment, constructions and security levels: MD 2^128; MD 2^128, 2^128; Sponge 2^128, 2^256; HAIFA.]
Conclusion: SHA-1 is dead, long live SHA-256 & SHA-3. Counter-cryptanalysis as a means of detection. Hash diversity as a safeguard for the years to come.