from collisions to chosen prefjx collisions
play

From Collisions to Chosen-Prefjx Collisions Application to Full - PowerPoint PPT Presentation

Sep 04, 2023 •555 likes •935 views

Introduction SHA-1 Cryptanalysis New chosen-prefjx collision techniques Conclusion From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gatan Leurent Thomas Peyrin Inria, France NTU, Singapour Eurocrypt 2019 Gatan

  1. Introduction SHA-1 Cryptanalysis New chosen-prefjx collision techniques Conclusion From Collisions to Chosen-Prefjx Collisions Application to Full SHA-1 Gaëtan Leurent Thomas Peyrin Inria, France NTU, Singapour Eurocrypt 2019 Gaëtan Leurent, Thomas Peyrin From Collisions to Chosen-Prefjx Collisions Eurocrypt 2019 1 / 21

  2. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 2 / 21 H n Hash functions Conclusion New chosen-prefjx collision techniques ▶ Hash function: public function { 0 , 1 } ∗ → { 0 , 1 } n ▶ Maps arbitrary-length message to fixed-length hash ▶ Hash function should behave like a random function ▶ Hard to find collisions, preimages ▶ Hash can be used as fingerprint, identifier ▶ Used in many difgerent contexts ▶ Signature: hash-and-sign ▶ MAC: hash-and-PRF ▶ Blockchain: Proof-of-work, …

  3. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin IV x 3 n x 2 m 2 n x 1 m 1 n x 0 m 0 n SHA-1 Conclusion New chosen-prefjx collision techniques 3 / 21 ▶ Designed by NSA: SHA-0 [1993], then SHA-1 [1995] ▶ Standardized by NIST, ISO, IETF, ... Widely used until quite recently ▶ State size: n = 160 ▶ Expected collision security 2 80 ▶ Iterative structure: Merkle-Damgård construction ▶ Block cipher-based compression function: Davies-Meyer H ( M )

  4. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin IV x 3 n x 2 m 2 n x 1 m 1 n x 0 m 0 n SHA-1 Conclusion New chosen-prefjx collision techniques 3 / 21 ▶ Designed by NSA: SHA-0 [1993], then SHA-1 [1995] ▶ Standardized by NIST, ISO, IETF, ... Widely used until quite recently ▶ State size: n = 160 ▶ Expected collision security 2 80 ▶ Iterative structure: Merkle-Damgård construction ▶ Block cipher-based compression function: Davies-Meyer H ( M )

  5. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 9ae6a4c80cadccbb7f0a 38762cf7f55934b34d17 SHA-1 = SHAttered attack: Colliding PDFs [Stevens & al., Crypto’17] [Stevens, Karpman & Peyrin, Crypto’15] 2015-10 Practical freestart collision (on GPU) [Stevens, EC’13] [Wang & al., Crypto’05] SHA-1 Cryptanalysis Conclusion New chosen-prefjx collision techniques 4 / 21 2005-02 Theoretical collision with 2 69 operations … Several unpublished collision attacks in the range 2 51 — 2 63 2010-11 Theoretical collision with 2 61 operations 2017-02 Practical collision with 2 64 . 7 operations (on GPU)

  6. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin SSL Certificate: [...] $ sslscan mail.sim.informatik.tu-darmstadt.de:993 5 / 21 Conclusion SHA-1 today New chosen-prefjx collision techniques ▶ Modern web browsers reject SHA-1 certificates since 2017 ▶ SHA-1 certificates still exists ▶ CAs still sell legacy SHA-1 certificates ▶ SHA-1 certificates still accepted by modern non-browser TLS clients ▶ Until a few week ago, a mailserver in TU Darmsdtat used a SHA-1 certificate ▶ Windows 10 “Mail” app connects without error Signature Algorithm: sha1WithRSAEncryption ▶ SHA-1 also used in Git, TLS 1.2 handshake, ...

  7. Introduction SHA-1 Cryptanalysis Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin SSL Certificate: [...] $ sslscan mail.sim.informatik.tu-darmstadt.de:993 5 / 21 Conclusion SHA-1 today New chosen-prefjx collision techniques ▶ Modern web browsers reject SHA-1 certificates since 2017 ▶ SHA-1 certificates still exists ▶ CAs still sell legacy SHA-1 certificates ▶ SHA-1 certificates still accepted by modern non-browser TLS clients ▶ Until a few week ago, a mailserver in TU Darmsdtat used a SHA-1 certificate ▶ Windows 10 “Mail” app connects without error Signature Algorithm: sha1WithRSAEncryption ▶ SHA-1 also used in Git, TLS 1.2 handshake, ...

  8. Introduction P Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin ” suffjx prefix SHA-1 Cryptanalysis S C 2 C 1 6 / 21 IV Adding prefjx and suffjx New chosen-prefjx collision techniques C 2 Conclusion Exploiting collisions Collision attack IV C 1 ▶ Start from IV ▶ Add identical prefix and suffjx using iterative structure ▶ C 1 and C 2 collide ▶ Usually same diffjculty (just a difgerent IV) ▶ Issue: C 1 and C 2 look random (not controlled) ▶ Solution: hide in some ignored sections of the file ( e.g. comment) ▶ Issue: collision is not meaningful ▶ Solution: many file formats ( e.g. PDF) allow conditional branches M 1 = “ if ( C 1 == C 1 ) { good } else { evil } ” M 2 = “ if ( 􏿆 􏿌􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿎 C 2 == C 1 ) { good } else { evil }

  9. Introduction P Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin ” suffjx prefix SHA-1 Cryptanalysis S C 2 C 1 6 / 21 IV Adding prefjx and suffjx New chosen-prefjx collision techniques C 2 Conclusion Exploiting collisions Collision attack IV C 1 ▶ Start from IV ▶ Add identical prefix and suffjx using iterative structure ▶ C 1 and C 2 collide ▶ Usually same diffjculty (just a difgerent IV) ▶ Issue: C 1 and C 2 look random (not controlled) ▶ Solution: hide in some ignored sections of the file ( e.g. comment) ▶ Issue: collision is not meaningful ▶ Solution: many file formats ( e.g. PDF) allow conditional branches M 1 = “ if ( C 1 == C 1 ) { good } else { evil } ” M 2 = “ if ( 􏿆 􏿌􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿍􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏻱􏿎 C 2 == C 1 ) { good } else { evil }

  10. Introduction Chosen-prefjx collision Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin [Bhargavan & L, NDSS’16] [Stevens & al, Crypto’09] S 2 C 2 1 C 1 P 2 P 1 IV SHA-1 Cryptanalysis 7 / 21 Identical-prefjx collision random collision blocks New chosen-prefjx collision techniques Conclusion S C 2 C 1 P Chosen-Prefjx Collisions IV [Stevens, Lenstra & de Weger, EC’07] ▶ Even with a prefix and prefix, many protocol seem unafgected by collision attacks ▶ Given IV, find M 1 ≠ M 2 s. t. ▶ Given P 1 , P 2 , find M 1 ≠ M 2 s. t. H ( M 1 ) = H ( M 2 ) H ( P 1 ‖ M 1 ) = H ( P 2 ‖ M 2 ) C ′ C ′ ▶ Arbitrary common prefix/suffjx, ▶ Breaks certificates ▶ Breaks integrity verification ▶ Breaks TLS, IKE, SSH ▶ Breaks signatures (in theory)

  11. Introduction Chosen-prefjx collision Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin [Bhargavan & L, NDSS’16] [Stevens & al, Crypto’09] S 2 C 2 1 C 1 P 2 P 1 IV SHA-1 Cryptanalysis 7 / 21 Identical-prefjx collision random collision blocks New chosen-prefjx collision techniques Conclusion S C 2 C 1 P Chosen-Prefjx Collisions IV [Stevens, Lenstra & de Weger, EC’07] ▶ Even with a prefix and prefix, many protocol seem unafgected by collision attacks ▶ Given IV, find M 1 ≠ M 2 s. t. ▶ Given P 1 , P 2 , find M 1 ≠ M 2 s. t. H ( M 1 ) = H ( M 2 ) H ( P 1 ‖ M 1 ) = H ( P 2 ‖ M 2 ) C ′ C ′ ▶ Arbitrary common prefix/suffjx, ▶ Breaks certificates ▶ Breaks integrity verification ▶ Breaks TLS, IKE, SSH ▶ Breaks signatures (in theory)

  12. Introduction koT02UA3eW6q Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 3 Bob copies the signature to k A , impersonates Alice 2 Bob asks CA to certify his key k B Impersonation attack SHA-1 Cryptanalysis PKI Infrastructure IWFEWrrnxkK8 q5q9Hq09Tp5R The public [Stevens, Lenstra & de Weger, EC’07] Attacking key certifjcation Conclusion New chosen-prefjx collision techniques 8 / 21 key of Alice is: 1 Bob creates keys s.t. H ( Alice || k A ) = H ( Bob || k B ) ▶ Alice generates key ▶ Ask PKI to sign ▶ Certificate proves ID

  13. Introduction koT02UA3eW6q Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 3 Bob copies the signature to k A , impersonates Alice 2 Bob asks CA to certify his key k B Impersonation attack SHA-1 Cryptanalysis PKI Infrastructure IWFEWrrnxkK8 q5q9Hq09Tp5R The public [Stevens, Lenstra & de Weger, EC’07] Attacking key certifjcation Conclusion New chosen-prefjx collision techniques 8 / 21 key of Alice is: 1 Bob creates keys s.t. H ( Alice || k A ) = H ( Bob || k B ) ▶ Alice generates key ▶ Ask PKI to sign ▶ Certificate proves ID

  14. Introduction YRfYal4ZFmiY Eurocrypt 2019 From Collisions to Chosen-Prefjx Collisions Gaëtan Leurent, Thomas Peyrin 3 Bob copies the signature to k A , impersonates Alice 2 Bob asks CA to certify his key k B Impersonation attack PKI Infrastructure collision prefix SHA-1 Cryptanalysis E7OhkirqNyfm 7+zvZNcjdxXx The public New chosen-prefjx collision techniques Conclusion Attacking key certifjcation [Stevens, Lenstra & de Weger, EC’07] 8 / 21 seJ+L6NRaT49 ZOt226BvLIO5 OE6p9TY2sW74 The public key of Alice is: key of Bob is: 1 Bob creates keys s.t. H ( Alice || k A ) = H ( Bob || k B ) ▶ Alice generates key ▶ Ask PKI to sign ▶ Certificate proves ID

Recommend

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR

Excess of J/ y yield at very low p T in Au+Au collisions at = 200 GeV and U+U collisions at = 193 GeV with STAR Wangmei Zha for the STAR Collaboration University of Science and Technology of China W. Zha etal.,

487 views • 22 slides
first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already

first PbPb collisions at LHC at s = 2.76 A TeV setup for ion collisions: November 4 already in Dec 2010 first collisions with stable beams: 5 publications in PRL and PLB November 8 until Dec 6 Johanna Stachel Heavy ion running at the LHC

615 views • 60 slides
Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion

Phenomenology of heavy-ion collisions How can one characterize what is created in a heavy-ion collision? Focus on collective phenomena present in nucleus-nucleus collisions, but absent in pp collisions (condensed matter physics of

879 views • 23 slides
MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive

12/9/15 MACAW IEEE 802.11 Standard 29 Reducing Cost of Collisions q Collisions are expensive How to reduce their cost? q Reserve the wireless channel before transmitting data Send short control packets for

237 views • 7 slides
MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com Black Hat USA 2009 - July 30, 2009 Agenda MD5 on GPUs Dec 2008: rogue CA certificate on PS3 cluster MD5 birthday search Results &

516 views • 19 slides
MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com

MD5 Chosen-Prefix Collisions on GPUs Marc Bevand m.bevand@gmail.com marc.bevand@rapid7.com Agenda MD5 on GPUs Dec 2008: rogue CA certificate on PS3 cluster MD5 birthday search Results & performance MD5 on GPUs MD5 is

448 views • 18 slides
Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re-

Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re-

Di Di-electron production in dp collisions at E kin kin =2.5 .5 GeV Jacek Biernat 2004 HADES re- measures C+C collisions 2003 N+N and pi-N collisions in HADES Phys. Lett B 750, 12 (2015) What have we learnt from inclusive spectra p p X e+

505 views • 24 slides
On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes (1) Let ( m , S ) be a message and its signature.

On Key -collisions in (EC)DSA Schemes CRYPTO 2002 Rump Session Tom Rosa tomas.rosa@i.cz, http://crypto.hyperlink.cz ICZ, a.s. Dept. of Computer Science, CTU in Prague CZECH REPUBLIC On Key -collisions in (EC)DSA Schemes (1) Let ( m

519 views • 5 slides
Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane

Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane

GGI, 18.04.2019 Transplanckian collisions of particles, strings and branes: results & challenges Gabriele Veneziano Outline I: String (p.particle) collisions (1987->) II: String-brane collisions (2010->) III: Gravitational

883 views • 67 slides
Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron

Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron

Electron-Molecule Collision Calculations on Vector and MPP Systems Carl Winstead Vincent McKoy Cray site: Work supported by Electron-molecule collisions in plasmas Elastic collisions affect electron transport and energy deposition

365 views • 23 slides
SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of

The SHA-1 Hash Function Chosen-prefix Collisions Our Results Conclusion Extra Materials SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust Ga etan Leurent (INRIA - France) Thomas Peyrin (NTU

650 views • 29 slides
Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy

Outline Attack Conclusion ECHO-256 Practical Near-Collisions and Collisions on Reduced-Round ECHO-256 Compression Function Jrmy Jean and Pierre-Alain Fouque Ecole Normale Suprieure FSE2011 February 14, 2011 FSE2011 Jrmy

562 views • 42 slides
Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation

Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation

Unit 5: More Collisions 3D Modelling & Animation Module F21MA Unit5: More Collisions Mike Chantler, 31/8/2008 See Peters ActionScript 3.0 Animation Unit contents Detecting collisions Springing off a fixed ball

460 views • 23 slides
October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and

Florida Public Transportation Association Annual Conference Florida Transit Safety Network October 2013 Show national trends in total Motorbus collisions, rear-ended collisions, and rear- ending collisions Show Florida transit Motorbus

443 views • 43 slides
Common Trends in Wildlife-Vehicle Collisions 89 percent of wildlife-vehicle collisions (WVCs)

Common Trends in Wildlife-Vehicle Collisions 89 percent of wildlife-vehicle collisions (WVCs)

Wildlife-vehicle Collision Mitigation in New Mexico Jim Hirsch Environmental Bureau - NMDOT Common Trends in Wildlife-Vehicle Collisions 89 percent of wildlife-vehicle collisions (WVCs) occur on two-lane low-volume roads. WVCs occur

201 views • 16 slides
Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions

Introduction to Quantum Collision Theory Pierre Capel 16 July 2015 1 / 30 Quantum Collisions Quantum Collisions Quantum collisions used to study the interaction between particles/nuclei/atoms. . . analyse the structure of

651 views • 30 slides
Simulations of BH Collisions in AdS Spacetimes Paul Romatschke CU Boulder & CTQM & JET

Simulations of BH Collisions in AdS Spacetimes Paul Romatschke CU Boulder & CTQM & JET

Simulations of BH Collisions in AdS Spacetimes Paul Romatschke CU Boulder & CTQM & JET Collaboration Based on arXiv: 1410.4799 with Hans Ban8lan Outline Motivation Simulating BH Collisions

898 views • 69 slides
Dynamical description of heavy-ion collisions Elena Bratkovskaya (GSI, Darmstadt & Uni.

Dynamical description of heavy-ion collisions Elena Bratkovskaya (GSI, Darmstadt & Uni.

Dynamical description of heavy-ion collisions Elena Bratkovskaya (GSI, Darmstadt & Uni. Frankfurt) for the PHSD group COST Workshop on Interplay of hard and soft QCD probes for collectivity in heavy-ion collisions 25 February - 1 March

532 views • 36 slides
The ATLAS tracker upgrade towards the SLHC era 5 Collisions (0.2 x 10 34 cm -2 s -1 ) 400

The ATLAS tracker upgrade towards the SLHC era 5 Collisions (0.2 x 10 34 cm -2 s -1 ) 400

The ATLAS tracker upgrade towards the SLHC era 5 Collisions (0.2 x 10 34 cm -2 s -1 ) 400 Collisions (10 35 cm -2 s -1 ) G.Calderini (LPNHE, Paris) on behalf of the French Laboratories working for this effort Why working now for the upgrade?

638 views • 27 slides
Jet production in ultra-peripheral collisions with Pythia 8 COST workshop on collectivity in

Jet production in ultra-peripheral collisions with Pythia 8 COST workshop on collectivity in

Jet production in ultra-peripheral collisions with Pythia 8 COST workshop on collectivity in heavy-ion collisions Ilkka Helenius February 28th, 2019 In collaboration with Christine O. Rasmussen and Torbjrn Sjstrand Outline Motivation

493 views • 32 slides
Charmed hadrons from heavy ion collisions Hadron Interactions and Polarizations from Lattice QCD,

Charmed hadrons from heavy ion collisions Hadron Interactions and Polarizations from Lattice QCD,

Charmed hadrons from heavy ion collisions Hadron Interactions and Polarizations from Lattice QCD, Quark Model, and heavy ion collisions March 26 th 2019 Yukawa Institute for Theoretial Physics, Kyoto University Sungtae Cho Kangwon National

492 views • 24 slides
Space-time picture and bulk observables in relativistic heavy ion collisions (HydroKinetic

Space-time picture and bulk observables in relativistic heavy ion collisions (HydroKinetic

Space-time picture and bulk observables in relativistic heavy ion collisions (HydroKinetic approach) Yu.M. Sinyukov (BI TP, Kiev) Seminar BLTP 6 June , 201 019 The stages of the matter evolution in A+A collisions The initial huge kinetic

893 views • 85 slides
Measurements of jets in heavy ion collisions Christine Nattrass 1 , 1 University of Tennessee,

Measurements of jets in heavy ion collisions Christine Nattrass 1 , 1 University of Tennessee,

Measurements of jets in heavy ion collisions Christine Nattrass 1 , 1 University of Tennessee, Knoxville, TN, USA-37996 Abstract. The Quark Gluon Plasma (QGP) is created in high energy heavy ion collisions at the Relativistic Heavy Ion Collider

302 views • 6 slides
Quarkonium production in p A and d A collisions Patrick Robbe, LAL Orsay, for the ALICE, ATLAS,

Quarkonium production in p A and d A collisions Patrick Robbe, LAL Orsay, for the ALICE, ATLAS,

Quarkonium production in p A and d A collisions Patrick Robbe, LAL Orsay, for the ALICE, ATLAS, CMS, LHCb, PHENIX, STAR Collaborations, 24 May 2018 Study of quarkonium in p ( d )A collisions Quarkonium states reconstructed in di-lepton

966 views • 24 slides

More recommend