Message Authentication using Message Digests and the MD5 Algorithm
Message authentication is important where undetected manipulation of messages can have disastrous effects.

• Examples include Internet Commerce and Network Management.
• A hash function H is a transformation that takes an input m and returns a fixed-size string, called the hash value h (that is, h = H(m)).
• Hash functions with just this property have a variety of general computational uses, but when employed in cryptography they are usually chosen to have some additional properties.

• The basic requirements for a cryptographic hash function are as follows.
  ◦ The input can be of any length.
  ◦ The output has a fixed length.
  ◦ H(x) is relatively easy to compute for any given x.
  ◦ H(x) is one-way.
  ◦ H(x) is collision-free.

• A hash function H is said to be one-way if it is hard to invert, where "hard to invert" means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h.

• The hash value concisely represents the longer message or document from which it was computed; this value is called the message digest.
• One can think of a message digest as a "digital fingerprint" of the larger document.
• Examples of well-known hash functions are MD2, MD5 and SHA.
• Damgård and Merkle greatly influenced cryptographic hash function design by defining a hash function in terms of what is called a compression function.
• A compression function takes a fixed-length input and returns a shorter, fixed-length output.
• Given a compression function, a hash function can be defined by repeated application of the compression function until the entire message has been processed.

• In this process, a message of arbitrary length is broken into blocks whose length depends on the compression function, and "padded" (for security reasons) so that the size of the message is a multiple of the block size. The blocks are then processed sequentially, taking as input the result of the hash so far and the current message block, with the final output being the hash value for the message.
• The following five steps are performed to compute the message digest of the message.
  Step 1. Append Padding Bits
  Step 2. Append Length
  Step 3. Initialize MD Buffer
  Step 4. Process Message in 16-Word Blocks
  Step 5. Output

Step 1. Append Padding Bits
• The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512.
• Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.

Step 2. Append Length
• A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, only the low-order 64 bits of b are used. (These bits are appended as two 32-bit words, low-order word first, in accordance with the previous conventions.)
Step 3. Initialize MD Buffer
• A four-word buffer (A, B, C, D) is used to compute the message digest.
• Here each of A, B, C, D is a 32-bit register.
• These registers are initialized to fixed values, given in hexadecimal, low-order bytes first (the values appear on an image-only slide that is not reproduced here).

Step 4. Process Message in 16-Word Blocks
• The functions G, H, and I are similar to the function F, in that they act in "bitwise parallel" to produce their output from the bits of X, Y, and Z, in such a manner that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that the function H is the bit-wise "xor" or "parity" function of its inputs.

• This step uses a 64-element table T[1 ... 64] constructed from the sine function. Let T[i] denote the i-th element of the table, which is equal to the integer part of 4294967296 times abs(sin(i)), where i is in radians. The elements of the table are given on the following slide (an image-only slide not reproduced here).
Step 5. Output
• The message digest produced as output is A, B, C, D.
• That is, we begin with the low-order byte of A, and end with the high-order byte of D.
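The five steps above carried through in working code, as an added example that is not part of the original slides: padding (step 1), the 64-bit length (step 2), the buffer initialisation (step 3), the 16-word block processing with F, G, H, I and the sine table (step 4) and the little-endian output (step 5). It also makes the Merkle-Damgård chaining described earlier visible: each block's result is added into the running state. The initial register values and per-round rotation amounts, which are only on image slides here, are the constants from RFC 1321; the hashlib cross-check confirms that the result agrees with the standard library.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Step 3 constants (RFC 1321): initial buffer A, B, C, D as 32-bit words
INIT_STATE = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

# Step 4: per-operation left-rotation amounts, four rounds of sixteen operations
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4

# Step 4: T[i] = integer part of 4294967296 * |sin(i)| for i = 1..64 (i in radians)
T = [int(abs(math.sin(i)) * 4294967296) & MASK32 for i in range(1, 65)]


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_pad(message: bytes) -> bytes:
    """Steps 1 and 2: append a single 1 bit (0x80), then 0 bits until the length is
    congruent to 448 mod 512, then the original bit length as a 64-bit little-endian word."""
    bit_length = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF  # low-order 64 bits of b
    padded = message + b"\x80"                            # padding is always performed
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)    # 1 to 64 bytes of padding in all
    return padded + struct.pack("<Q", bit_length)


def md5_compress(state, block: bytes):
    """Step 4: one application of the compression function to a 16-word (64-byte) block."""
    M = struct.unpack("<16I", block)                       # sixteen little-endian words
    A, B, C, D = state
    for i in range(64):
        if i < 16:                      # F(X,Y,Z) = XY v not(X) Z
            f, g = (B & C) | (~B & MASK32 & D), i
        elif i < 32:                    # G(X,Y,Z) = XZ v Y not(Z)
            f, g = (D & B) | (~D & MASK32 & C), (5 * i + 1) % 16
        elif i < 48:                    # H(X,Y,Z) = X xor Y xor Z (the parity function)
            f, g = B ^ C ^ D, (3 * i + 5) % 16
        else:                           # I(X,Y,Z) = Y xor (X v not(Z))
            f, g = C ^ (B | (~D & MASK32)), (7 * i) % 16
        f = (f + A + T[i] + M[g]) & MASK32
        A, D, C, B = D, C, B, (B + rotl32(f, S[i])) & MASK32
    # Merkle-Damgard chaining: add this block's result into the running state
    return tuple((s + v) & MASK32 for s, v in zip(state, (A, B, C, D)))


def md5_hex(message: bytes) -> str:
    """Steps 1 to 5 end to end; the digest as 32 hex characters, low-order byte of A first."""
    state = INIT_STATE
    padded = md5_pad(message)
    for offset in range(0, len(padded), 64):
        state = md5_compress(state, padded[offset:offset + 64])
    return struct.pack("<4I", *state).hex()                # Step 5: output A, B, C, D


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library's MD5."""
    return md5_hex(message) == hashlib.md5(message).hexdigest()


if __name__ == "__main__":
    # 55, 56 and 64 bytes exercise the padding boundary: 56 bytes needs a second block
    for msg in (b"", b"abc", b"x" * 55, b"x" * 56, b"x" * 64):
        print(len(msg), md5_hex(msg), matches_hashlib(msg))
```

The two boundary inputs are the ones worth looking at: a 55-byte message pads to exactly one 64-byte block, while a 56-byte message is already congruent to 448 mod 512 and still receives the mandatory 0x80 byte, so it spills into a second block.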
• MD4
• SHA-1
• RIPEMD-160
• 2004: First MD5 collision attack
  ◦ Only difference between messages is in random-looking 128 collision bytes
  ◦ Currently < 1 second on a PC

  MD5( [file 1] ) = MD5( [file 2] )   (the two colliding files are shown as images on the slide)

• Attack scenarios
  ◦ Generate specific collision blocks
  ◦ Use document format IF…THEN…ELSE
  ◦ Both payloads present in both files
  ◦ Colliding PostScript files with different contents
  ◦ Similar examples with other formats: DOC, PDF
  ◦ Colliding executables with different execution flows

• 2007: Stronger collision attack
  ◦ Chosen-prefix collisions
  ◦ Messages can differ freely up to the random-looking 716 collision bytes
  ◦ Currently approx. 1 day on PS3+PC

  MD5( [file 1] ) = MD5( [file 2] )   (again shown as images on the slide)

• Second generation attack scenarios
  ◦ Using chosen-prefix collisions
  ◦ No IF…THEN…ELSE necessary
    ▪ Each file contains a single payload instead of both
    ▪ Collision blocks not actively used in the format
  ◦ Colliding executables
    ▪ Malicious payload cannot be scanned in the harmless executable
  ◦ Colliding documents (PDF, DOC, …)
    ▪ Collision blocks put inside hidden raw image data
• Certificates with colliding to-be-signed parts
  ◦ generate a pair of certificates
  ◦ sign the legitimate certificate
  ◦ copy the signature into the rogue cert
• Previous work
  ◦ Different RSA public keys in 2005
    ▪ using the 2004 collision attack
  ◦ Different identities in 2006
    ▪ using chosen-prefix collisions
    ▪ the theory has been well known since 2007

Layout of the two certificates (the diagram on the slide, rendered as a table):

  real cert                    | region                          | rogue cert
  -----------------------------+---------------------------------+-----------------------------------
  serial number (set by the CA)| chosen prefix (difference)      | serial number
  validity period (set by CA)  |                                 | validity period
  real cert domain name        |                                 | rogue cert domain name
  real cert RSA key            | collision bits (computed)       | real cert RSA key
  X.509 extensions             | identical bytes                 | X.509 extensions
                               |   (copied from real cert)       |
  signature                    |                                 | signature
• We collected 30,000 website certificates
  ◦ 9,000 of them were signed with MD5
  ◦ 97% of those were issued by RapidSSL
• CAs still using MD5 in 2008:
  ◦ RapidSSL
  ◦ FreeSSL
  ◦ TrustCenter
  ◦ RSA Data Security
  ◦ Thawte
  ◦ verisign.co.jp

• RapidSSL uses a fully automated system
• The certificate is issued exactly 6 seconds after we click the button and expires in one year.

• RapidSSL uses sequential serial numbers:

  Nov 3 07:42:02 2008 GMT   643004
  Nov 3 07:43:02 2008 GMT   643005
  Nov 3 07:44:08 2008 GMT   643006
  Nov 3 07:45:02 2008 GMT   643007
  Nov 3 07:46:02 2008 GMT   643008
  Nov 3 07:47:03 2008 GMT   643009
  Nov 3 07:48:02 2008 GMT   643010
  Nov 3 07:49:02 2008 GMT   643011
  Nov 3 07:50:02 2008 GMT   643012
  Nov 3 07:51:12 2008 GMT   643013
  Nov 3 07:51:29 2008 GMT   643014
  Nov 3 07:52:02 2008 GMT   ?

• Remote counter
  ◦ increases only when people buy certs
  ◦ we can do a query-and-increment operation at the cost of buying one certificate
• Cost
  ◦ $69 for a new certificate
  ◦ renewals are only $45
  ◦ up to 20 free reissues of a certificate
  ◦ $2.25 per query-and-increment operation
1. Get the serial number S on Friday
2. Predict the value for time T on Sunday to be S+1000
3. Generate the collision bits
4. Shortly before time T, buy enough certs to increment the counter to S+999
5. Send the colliding request at time T and get serial number S+1000

• Based on the 2007 chosen-prefix collisions paper, with new improvements
• 1-2 days on a cluster of 200 PlayStation 3's
• Equivalent to 8000 desktop CPU cores or $20,000 on Amazon EC2
Layout of the real certificate next to the rogue CA certificate (the diagram on the slide, rendered as a table):

  real cert                | region                          | rogue CA cert
  -------------------------+---------------------------------+--------------------------------------
  serial number            | chosen prefix (difference)      | rogue CA RSA key
  validity period          |                                 | rogue CA X.509 extensions (CA bit!)
  real cert domain name    |                                 |
  real cert RSA key        | collision bits (computed)       | Netscape Comment Extension
  X.509 extensions         | identical bytes                 |   (contents ignored by browsers)
                           |   (copied from real cert)       |
  signature                |                                 | signature
• 3 failed attempts
  ◦ problems with timing
  ◦ other CA requests stealing our serial number
• Finally success on the 4th attempt!
• Total cost of certificates: USD $657

Part IV
• We can sign fully trusted certificates
• Perfect man-in-the-middle attacks
• A malicious attacker can pick a more realistic CA name and fool even experts
• MITM requires connection hijacking:
  ◦ Insecure wireless networks
  ◦ ARP spoofing
  ◦ Proxy autodiscovery
  ◦ DNS spoofing
  ◦ Owning routers
Part V
• We're not releasing the private key
• Our CA cert was backdated to Aug 2004
  ◦ just for demo purposes; a real malicious attacker can get a cert that never expires
• Browser vendors can blacklist our cert
  ◦ we notified them in advance
• Users might be able to blacklist our cert

• Our CA cert is not easily revocable!
  ◦ CRL and OCSP get the revocation URL from the cert itself
  ◦ Our cert contains no such URL
  ◦ Revocation checking is disabled in Firefox 2 and IE6 anyway
• Possible fixes: large organizations can set up their own custom OCSP server and force OCSP revocation checking.

• Extended Validation (EV) certs:
  ◦ supported by all major browsers
  ◦ EV CAs are not allowed to use MD5
  ◦ safe against this attack
• Do users really know how to tell the difference between EV and regular certs?

• With optimizations the attack might be done for $2000 on Amazon EC2 in 1 day
• We want to prevent malicious entities from repeating the attack:
  ◦ We are not releasing our collision-finding implementation or improved methods until we feel it's safe
  ◦ We've talked to the affected CAs: they will switch to SHA-1 very, very soon
• No way to tell.
  ◦ The theory has been public since 2007
  ◦ Our legitimate certificate is completely innocuous; the collision bits are hidden in the RSA key, but they look random
• Can we still trust CA certs that have been used to sign anything with MD5 in the last few years?
  ◦ We need defense in depth
    ▪ random serial numbers
    ▪ random delay when signing certs
  ◦ Future challenges:
    ▪ second preimage against MD5
    ▪ collisions in SHA-1
  ◦ Dropping support for a broken crypto primitive is very hard in practice
    ▪ but crypto can be broken overnight
    ▪ what do we do if SHA-1 or RSA falls tomorrow?
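The defender's side of the certificate material above, as an added example that is not from the presentation: a small scanner that pulls the serial number and signature algorithm out of DER certificates and reports the two conditions the rogue CA construction depended on, a collision-prone signature hash (the "CAs still using MD5" survey) and predictable serial numbers (the sequential RapidSSL serials and the "random serial numbers" defense). The DER reader only walks the leading TBS fields, so it works on real certificates as well; the tiny DER encoder, the sample certificate builder, the control batch and the 64-bit and 16-step thresholds are this example's own assumptions, while the OIDs are the standard PKCS #1 signature-algorithm identifiers.

```python
# OIDs of the signatureAlgorithm values this scanner understands (dotted form)
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
COLLISION_PRONE = {"1.2.840.113549.1.1.2", "1.2.840.113549.1.1.4"}


# --- tiny DER encoder, used only to construct the sample certificates below ---
def der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def der_int(value: int) -> bytes:
    # one spare bit keeps the two's-complement encoding positive
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                                  # base-128, high bit = more
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_sample_cert(serial: int, sig_oid: str) -> bytes:
    """Constructed sample: a DER Certificate whose TBS carries only version, serial number
    and signature algorithm. Not a valid certificate, just enough for the scanner."""
    version = der(0xA0, der_int(2))                           # [0] EXPLICIT version (v3)
    algorithm = der(0x30, der_oid(sig_oid) + b"\x05\x00")     # AlgorithmIdentifier, NULL params
    tbs = der(0x30, version + der_int(serial) + algorithm)
    signature = der(0x03, b"\x00" + b"\xAA" * 16)             # placeholder BIT STRING
    return der(0x30, tbs + algorithm + signature)


# --- minimal DER reader: enough to pull serial and signature algorithm out of any cert ---
def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                         # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def certificate_head(cert_der: bytes):
    """Return (serial number, signature algorithm OID) from the leading TBS fields."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, body, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                           # version is optional
        tag, body, pos = read_tlv(tbs, pos)
    serial = int.from_bytes(body, "big", signed=True)
    _, algorithm, _ = read_tlv(tbs, pos)
    _, oid, _ = read_tlv(algorithm, 0)
    return serial, decode_oid(oid)


def audit_batch(certs, max_step=16, min_serial_bits=64):
    """Flag the two weaknesses the rogue-CA attack relied on: a collision-prone signature
    hash and predictable serial numbers. The thresholds are this example's own choices."""
    findings, serials = [], []
    for cert in certs:
        serial, oid = certificate_head(cert)
        serials.append(serial)
        if oid in COLLISION_PRONE:
            findings.append(f"serial {serial}: signed with {SIG_ALG_NAMES.get(oid, oid)}")
        if serial.bit_length() < min_serial_bits:
            findings.append(f"serial {serial}: only {serial.bit_length()} bits, too short to be unpredictable")
    ordered = sorted(serials)
    if len(ordered) >= 3 and all(0 < b - a <= max_step for a, b in zip(ordered, ordered[1:])):
        findings.append("serial numbers form a sequence: the next one can be predicted")
    return findings


# Constructed batches: the sequential MD5-signed serials from the slide, and a control
# batch with 64-bit random-looking serials under sha256WithRSAEncryption.
MD5_BATCH = [build_sample_cert(s, "1.2.840.113549.1.1.4") for s in range(643004, 643015)]
CONTROL_BATCH = [build_sample_cert(s, "1.2.840.113549.1.1.11")
                 for s in (0xAF3A9C1D8E724B06, 0x9B0E44C2A71F3D58, 0xC27D1E9A4B60F3AF)]

if __name__ == "__main__":
    for line in audit_batch(MD5_BATCH) + audit_batch(CONTROL_BATCH):
        print(line)
```

Run against the constructed MD5 batch, every certificate is reported for its md5WithRSAEncryption signature and for a 20-bit serial, and the batch as a whole is reported as sequential; the control batch produces no findings. On a real corpus you would feed `certificate_head` the DER bytes of each certificate and group the serials by issuer before calling `audit_batch`.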
Part VI
• No need to panic, the Internet is not completely broken
• The affected CAs are switching to SHA-1
• Making the theoretical possible is sometimes the only way you can effect change and secure the Internet
Message Authentication using Message Digests and the MD5 Algorithm

  • 1. Message authentication is important where undetected manipulation of messages can have disastrous effects. 1
  • 2. Message authentication is important where undetected manipulation of messages can have disastrous effects.  Examples include Internet Commerce and Network Management. 2
  • 3. 3
  • 4. 4
  • 5. 5
  • 6. 6
  • 7. A hash function H is a transformation that takes an input m and returns a fixed-size string, which is called the hash value h (that is, h = H(m)).  Hash functions with just this property have a variety of general computational uses, but when employed in cryptography, the hash functions are usually chosen to have some additional properties. 7
  • 8. The basic requirements for a cryptographic hash function are as follows. ◦ The input can be of any length. ◦ The output has a fixed length. ◦ H(x) is relatively easy to compute for any given x. ◦ H(x) is one-way. ◦ H(x) is collision-free. 8
  • 9. A hash function H is said to be one-way if it is hard to invert, where ``hard to invert'' means that given a hash value h, it is computationally infeasible to find some input x such that H(x) = h. 9
  • 10. The hash value represents concisely the longer message or document from which it was computed; this value is called the message digest.  One can think of a message digest as a ``digital fingerprint'' of the larger document.  Examples of well known hash functions are MD2 and MD5 and SHA 10
  • 11. Damgard and Merkle greatly influenced cryptographic hash function design by defining a hash function in terms of what is called a compression function.  A compression function takes a fixed-length input and returns a shorter, fixed-length output.  Given a compression function, a hash function can be defined by repeated applications of the compression function until the entire message has been processed. 11
  • 12. In this process, a message of arbitrary length is broken into blocks whose length depends on the compression function, and “padded” (for security reasons) so the size of the message is a multiple of the block size. The blocks are then processed sequentially, taking as input the result of the hash so far and the current message block, with the final output being the hash value for the message. 12
  • 13. The following five steps are performed to compute the message digest of the message.  Step 1. Append Padding Bits  Step 2. Append Length  Step 3. Initialize MD Buffer  Step 4. Process Message in 16-Word Blocks  Step 5. Output 13
  • 14. The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits shy of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512.  Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended. 14
  • 15. A 64-bit representation of b (the length of the message before the padding bits were added) is appended to the result of the previous step. In the unlikely event that b is greater than 2^64, then only the low-order 64 bits of b are used. (These bits are appended as two 32-bit words and appended low-order word first in accordance with the previous conventions.) 15
  • 16. A four-word buffer (A,B,C,D) is used to compute the message digest.  Here each of A, B, C, D is a 32-bit register.  These registers are initialized to the following values in hexadecimal, low- order bytes first): 16
  • 17. 17
  • 18. 18
  • 19. 19
  • 20. 20
  • 21. 21
  • 22. 22
  • 23. The functions G, H, and I are similar to the function F, in that they act in "bitwise parallel" to produce their output from the bits of X, Y, and Z, in such a manner that if the corresponding bits of X, Y, and Z are independent and unbiased, then each bit of G(X,Y,Z), H(X,Y,Z), and I(X,Y,Z) will be independent and unbiased. Note that the function H is the bit-wise "xor" or "parity" function of its inputs. 23
  • 24. This step uses a 64-element table T[1 ... 64] constructed from the sine function. Let T[i] denote the i-th element of the table, which is equal to the integer part of 4294967296 times abs(sin(i)), where i is in radians. The elements of the table are given in the following slide. 24
  • 25. 25
  • 26. The message digest produced as output is A, B, C, D.  That is, we begin with the low-order byte of A, and end with the high-order byte of D. 26
  • 27. MD4  SHA-1  RIPEMD-160 27
  • 28. 28
  • 29. 29
• 30. 2004: First MD5 collision attack
    ◦ Only difference between messages is in random-looking 128 collision bytes
    ◦ Currently < 1 second on PC
    MD5( ) = MD5( )
• 31. Attack scenarios
    ◦ Generate specific collision blocks
    ◦ Use document format IF…THEN…ELSE
    ◦ Both payloads present in both files
    ◦ Colliding PostScript files with different contents
    ◦ Similar examples with other formats: DOC, PDF
    ◦ Colliding executables with different execution flows
• 32. 2007: Stronger collision attack
    ◦ Chosen-prefix collisions
    ◦ Messages can differ freely up to the random-looking 716 collision bytes
    ◦ Currently approx. 1 day on PS3+PC
    MD5( ) = MD5( )
• 33. Second generation attack scenarios
    ◦ Using chosen-prefix collisions
    ◦ No IF…THEN…ELSE necessary
        ▪ Each file contains a single payload instead of both
        ▪ Collision blocks not actively used in the format
    ◦ Colliding executables
        ▪ Malicious payload cannot be scanned in the harmless executable
    ◦ Colliding documents (PDF, DOC, …)
        ▪ Collision blocks put inside hidden raw image data
• 34. Certificates with colliding to-be-signed parts
    ◦ generate a pair of certificates
    ◦ sign the legitimate certificate
    ◦ copy the signature into the rogue cert
  Previous work
    ◦ Different RSA public keys in 2005
        ▪ using the 2004 collision attack
    ◦ Different identities in 2006
        ▪ using chosen-prefix collisions
        ▪ the theory is well known since 2007
• 35. Layout of the colliding certificate pair (the two to-be-signed parts collide under MD5):
    field              real cert / rogue cert    annotation
    serial number      set by the CA             chosen prefix (difference)
    validity period    set by the CA             chosen prefix (difference)
    domain name        differs                   chosen prefix (difference)
    RSA key            differs                   collision bits (computed)
    X.509 extensions   identical bytes           copied from real cert
    signature          identical bytes           copied from real cert
• 36. ◦ We collected 30,000 website certificates
        ▪ 9,000 of them were signed with MD5
        ▪ 97% of those were issued by RapidSSL
    ◦ CAs still using MD5 in 2008:
        ▪ RapidSSL
        ▪ FreeSSL
        ▪ TrustCenter
        ▪ RSA Data Security
        ▪ Thawte
        ▪ verisign.co.jp
• 37. ◦ RapidSSL uses a fully automated system
    ◦ The certificate is issued exactly 6 seconds after we click the button and expires in one year.
• 38. RapidSSL uses sequential serial numbers:
    Nov 3 07:42:02 2008 GMT  643004
    Nov 3 07:43:02 2008 GMT  643005
    Nov 3 07:44:08 2008 GMT  643006
    Nov 3 07:45:02 2008 GMT  643007
    Nov 3 07:46:02 2008 GMT  643008
    Nov 3 07:47:03 2008 GMT  643009
    Nov 3 07:48:02 2008 GMT  643010
    Nov 3 07:49:02 2008 GMT  643011
    Nov 3 07:50:02 2008 GMT  643012
    Nov 3 07:51:12 2008 GMT  643013
    Nov 3 07:51:29 2008 GMT  643014
    Nov 3 07:52:02 2008 GMT  ?
• 39. ◦ Remote counter
        ▪ increases only when people buy certs
        ▪ we can do a query-and-increment operation at the cost of buying one certificate
    ◦ Cost
        ▪ $69 for a new certificate
        ▪ renewals are only $45
        ▪ up to 20 free reissues of a certificate
        ▪ $2.25/query-and-increment operation
• 41. 1. Get the serial number S on Friday
    2. Predict the value for time T on Sunday to be S+1000
    3. Generate the collision bits
    4. Shortly before time T, buy enough certs to increment the counter to S+999
    5. Send the colliding request at time T and get serial number S+1000
• 42. Based on the 2007 chosen-prefix collisions paper with new improvements
    ◦ 1-2 days on a cluster of 200 PlayStation 3’s
    ◦ Equivalent to 8000 desktop CPU cores or $20,000 on Amazon EC2
• 43. Real cert versus rogue CA cert (the two to-be-signed parts collide under MD5):
    real cert: serial number, validity period, domain name, RSA key (collision bits, computed), X.509 extensions, signature
    rogue CA cert: serial number, validity period, rogue CA name, rogue CA RSA key, X.509 extensions (CA bit!), Netscape Comment Extension (contents ignored by browsers), signature
    chosen prefix (difference): the fields preceding the collision bits
    identical bytes (copied from real cert): the bytes following the collision bits, including the signature
• 44. ◦ 3 failed attempts
        ▪ problems with timing
        ▪ other CA requests stealing our serial number
    ◦ Finally success on the 4th attempt!
    ◦ Total cost of certificates: USD $657
• 46. ◦ We can sign fully trusted certificates
    ◦ Perfect man-in-the-middle attacks
    ◦ A malicious attacker can pick a more realistic CA name and fool even experts
• 47. MITM requires connection hijacking:
    ◦ Insecure wireless networks
    ◦ ARP spoofing
    ◦ Proxy autodiscovery
    ◦ DNS spoofing
    ◦ Owning routers
• 49. ◦ We’re not releasing the private key
    ◦ Our CA cert was backdated to Aug 2004
        ▪ just for demo purposes; a real malicious attacker can get a cert that never expires
    ◦ Browser vendors can blacklist our cert
        ▪ we notified them in advance
    ◦ Users might be able to blacklist our cert
• 50. Our CA cert is not easily revocable!
    ◦ CRL and OCSP get the revocation URL from the cert itself
    ◦ Our cert contains no such URL
    ◦ Revocation checking is disabled in Firefox 2 and IE6 anyway
  Possible fixes: Large organizations can set up their own custom OCSP server and force OCSP revocation checking.
• 51. Extended Validation (EV) certs:
    ◦ supported by all major browsers
    ◦ EV CAs are not allowed to use MD5
    ◦ safe against this attack
  Do users really know how to tell the difference between EV and regular certs?
• 52. With optimizations the attack might be done for $2000 on Amazon EC2 in 1 day
  We want to prevent malicious entities from repeating the attack:
    ◦ We are not releasing our collision-finding implementation or improved methods until we feel it’s safe
    ◦ We’ve talked to the affected CAs: they will switch to SHA-1 very, very soon
• 53. No way to tell.
    ◦ The theory has been public since 2007
    ◦ Our legitimate certificate is completely innocuous: the collision bits are hidden in the RSA key, but they look random
  Can we still trust CA certs that have been used to sign anything with MD5 in the last few years?
• 54. ◦ We need defense in depth
        ▪ random serial numbers
        ▪ random delay when signing certs
    ◦ Future challenges:
        ▪ second preimage against MD5
        ▪ collisions in SHA-1
    ◦ Dropping support for a broken crypto primitive is very hard in practice
        ▪ but crypto can be broken overnight
        ▪ what do we do if SHA-1 or RSA falls tomorrow?
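As an added, defender-side example (not code from the slides), the following Python audit parses an issuance log in the format shown on slide 38 and reports whether serial numbers follow a fixed stride at a steady rate, which is what made the counter prediction in step 2 of slide 41 possible; random_serial shows the "random serial numbers" remedy from slide 54. The log lines are constructed from the slide 38 sample, and the 64-bit threshold is an assumption of this example.

```python
import secrets
from datetime import datetime

# Constructed sample in the format of the RapidSSL issuance log on slide 38
ISSUANCE_LOG = """\
Nov 3 07:42:02 2008 GMT 643004
Nov 3 07:43:02 2008 GMT 643005
Nov 3 07:44:08 2008 GMT 643006
Nov 3 07:45:02 2008 GMT 643007
Nov 3 07:46:02 2008 GMT 643008
"""

def parse_log(text: str) -> list:
    """Parse '<Mon> <day> <HH:MM:SS> <year> GMT <serial>' lines into (datetime, int)."""
    rows = []
    for line in text.splitlines():
        *ts, serial = line.split()
        when = datetime.strptime(" ".join(ts), "%b %d %H:%M:%S %Y %Z")
        rows.append((when, int(serial)))
    return rows

def audit_serials(rows: list) -> dict:
    """Flag serial numbers an outsider could predict from public issuance data.

    A fixed stride (e.g. +1 per cert) plus a steady issuance rate lets anyone
    estimate the serial a request will receive at a chosen time.
    """
    serials = [s for _, s in rows]
    diffs = [b - a for a, b in zip(serials, serials[1:])]
    fixed_stride = bool(diffs) and len(set(diffs)) == 1
    minutes = (rows[-1][0] - rows[0][0]).total_seconds() / 60
    per_minute = (serials[-1] - serials[0]) / minutes if minutes else 0.0
    # Assumed threshold: fewer than 64 bits of serial leaves no room for entropy
    low_entropy = max(serials).bit_length() < 64
    return {"fixed_stride": fixed_stride, "per_minute": per_minute,
            "predictable": fixed_stride and low_entropy}

def random_serial(bits: int = 64) -> int:
    """Unpredictable, nonzero serial number drawn from a CSPRNG (slide 54 remedy)."""
    while True:
        s = secrets.randbits(bits)
        if s:
            return s

if __name__ == "__main__":
    print(audit_serials(parse_log(ISSUANCE_LOG)))
```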
• 56. ◦ No need to panic, the Internet is not completely broken
    ◦ The affected CAs are switching to SHA-1
    ◦ Making the theoretical possible is sometimes the only way you can effect change and secure the Internet