Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities

Stevens, Marc; Lenstra, Arjen K.; Weger, Benne de

doi:10.1007/978-3-540-72540-4_1

Cited by 128 publications

(97 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We describe, roughly, what was achieved in the Eurocrypt 2007 paper [13] and why those methods were believed to have limited impact. Given any two chosen message prefixes P and P , it was shown how suffixes S and S can be constructed such that the concatenations P S and P S collide under MD5.…”

Section: Introductionmentioning

confidence: 99%

“…[13]). Actual realization of the threat in question was considered to be hard due to a combination of difficulties, some related to the construction, others to the way certificates are produced by CAs.…”

Section: Introductionmentioning

confidence: 99%

“…We also feel that this should indeed be done to give others the opportunity to further build on them and to develop a better understanding of the lack of strength of currently popular cryptographic hash functions. Fully appreciating the details presented here requires a full understanding of the approach from [13].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

Stevens

Sotirov

Appelbaum

et al. 2009

Advances in Cryptology - CRYPTO 2009

Self Cite

124

View full text Add to dashboard Cite

Abstract. We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 2 49 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 2 16 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

Stevens

Sotirov

Appelbaum

et al. 2009

Advances in Cryptology - CRYPTO 2009

Self Cite

124

View full text Add to dashboard Cite

show abstract

“…Prominent and widely deployed hash functions such as MD5 [38], SHA-1 [37], and the SHA-2 family [37] are used in various products and implementations whose security depends on the collision resistance of those hash functions. However, over the last years (chosen-prefix) collision attacks have been published for MD5 [42] [43] and SHA-1 [30] and are already exploited in the real-world. Recently, a major attack based on MD5 collisions was performed by the Flame espionage malware which injects itself into the Microsoft Windows operating system.…”

Section: Introductionmentioning

confidence: 99%

Embedded Syndrome-Based Hashing

Maurich

Güneysu

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We present novel implementations of the syndrome-based hash function RFSB on an Atmel ATxmega128A1 microcontroller and a low-cost Xilinx Spartan-6 FPGA. We explore several trade-offs between speed and area/code size on both platforms and show that RFSB is extremely versatile with applications ranging from lightweight to high performance. Our lightweight microcontroller implementation requires just 732 byte of ROM while still achieving a competitive performance with respect to other established hash functions. Our fastest FPGA implementation is based on embedded block memories available in Xilinx Spartan-6 devices and runs at 0.21 cycles/byte, with a throughput of 5.35 Gbit/s. To the best of our knowledge, this is the first time the RFSB hash function is implemented on either of these wide-spread platforms.

show abstract

“…MD5 had been known to be insecure since at least 1996, with a regular stream of findings against the algorithm, punctuated in particular by the generation of MD5 collisions in 2004 [20] and the extension of these attacks to chosen prefix attacks in 2007 [14]. Stevens and Sotirov demonstrated a real-world application of the chosen-prefix attack by finding a CA, RapidSSL, that used MD5 and generated entirely predictable certificates (in particular, the Serial Number and Signing/Expiration time fields) and giving it a PKCS#10 request that forced it to generate a certificate that had the same MD5 hash as an intermediate certificate they had already generated.…”

Section: Introductionmentioning

confidence: 99%