Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

Stevens, Marc; Sotirov, Alexander; Appelbaum, Jacob; Lenstra, Arjen K.; Molnár, Dávid; Osvik, Dag Arne; Weger, Benne de

doi:10.1007/978-3-642-03356-8_4

Cited by 122 publications

(77 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Thus it is not surprising that with time, attacks against practical hash functions are usually found that drastically lower the bounds assumed in theory. Many attacks have been presented for MD5 [25,23,21], and also for SHA-1 [13] first attacks have been published [24,7,1,6]. This, in turn, led NIST (National Institute of Standards and Technology) to hold a competition to find a successor to the SHA-1 and SHA-2 families [14].…”

Section: Introductionmentioning

confidence: 99%

Hash Combiners for Second Pre-image Resistance, Target Collision Resistance and Pre-image Resistance Have Long Output

Mittelbach

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. A (k, l) hash-function combiner for property P is a construction that, given access to l hash functions, yields a single cryptographic hash function which has property P as long as at least k out of the l hash functions have that property. Hash function combiners are used to hedge against the failure of one or more of the individual components. One example of the application of hash function combiners are the previous versions of the TLS and SSL protocols [10,8].The concatenation combiner which simply concatenates the outputs of all hash functions is an example of a robust combiner for collision resistance. However, its output length is, naturally, significantly longer than each individual hash-function output, while the security bounds are not necessarily stronger than that of the strongest input hash-function. In 2006 Boneh and Boyen asked whether a robust black-box combiner for collision resistance can exist that has an output length which is significantly less than that of the concatenation combiner [4]. Regrettably, this question has since been answered in the negative for fully black-box constructions (where hash function and adversary access is being treated as blackbox), that is, combiners (in this setting) for collision resistance roughly need at least the length of the concatenation combiner to be robust [4,5,16,17].In this paper we examine weaker notions of collision resistance, namely: second pre-image resistance and target collision resistance [20] and pre-image resistance. As a generic brute-force attack against any of these would take roughly 2 n queries to an n-bit hash function, in contrast to only 2 n/2 queries it would take to break collision resistance (due to the birthday bound), this might indicate that combiners for weaker notions of collision resistance can exist which have a significantly shorter output than the concatenation combiner (which is, naturally, also robust for these properties). Regrettably, this is not the case.

show abstract

Section: Introductionmentioning

confidence: 99%

Hash Combiners for Second Pre-image Resistance, Target Collision Resistance and Pre-image Resistance Have Long Output

Mittelbach

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Thus, attacks inside a secured channel can not be realized. However, the SSL/TLS protocol is prone to MITM attacks [25,26]. The attacker intercepts packets between the client and the server to establish two encrypted connections: 1) a connection between the client and the attacker and 2) a connection between the attacker and the server.…”

Section: And P Ms:m S = Genkey(r C R S P Ms)mentioning

confidence: 99%

“…The attacker intercepts packets between the client and the server to establish two encrypted connections: 1) a connection between the client and the attacker and 2) a connection between the attacker and the server. The attacker generates its own public key and modifies the original certificate to trick the user/client, which is even possible without a capability for the user to notice the attack [25]. By doing this, the attacker can read the traffic of the secured connection between the client and the server.…”

Section: And P Ms:m S = Genkey(r C R S P Ms)mentioning

confidence: 99%

See 1 more Smart Citation

Secure Communication Using Identity Based Encryption

Roschke

Ibraimi

Cheng

et al. 2010

Communications and Multimedia Security

View full text Add to dashboard Cite

Abstract. Secured communication has been widely deployed to guarantee confidentiality and integrity of connections over untrusted networks, e.g., the Internet. Although secure connections are designed to prevent attacks on the connection, they hide attacks inside the channel from being analyzed by Intrusion Detection Systems (IDS). Furthermore, secure connections require a certain key exchange at the initialization phase, which is prone to Man-In-The-Middle (MITM) attacks. In this paper, we present a new method to secure connection which enables Intrusion Detection and overcomes the problem of MITM attacks. We propose to apply Identity Based Encryption (IBE) to secure a communication channel. The key escrow property of IBE is used to recover the decryption key, decrypt network traffic on the fly, and scan for malicious content. As the public key can be generated based on the identity of the connected server and its exchange is not necessary, MITM attacks are not easy to be carried out any more. A prototype of a modified TLS scheme is implemented and proved with a simple client-server application. Based on this prototype, a new IDS sensor is developed to be capable of identifying IBE encrypted secure traffic on the fly. A deployment architecture of the IBE sensor in a company network is proposed. Finally, we show the applicability by a practical experiment and some preliminary performance measurements.

show abstract

“…In the current work, we study Montgomery modular multiplication on the Cell Broadband Engine (Cell). The Cell is an heterogeneous processor and has been used as a cryptographic accelerator [5,6,7,8] as well as for cryptanalysis [9,10].…”

Section: Introductionmentioning

confidence: 99%

Montgomery Multiplication on the Cell

Bos

Kaihara

2010

Parallel Processing and Applied Mathematics

View full text Add to dashboard Cite

Abstract.A technique to speed up Montgomery multiplication targeted at the Synergistic Processor Elements (SPE) of the Cell Broadband Engine is proposed. The technique consists of splitting a number into four consecutive parts. These parts are placed one by one in each of the four element positions of a vector, representing columns in a 4-SIMD organization. This representation enables arithmetic to be performed in a 4-SIMD fashion. An implementation of the Montgomery multiplication using this technique is up to 2.47 times faster compared to an unrolled implementation of Montgomery multiplication, which is part of the IBM multi-precision math library, for odd moduli of length 160 to 2048 bits. The presented technique can also be applied to speed up Montgomery multiplication on other SIMD-architectures.

show abstract

Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate

Cited by 122 publications

References 8 publications

Hash Combiners for Second Pre-image Resistance, Target Collision Resistance and Pre-image Resistance Have Long Output

Hash Combiners for Second Pre-image Resistance, Target Collision Resistance and Pre-image Resistance Have Long Output

Secure Communication Using Identity Based Encryption

Montgomery Multiplication on the Cell

Contact Info

Product

Resources

About