Chosen-prefix collisions for MD5 and applications (Q1758885): Difference between revisions

From MaRDI portal
Importer (talk | contribs)
Created a new Item
 
Added link to MaRDI item.
links / mardi / namelinks / mardi / name
 

Revision as of 07:12, 1 February 2024

scientific article
Language Label Description Also known as
English
Chosen-prefix collisions for MD5 and applications
scientific article

    Statements

    Chosen-prefix collisions for MD5 and applications (English)
    0 references
    0 references
    0 references
    0 references
    16 November 2012
    0 references
    Summary: We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of \(2^{39}\) calls to the MD5 compression function, for any two chosen message prefixes \(P\) and \(P^{\prime}\), suffixes \(S\) and \(S^{\prime}\) can be constructed such that the concatenated values \(P\parallel S\) and \(P^{\prime} \parallel S^{\prime}\) collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial certification authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf. \url{http://www.win.tue.nl/hashclash/rogue-ca/}). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on \url{http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/}.
    0 references
    MD5
    0 references
    chosen-prefix collision attacks
    0 references
    differential analysis
    0 references
    certification authority
    0 references
    Playstation 3
    0 references

    Identifiers