TY - JOUR
T1 - Chosen-prefix collisions for MD5 and applications
AU - Stevens, M.M.J.
AU - Lenstra, A.K.
AU - Weger, de, B.M.M.
PY - 2012
Y1 - 2012
N2 - We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of 2^39 calls to the MD5 compression function, for any two chosen message prefixes P and P', suffixes S and S' can be constructed such that the concatenated values P||S and P'||S' collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control
(cf. http://www.win.tue.nl/hashclash/rogue-ca/). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on
http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/.
AB - We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of 2^39 calls to the MD5 compression function, for any two chosen message prefixes P and P', suffixes S and S' can be constructed such that the concatenated values P||S and P'||S' collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control
(cf. http://www.win.tue.nl/hashclash/rogue-ca/). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on
http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/.
U2 - 10.1504/IJACT.2012.048084
DO - 10.1504/IJACT.2012.048084
M3 - Article
SN - 1753-0563
VL - 2
SP - 322
EP - 359
JO - International Journal of Applied Cryptography
JF - International Journal of Applied Cryptography
IS - 4
ER -