Abstract
We present a novel, automated way to find differential paths for MD5. As an application we have shown how, at an approximate expected cost of 250 calls to the MD5 compression function, for any two chosen message prefixes P and P', suffixes S and S' can be constructed such that the concatenated values P||S and P'||S' collide under MD5. Although the practical attack potential of this construction of chosen-prefix collisions is limited, it is of greater concern than random collisions for MD5. To illustrate the practicality of our method, we constructed two MD5 based X.509 certificates with identical signatures but different public keys and different Distinguished Name fields, whereas our previous construction of colliding X.509 certificates required identical name fields. We speculate on other possibilities for abusing chosen-prefix collisions. More details than can be included here can be found on www.win.tue.nl/hashclash/ChosenPrefixCollisions/ .
Original language | English |
---|---|
Title of host publication | Proceedings of the 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt 2007) 20-24 May 2007, Barcelona, Spain |
Editors | M. Naor |
Place of Publication | Berlin, Germany |
Publisher | Springer |
Pages | 1-22 |
ISBN (Print) | 978-3-540-72539-8 |
DOIs | |
Publication status | Published - 2007 |
Event | 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt 2007) - Barcelona, Spain Duration: 20 May 2007 → 24 May 2007 Conference number: 26 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Volume | 4515 |
ISSN (Print) | 0302-9743 |
Conference
Conference | 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt 2007) |
---|---|
Abbreviated title | Eurocrypt 2007 |
Country/Territory | Spain |
City | Barcelona |
Period | 20/05/07 → 24/05/07 |