Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate

M.M.J. Stevens; A. Sotirov; J.R. Appelbaum; A.K. Lenstra; D. Molnar; D.A. Osvik; B.M.M. Weger, de

doi:10.1007/978-3-642-03356-8_4

Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate

M.M.J. Stevens, A. Sotirov, J.R. Appelbaum, A.K. Lenstra, D. Molnar, D.A. Osvik, B.M.M. Weger, de

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

113 Citations (Scopus)

143 Downloads (Pure)

Abstract

We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 249 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 216 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

Original language	English
Title of host publication	Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings)
Editors	S. Halevi
Place of Publication	Berlin
Publisher	Springer
Pages	55-69
ISBN (Print)	978-3-642-03355-1
DOIs	https://doi.org/10.1007/978-3-642-03356-8_4
Publication status	Published - 2009

Publication series

Name	Lecture Notes in Computer Science
Volume	5677
ISSN (Print)	0302-9743

Access to Document

10.1007/978-3-642-03356-8_4

Metis227808Final published version, 283 KB

Crypto Best Paper Award 2009
Appelbaum, Jacob R. (Recipient), 2009
Prize: Other › Career, activity or publication related prizes (lifetime, best paper, poster etc.) › Scientific

Cite this

Stevens, M. M. J., Sotirov, A., Appelbaum, J. R., Lenstra, A. K., Molnar, D., Osvik, D. A., & Weger, de, B. M. M. (2009). Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In S. Halevi (Ed.), Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings) (pp. 55-69). (Lecture Notes in Computer Science; Vol. 5677). Springer. https://doi.org/10.1007/978-3-642-03356-8_4

Stevens, M.M.J. ; Sotirov, A. ; Appelbaum, J.R. et al. / Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings). editor / S. Halevi. Berlin : Springer, 2009. pp. 55-69 (Lecture Notes in Computer Science).

@inproceedings{68cbcbdd2187493ebb1be8522e276dfe,

title = "Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate",

abstract = "We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 249 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 216 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.",

author = "M.M.J. Stevens and A. Sotirov and J.R. Appelbaum and A.K. Lenstra and D. Molnar and D.A. Osvik and {Weger, de}, B.M.M.",

year = "2009",

doi = "10.1007/978-3-642-03356-8_4",

language = "English",

isbn = "978-3-642-03355-1",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "55--69",

editor = "S. Halevi",

booktitle = "Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings)",

address = "Germany",

}

Stevens, MMJ, Sotirov, A, Appelbaum, JR, Lenstra, AK, Molnar, D, Osvik, DA & Weger, de, BMM 2009, Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. in S Halevi (ed.), Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings). Lecture Notes in Computer Science, vol. 5677, Springer, Berlin, pp. 55-69. https://doi.org/10.1007/978-3-642-03356-8_4

Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. / Stevens, M.M.J.; Sotirov, A.; Appelbaum, J.R. et al.

Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings). ed. / S. Halevi. Berlin : Springer, 2009. p. 55-69 (Lecture Notes in Computer Science; Vol. 5677).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate

AU - Stevens, M.M.J.

AU - Sotirov, A.

AU - Appelbaum, J.R.

AU - Lenstra, A.K.

AU - Molnar, D.

AU - Osvik, D.A.

AU - Weger, de, B.M.M.

PY - 2009

Y1 - 2009

N2 - We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 249 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 216 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

AB - We present a refined chosen-prefix collision construction for MD5 that allowed creation of a rogue Certification Authority (CA) certificate, based on a collision with a regular end-user website certificate provided by a commercial CA. Compared to the previous construction from Eurocrypt 2007, this paper describes a more flexible family of differential paths and a new variable birthdaying search space. Combined with a time-memory trade-off, these improvements lead to just three pairs of near-collision blocks to generate the collision, enabling construction of RSA moduli that are sufficiently short to be accepted by current CAs. The entire construction is fast enough to allow for adequate prediction of certificate serial number and validity period: it can be made to require about 249 MD5 compression function calls. Finally, we improve the complexity of identical-prefix collisions for MD5 to about 216 MD5 compression function calls and use it to derive a practical single-block chosen-prefix collision construction of which an example is given.

U2 - 10.1007/978-3-642-03356-8_4

DO - 10.1007/978-3-642-03356-8_4

M3 - Conference contribution

SN - 978-3-642-03355-1

T3 - Lecture Notes in Computer Science

SP - 55

EP - 69

BT - Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings)

A2 - Halevi, S.

PB - Springer

CY - Berlin

ER -

Stevens MMJ, Sotirov A, Appelbaum JR, Lenstra AK, Molnar D, Osvik DA et al. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. In Halevi S, editor, Advances in Cryptology - CRYPTO 2009 (29th Annual International Cryptology Conference, Santa Barbara CA, USA, August 16-20, 2009. Proceedings). Berlin: Springer. 2009. p. 55-69. (Lecture Notes in Computer Science). doi: 10.1007/978-3-642-03356-8_4

Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate

Abstract

Publication series

Access to Document

Fingerprint

Prizes

Crypto Best Paper Award 2009

Cite this