View
8
Download
0
Category
Preview:
Citation preview
Elie Bursztein with the help of Marc Stevens (CWI), Pierre Karpman (INRIA), Ange Albertini, Yarik Markov, Alex Petit-Bianco
and
242A9 1C4E 3CBE
3171 AC03 B186File 1
File 2
Digest uniqueness
One-way function
Attacking hash functions
Finding a SHA-1 collision
Post-collision world
https://shattered.io
Attacker file 1 Attacker file 2
3713ACE30E7ABBA
https://shattered.io
Unknown file Attacker file
42ACE13F0E93BAD
https://shattered.io
Known file Attacker file
BAD37ACE308E93D
https://shattered.io
https://shattered.io
Bruteforce is impractical
Cryptanalysis to the rescue
Hash
R.C Merkle - Secrecy, authentication, and public key systems (1979)
SHA1compress()
File 1st block
IV SHA1compress()
File2nd block
SHA1compress()
File last block
F
Message block
Chain value
+
F F
?
F
+
F F
?
Messages differential path
Equation system
Message block
Chain value
Near collision
Collision Collision!=
File 1 (block m) File 2 (block m)=
Near collision!=
File 1 (block 1) File 2 (block 1)?
https://shattered.io
Collision blocks (C1)Fixed prefix (P) Arbitrary suffix (S)
Collision blocks (C2)Fixed prefix (P) Arbitrary suffix (S)
P==P and C1!=C2 and S==S
Collision blocks (C1)
Partial Suffix displayed (S)
Collision blocks (C2)
Specially crafted prefix
Partial Suffix displayed (S)
Specially crafted prefix
File 1 File 2
Collision blocks (C1)Fixed prefix (P1) Arbitrary suffix (S)
Collision blocks (C2)Fixed prefix (P2) Arbitrary suffix (S)
P1!=P2 and C1!=C2 and S==S
https://shattered.io
MD5 SSL certificate forgery
Serial number
X509 extensionsCA=FALSE
Validity period
Real cert domain name
Signature Signature
RSA public keyNetscape Comment
X509 extension
Serial number
Validity period
Rogue signing certificateVictim certificate
X509 extensions CA=TRUE
Rogue cert(* wildcard)
RSA public key
Collision resistance Preimage resistance
Security Claim
Fixed prefix Chosen attack Security claim Best attack
MD4 264 21
MD5 264 216 239
SHA-1 280 263 277
4. Compute collision
3. Developfull collision
attack
1. Craft file prefix
2. Compute near-collision
blocks
2015 2015 - 2016 2016 2017
PDF header
JPEG header
JPEG comment
Image 1
collision
File 1
lengthlength
File 2
PDF header
JPEG header
JPEG comment
Image 2
length 2length
comment in comment
Work in small batches ~1h
Refactor code to be stateless
Factory paradigm not map-reduce
DVselection
Craft non linear path
Determineattack success
conditions
Findadditional conditions
Fixsolvability
Findspeed-ups
Write attack code
Computecollision
Collision blocks (C1)
Final collision check(CPU)
Collision blocks (C1)
Base solution(CPU)
Work step by step
Always try to work at the highest step
Parallelized: One thread / one solution
https://shattered.iohttps://github.com/nneonneo/sha1collider
Fixe
dPDF header
Varia
ble
JPEG start
Image parsed as comment
JPEG comment
JPEG comment
Visual Desync
Comment length = 0x173
Image
Comment length = 0x17F
Collision block
https://shattered.io
Transition plan slowly in the making
Leverage how collisions are created
Only requires one file to detect collision
Negligible false positivesTrivial differencesrequired for feasible attacks
JGit Github.com
Git 2.12.2 (Mar 2017)
~4.45%
MD
MD 2128
Sponge 2128 2128
HAIFA 2128 2256
SHA-1 is dead long live to SHA-256 & SHA-3
Counter-cryptanalysis as a means of detection
Hash diversityas a safeguard for the years to come
Recommended