sign in sign up
<<
Home , M8 (cipher)

Message Freedom in MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent Message Freedom in MD4 and MD5 Collisions.

APOP Application to APOP. Description Attack MD4/MD5 Collisions Gaëtan Leurent The MD4 family Collisions: Wang’s Laboratoire d’Informatique de l’École Normale Supérieure, technique Revisiting Département d’Informatique, Wang 45 rue d’Ulm, Paris 75230 Cedex 05, France Message freedom [email protected] The APOP attack in practice Fast Software 2007

1 / 27 Message Freedom in Outline MD4 and MD5 Collisions. Application to APOP. Gaëtan 1 APOP Leurent Description APOP Attack Description Attack MD4/MD5 Collisions 2 MD4/MD5 Collisions The MD4 family Collisions: The MD4 family Wang’s technique Collisions: Wang’s technique Revisiting Wang Revisiting Wang Message freedom Message freedom The APOP attack in practice 3 The APOP attack in practice

2 / 27 Message Freedom in The Post Office Protocol MD4 and MD5 Collisions. Application to APOP. POP3 Gaëtan Leurent Standard protocol for remote access to a mailbox

APOP RFC 1460,1725,1939 (first version 1993) Description Attack Supported by virtually every mail provider and every mail MD4/MD5 user agent Collisions The MD4 family Widely used (tend to be replaced by IMAP) Collisions: Wang’s technique Revisiting Wang Supported authentication command Message freedom USER/PASS: plaintext password The APOP attack in APOP: “secure” authentication practice AUTH: any IMAP authentication mechanism: Kerberos, GSS-API, S/, CRAM-MD5

3 / 27 Message Freedom in APOP authentication MD4 and MD5 Collisions. What is APOP? Application to APOP. Unilateral challenge-response authentication protocol Gaëtan k Leurent based on a MAC: h (m)= MD5(m||k)

APOP Server Client Description Attack MD4/MD5 Collisions id ⇒ p id, p The MD4 family Collisions: Wang’s Challenges form: <[email protected]> technique Revisiting Wang Origin authentication and replay protection Message freedom The APOP attack in First remarks practice hk (m)= MD5(m||k) is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness. 4 / 27 Message Freedom in APOP authentication MD4 and MD5 Collisions. What is APOP? Application to APOP. Unilateral challenge-response authentication protocol Gaëtan k Leurent based on a MAC: h (m)= MD5(m||k) c APOP Server Client Description Attack id, MD5(c||pwd) MD4/MD5 Collisions The MD4 family Collisions: Wang’s Challenges form: <[email protected]> technique Revisiting Wang Origin authentication and replay protection Message freedom The APOP attack in First remarks practice hk (m)= MD5(m||k) is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness. 4 / 27 Message Freedom in APOP authentication MD4 and MD5 Collisions. What is APOP? Application to APOP. Unilateral challenge-response authentication protocol Gaëtan k Leurent based on a MAC: h (m)= MD5(m||k) c APOP Server Client Description Attack id, MD5(c||pwd) MD4/MD5 Collisions The MD4 family Collisions: Wang’s Challenges form: <[email protected]> technique Revisiting Wang Origin authentication and replay protection Message freedom The APOP attack in First remarks practice hk (m)= MD5(m||k) is not a secure MAC: offline collisions and envelope attack. The protocol allows chosen-text attack. There should be some client-chosen randomness. 4 / 27 Message Freedom in The APOP Attack MD4 and MD5 Collisions. Application to APOP. Attack setting Gaëtan Leurent Active attack: impersonate the server

APOP Description Server Client Attack c MD4/MD5 ) pwd Collisions Attacker (c|| The MD4 family id, MD5 Collisions: Wang’s technique Revisiting Wang Message freedom No server authentication in POP. The APOP attack in Typical scenario: open WiFi network. practice We can use the client to log on the server and access the mails, but the password should still be safe...

5 / 27 Message Freedom in The APOP Attack MD4 and Basic idea MD5 Collisions. Application to APOP. Basic idea: use collisions Gaëtan Leurent c1 APOP h = MD5(c ||pwd) Description Attacker 1 1 Client Attack

MD4/MD5 ? c2 Collisions h h The MD4 1 = 2 family h2 = MD5(c2||pwd) Collisions: Wang’s technique Revisiting Wang Message freedom Chosen message attack: craft challenges. The APOP attack in practice Choose the challenge size to isolate some part of the key in a block. Same idea as the key-recovery against the envelope method by Preneel and van Oorschot.

6 / 27 Message Freedom in The APOP Attack MD4 and Basic idea MD5 Collisions. Application to APOP. Recover the first password character Gaëtan Leurent If we have an MD5 collision with a specific format:

APOP Description M = <‽‽‽ ‽‽@ ‽‽‽> x c1 = <‽‽‽...‽‽‽> Attack 1

MD4/MD5

‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ Collisions ‽ The MD4 M2 = < @ > x c2 = < ... > family Collisions: Wang’s technique We send c1 and c2 as challenges, and we get: Revisiting Wang Message freedom MD5 <‽‽‽ ‽‽@ ‽‽‽> p0 p1p2... pad 

The APOP

attack in ‽ ‽ ‽ ‽ ‽ ‽ ‽

practice MD5 < ‽ @ > p0 p1p2... pad 

Both hashes collide if p0 = ‘x’ (unlikely if p0 6= ‘x’).

We will repeat this with all ‘x’ until we find p0.

7 / 27 Message Freedom in The APOP Attack MD4 and Basic idea MD5 Collisions. Application to APOP. Recover the next password character Gaëtan Leurent Then we use collisions of the form:

APOP Description M1 = <‽‽‽ ‽‽@ ‽‽‽> p0 y c1 = <‽‽‽...‽‽‽> Attack

MD4/MD5 ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽ ‽

Collisions M ‽ p0 y c < ... > The MD4 2 = < @ > 2 = family Collisions: Wang’s When we send the challenges c and c , we receive: technique 1 2 Revisiting Wang Message freedom MD5 <‽‽‽ ‽‽@ ‽‽‽> p0 p1 p2... pad 

The APOP

‽ ‽ ‽ ‽ ‽ ‽ ‽ attack in ‽ practice MD5 < @ > p0 p1 p2... pad 

Both hashes collide if p1 = ‘y’. We can recover the full password in linear time.

8 / 27 Message Freedom in Using Wang’s collision to attack APOP MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent What we need to attack APOP

APOP We need collisions with control over the end of the last Description block. Attack MD4/MD5 Birthday paradox too expensive. Collisions The MD4 family Collisions: Wang’s Using Wang’s collisions technique Revisiting Wang Wang’s collisions look random. Message freedom Due to the message modifications, we loose control over The APOP attack in the message value. practice Modify Wang’s collision finding technique.

9 / 27 Message Freedom in Outline MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent 1 APOP

APOP Description 2 Attack MD4/MD5 Collisions MD4/MD5 The MD4 family Collisions The MD4 Collisions: Wang’s technique family Collisions: Revisiting Wang Wang’s technique Revisiting Message freedom Wang Message freedom The APOP 3 The APOP attack in practice attack in practice

10 / 27 Message Freedom in The MD4 family MD4 and Compression function MD5 Collisions. Application to APOP. Compression Function Design Gaëtan Leurent mi APOP Davies-Meyer with a Description Attack Feistel-like cipher. MD4/MD5 Hi−1 Hi Collisions C The MD4 family Collisions: Wang’s technique Revisiting Wang Designed to be fast: 32 bit words, and operations available Message freedom in hardware: 32 The APOP additions mod2 : ⊞ attack in practice boolean functions: Φi rotations ≪ si

Message expansion M = hM0, ...M15i 7→ hm0, ...m47/63i 4 words of internal state Qi updated in rounds of 16 steps

11 / 27 Message Freedom in Compression Function MD4 and MD5 Collisions. Application to APOP. MD4 Step Update

Gaëtan Leurent Qi−4 Qi−3 Qi−2 Qi−1 APOP Description Φi Attack MD4/MD5 Collisions mi The MD4 family Collisions: Wang’s ki technique Revisiting ≪ Wang si Message freedom The APOP attack in practice Qi−3 Qi−2 Qi−1 Qi

Qi = (Qi−4 ⊞ Φi (Qi−1, Qi−2, Qi−3) ⊞ mi ⊞ ki ) ≪ si

12 / 27 Message Freedom in Compression Function MD4 and MD5 Collisions. Application MD5 Step Update to APOP.

Gaëtan Leurent Qi−4 Qi−3 Qi−2 Qi−1

APOP Φi Description Attack MD4/MD5 Collisions mi The MD4 family Collisions: ki Wang’s technique ≪ Revisiting si Wang Message freedom The APOP attack in practice Qi−3 Qi−2 Qi−1 Qi

Qi = Qi−1 ⊞ (Qi−4 ⊞ Φi (Qi−1, Qi−2, Qi−3) ⊞ mi ⊞ ki ) ≪ si

13 / 27 Message Freedom in Collisions in MD4 and MD5 MD4 and MD5 Collisions. Application Wang in a nutshell to APOP.

Gaëtan 1 Precomputation: Leurent Choose a message difference. APOP Compute a differential path. Description Attack Derive a set of sufficient conditions. MD4/MD5 2 Collision search: Collisions The MD4 Find a message that satisfies the set of conditions. family Collisions: Wang’s technique Revisiting Main result Wang Message freedom We know a difference ∆ and a set of conditions on the internal The APOP state variables Qi ’s, such that: attack in practice If all the conditions are satisfied by the internal state variable in the computation of H(M), then H(M)= H(M + ∆).

14 / 27 Message Freedom in Collision search MD4 and MD5 − Q Collisions. 4 12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Q− Leurent 1 Q15 m0 1c Q0 m0 3c Q16 APOP m1 3c Q m4 3c Q Description 1 17 Attack m2 3c Q2 m8 3c Q18 MD4/MD5 m3 5c Q3 m12 2c Q19 Collisions m4 m1 The MD4 5c Q4 2c Q20 family m5 m5 Collisions: 5c Q5 1c Q21 Wang’s m m technique 6 6c Q6 9 2c Q22 Revisiting m m Wang 7 4c Q7 13 Q23 Message m8 4c Q8 m2 Q24 freedom m m The APOP 9 4c Q9 6 Q25 attack in m10 4c Q10 m10 Q26 practice m11 5c Q11 m14 Q27 m12 6c Q12 Goalm3 Q28 m m 13 6c Q13 Given the7 set of conditions,Q29 m14 6c Q m11 Q 14 find a message (here on30 MD4). m15 6c Q15 m15 Q31 15 / 27 Message Freedom in Collision search MD4 and MD5 Q− Collisions. 4 Application Q−3 to APOP. Q−2 Gaëtan Q− Leurent 1 m0 Q0 APOP m1 Q Description 1 Attack m2 Q2 MD4/MD5 m3 Q3 Basic equations Collisions m4 The MD4 Q4 Qi− Qi− Qi− Qi− family m5 4 3 2 1 Collisions: Q5 Wang’s m Φi technique 6 Q6 Revisiting m mi Wang 7 Q7 Message m8 ki freedom Q8 m ≪ si The APOP 9 Q9 attack in m10 Q10 X practice Qi− Qi− Qi− Qi m11 Q11 3 2 1 m12 Q12 Qi = (Qi−4⊞Φi ⊞mi ⊞ki ) ≪ si m13 Q13 Qi−4 = Qi ≫ si ⊟ Φi ⊟ mi ⊟ ki m14 Q14 mi = Qi ≫ si ⊟ Qi−4 ⊟ Φi ⊟ ki m15 Q15 15 / 27 Message Freedom in Collision search MD4 and MD5 Q− Collisions. 4 Application Q−3 to APOP. Q−2 Gaëtan Q− Leurent 1 m0 Q0 APOP m1 Q Description 1 Attack m2 Q2 MD4/MD5 m3 Q3 Basic equations Collisions m4 The MD4 Q4 Qi− Qi− Qi− Qi− family m5 4 3 2 1 Collisions: Q5 Wang’s m Φi technique 6 Q6 Revisiting m mi Wang 7 Q7 Message m8 ki freedom Q8 m ≪ si The APOP 9 Q9 attack in m10 Q10 X practice Qi− Qi− Qi− Qi m11 Q11 3 2 1 m12 Q12 Qi = (Qi−4⊞Φi ⊞mi ⊞ki ) ≪ si m13 Q13 Qi−4 = Qi ≫ si ⊟ Φi ⊟ mi ⊟ ki m14 Q14 mi = Qi ≫ si ⊟ Qi−4 ⊟ Φi ⊟ ki m15 Q15 15 / 27 Message Freedom in Collision search MD4 and MD5 Q− Collisions. 4 Application Q−3 to APOP. Q−2 Gaëtan Q− Leurent 1 m0 Q0 APOP m1 Q Description 1 Attack m2 Q2 MD4/MD5 m3 Q3 Basic equations Collisions m4 The MD4 Q4 Qi− Qi− Qi− Qi− family m5 4 3 2 1 Collisions: Q5 Wang’s m Φi technique 6 Q6 Revisiting m mi Wang 7 Q7 Message m8 ki freedom Q8 m ≪ si The APOP 9 Q9 attack in m10 Q10 X practice Qi− Qi− Qi− Qi m11 Q11 3 2 1 m12 Q12 Qi = (Qi−4⊞Φi ⊞mi ⊞ki ) ≪ si m13 Q13 Qi−4 = Qi ≫ si ⊟ Φi ⊟ mi ⊟ ki m14 Q14 mi = Qi ≫ si ⊟ Qi−4 ⊟ Φi ⊟ ki m15 Q15 15 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 APOP Message modification Description m1 Q1 Attack m2 Q2 Pick a message. MD4/MD5 m3 Q Collisions 3 Compute Qi . The MD4 m4 Q4 family Modify Qi ; recompute mi . Collisions: m5 Q5 Wang’s technique Q6 Alternatively, modify mi . Revisiting Wang m7 Q7 Message m freedom 8 Q8 Remark The APOP m9 Q9 attack in m10 Each message modification practice Q10 m11 Q11 depends on the previous ones. m12 Q12 m13 Q13 m14 Q14 m15 Q15 16 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP Message modification Description m1 Q1 Attack m2 Q2 Pick a message. MD4/MD5 m3 Q Collisions 3 Compute Qi . The MD4 m4 Q4 family Modify Qi ; recompute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Alternatively, modify mi . Revisiting Wang m7 Q7 Message m freedom 8 Q8 Remark The APOP m9 Q9 attack in m10 Each message modification practice Q10 m11 Q11 depends on the previous ones. m12 Q12 m13 Q13 m14 Q14 m15 Q15 16 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP Message modification Description m1 Q1 Attack m2 Q2 Pick a message. MD4/MD5 m3 Q Collisions 3 Compute Qi . The MD4 m4 Q4 family Modify Qi ; recompute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Alternatively, modify mi . Revisiting Wang m7 Q7 Message m freedom 8 Q8 Remark The APOP m9 Q9 attack in m10 Each message modification practice Q10 m11 Q11 depends on the previous ones. m12 Q12 m13 Q13 m14 Q14 m15 Q15 16 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP Message modification Description m1 Q1 X Attack m2 Q2 Pick a message. MD4/MD5 m3 Q Collisions 3 Compute Qi . The MD4 m4 Q4 family Modify Qi ; recompute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Alternatively, modify mi . Revisiting Wang m7 Q7 Message m freedom 8 Q8 Remark The APOP m9 Q9 attack in m10 Each message modification practice Q10 m11 Q11 depends on the previous ones. m12 Q12 m13 Q13 m14 Q14 m15 Q15 16 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP Message modification Description m1 Q1 X Attack m2 Q2 Pick a message. MD4/MD5 m3 Q Collisions 3 Compute Qi . The MD4 m4 Q4 family Modify Qi ; recompute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Alternatively, modify mi . Revisiting Wang m7 Q7 Message m freedom 8 Q8 Remark The APOP m9 Q9 attack in m10 Each message modification practice Q10 m11 Q11 depends on the previous ones. m12 Q12 m13 Q13 m14 Q14 m15 Q15 16 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP Message modification Description m1 Q1 X Attack m2 Q2 X Pick a message. MD4/MD5 m3 Q Collisions 3 Compute Qi . The MD4 m4 Q4 family Modify Qi ; recompute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Alternatively, modify mi . Revisiting Wang m7 Q7 Message m freedom 8 Q8 Remark The APOP m9 Q9 attack in m10 Each message modification practice Q10 m11 Q11 depends on the previous ones. m12 Q12 m13 Q13 m14 Q14 m15 Q15 16 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP Message modification Description m1 Q1 X Attack m2 Q2 X Pick a message. MD4/MD5 m3 Q Collisions 3 Compute Qi . The MD4 m4 Q4 family Modify Qi ; recompute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Alternatively, modify mi . Revisiting Wang m7 Q7 Message m freedom 8 Q8 Remark The APOP m9 Q9 attack in m10 Each message modification practice Q10 m11 Q11 depends on the previous ones. m12 Q12 m13 Q13 m14 Q14 m15 Q15 16 / 27 Message Freedom in How to satisfy conditions in the first round (Wang) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP Message modification Description m1 Q1 X Attack m2 Q2 X Pick a message. MD4/MD5 m3 Q X Collisions 3 Compute Qi . The MD4 m4 Q4 X family Modify Qi ; recompute mi . Collisions: m5 Q5 X Wang’s technique m6 Q6 X Alternatively, modify mi . Revisiting Wang m7 Q7 X Message m X freedom 8 Q8 Remark The APOP m9 Q9 X attack in m10 X Each message modification practice Q10 m11 Q11 X depends on the previous ones. m12 Q12 X m13 Q13 X m14 Q14 X m15 Q15 X 16 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (Wang) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q APOP 0 16 Description m1 Q1 X m4 Q17 Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X Multi message modification The APOP m9 Q9 X attack in m Compute Qi . practice 10 Q10 X m11 Q11 X Modify Qi and recompute m12 Q12 X mi . m13 Q13 X Recompute Qi ’s and mi ’s m14 Q14 X m15 Q15 X in the first round. 17 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (Wang) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X Multi message modification The APOP m9 Q9 X attack in m Compute Qi . practice 10 Q10 X m11 Q11 X Modify Qi and recompute m12 Q12 X mi . m13 Q13 X Recompute Qi ’s and mi ’s m14 Q14 X m15 Q15 X in the first round. 17 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (Wang) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X✗ m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X Multi message modification The APOP m9 Q9 X attack in m Compute Qi . practice 10 Q10 X m11 Q11 X Modify Qi and recompute m12 Q12 X mi . m13 Q13 X Recompute Qi ’s and mi ’s m14 Q14 X m15 Q15 X in the first round. 17 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (Wang) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X✗ m4 Q17 Attack m2 Q2 X✗ m8 Q18 MD4/MD5 m X✗ m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X✗ m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X Multi message modification The APOP m9 Q9 X attack in m Compute Qi . practice 10 Q10 X m11 Q11 X Modify Qi and recompute m12 Q12 X mi . m13 Q13 X Recompute Qi ’s and mi ’s m14 Q14 X m15 Q15 X in the first round. 17 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (Wang) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q Xm0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X Multi message modification The APOP m9 Q9 X attack in m Compute Qi . practice 10 Q10 X m11 Q11 X Modify Qi and recompute m12 Q12 X mi . m13 Q13 X Recompute Qi ’s and mi ’s m14 Q14 X m15 Q15 X in the first round. 17 / 27 Message Freedom in Revisiting Wang MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent

APOP Description Attack Outline MD4/MD5 Collisions Message modification in the second round hard to find. The MD4 family Collisions: Little message freedom due to message modifications. Wang’s technique We propose a new way to satisfy the conditions. Revisiting Wang Message freedom The APOP attack in practice

18 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 APOP m1 Q Description 1 Wang revisited Attack m2 Q2 MD4/MD5 m3 Q i Collisions 3 Choose Q . The MD4 m4 Q4 family Compute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Revisiting Wang m7 Q7 Remark Message freedom m8 Q8 The Qi ’s in the first round can The APOP m9 Q9 attack in m10 be chosen in any order. practice Q10 m11 Q11 m12 Q12 m13 Q13 m14 Q14 m15 Q15 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q Description 1 Wang revisited Attack m2 Q2 MD4/MD5 m3 Q i Collisions 3 Choose Q . The MD4 m4 Q4 family Compute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Revisiting Wang m7 Q7 Remark Message freedom m8 Q8 The Qi ’s in the first round can The APOP m9 Q9 attack in m10 be chosen in any order. practice Q10 m11 Q11 m12 Q12 m13 Q13 m14 Q14 m15 Q15 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q Description 1 Wang revisited Attack m2 Q2 MD4/MD5 m3 Q i Collisions 3 Choose Q . The MD4 m4 Q4 family Compute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Revisiting Wang m7 Q7 Remark Message freedom m8 Q8 The Qi ’s in the first round can The APOP m9 Q9 attack in m10 be chosen in any order. practice Q10 m11 Q11 m12 Q12 m13 Q13 m14 Q14 m15 Q15 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q X Description 1 Wang revisited Attack m2 Q2 MD4/MD5 m3 Q i Collisions 3 Choose Q . The MD4 m4 Q4 family Compute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Revisiting Wang m7 Q7 Remark Message freedom m8 Q8 The Qi ’s in the first round can The APOP m9 Q9 attack in m10 be chosen in any order. practice Q10 m11 Q11 m12 Q12 m13 Q13 m14 Q14 m15 Q15 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q X Description 1 Wang revisited Attack m2 Q2 MD4/MD5 m3 Q i Collisions 3 Choose Q . The MD4 m4 Q4 family Compute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Revisiting Wang m7 Q7 Remark Message freedom m8 Q8 The Qi ’s in the first round can The APOP m9 Q9 attack in m10 be chosen in any order. practice Q10 m11 Q11 m12 Q12 m13 Q13 m14 Q14 m15 Q15 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q X Description 1 Wang revisited Attack m2 Q2 X MD4/MD5 m3 Q i Collisions 3 Choose Q . The MD4 m4 Q4 family Compute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Revisiting Wang m7 Q7 Remark Message freedom m8 Q8 The Qi ’s in the first round can The APOP m9 Q9 attack in m10 be chosen in any order. practice Q10 m11 Q11 m12 Q12 m13 Q13 m14 Q14 m15 Q15 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q X Description 1 Wang revisited Attack m2 Q2 X MD4/MD5 m3 Q i Collisions 3 Choose Q . The MD4 m4 Q4 family Compute mi . Collisions: m5 Q5 Wang’s technique m6 Q6 Revisiting Wang m7 Q7 Remark Message freedom m8 Q8 The Qi ’s in the first round can The APOP m9 Q9 attack in m10 be chosen in any order. practice Q10 m11 Q11 m12 Q12 m13 Q13 m14 Q14 m15 Q15 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q X Description 1 Wang revisited Attack m2 Q2 X MD4/MD5 m3 Q X i Collisions 3 Choose Q . The MD4 m4 Q4 X family Compute mi . Collisions: m5 Q5 X Wang’s technique m6 Q6 X Revisiting Wang m7 Q7 X Remark Message freedom m8 Q8 X The Qi ’s in the first round can The APOP m9 Q9 X attack in m10 X be chosen in any order. practice Q10 m11 Q11 X m12 Q12 X m13 Q13 X m14 Q14 X m15 Q15 X 19 / 27 Message Freedom in How to satisfy conditions in the first round (New) MD4 and MD5 Collisions. Q−4 Application Q− to APOP. 3 Q−2 Gaëtan Leurent Q−1 m0 Q0 X APOP m1 Q X Description 1 Wang revisited Attack m2 Q2 X MD4/MD5 m3 Q X i Collisions 3 Choose Q . The MD4 m4 Q4 X family Compute mi . Collisions: m5 Q5 X Wang’s technique m6 Q6 X Revisiting Wang m7 Q7 X Remark Message freedom m8 Q8 X The Qi ’s in the first round can The APOP m9 Q9 X attack in m10 X be chosen in any order. practice Q10 m11 Q11 X m12 Q12 X m13 Q13 X m14 Q14 X m15 Q15 X 19 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q m0 Q APOP 0 16 Description m1 Q1 m4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q m0 Q APOP 0 16 Description m1 Q1 m4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 m4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 m4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 X Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 X Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 X Attack m2 Q2 X m8 Q18 MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X New method The APOP m9 Q9 attack in m Choose the end of the practice 10 Q10 m11 Q11 first round. m12 Q12 Choose mi to satisfy both m 13 Q13 rounds. m14 Q14 m15 Q15 Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X New method The APOP m9 Q9 X attack in m Choose the end of the practice 10 Q10 X m11 Q11 X first round. m12 Q12 X Choose mi to satisfy both m X 13 Q13 rounds. m14 Q14 X m15 Q15 X Fill the first round. 20 / 27 Message nd Freedom in How to satisfy conditions in the 2 round (New) MD4 and MD5 Collisions. Q−4 Q12 Application − to APOP. Q 3 Q13 Q−2 Q Gaëtan 14 Leurent Q−1 Q15 m0 Q X m0 Q X APOP 0 16 Description m1 Q1 X m4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m X m Collisions 3 Q3 12 Q19 The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message freedom m8 Q8 X New method The APOP m9 Q9 X attack in m Choose the end of the practice 10 Q10 X m11 Q11 X first round. m12 Q12 X Choose mi to satisfy both m X 13 Q13 rounds. m14 Q14 X m15 Q15 X Fill the first round. 20 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 m0 Q16 APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 3 m15 Q15 Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 m0 Q16 APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 3 m15 Q15 Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 m0 Q16 APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 3 m15 Q15 Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 m0 Q16 APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 m0 Q16 APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 m0 Q16 APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 Warningm8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions Restart from the beginning if The MD4 m4 Q4 m1 Q20 family Qi does not satisfy the Collisions: m5 Q5 m5 Q21 Wang’s conditions. technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 4 Q17 Attack m2 Q2 m8 Q18 MD4/MD5 m3 Q3 m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 Attack m2 Q2 X m8 Q18 MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 X Attack m2 Q2 X m8 Q18 MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 X Attack m2 Q2 X m8 Q18 MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 m5 Q21 Wang’s technique m6 Q6 m9 Q22 Revisiting Wang m7 Q7 m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 X Attack m2 Q2 X m8 Q18 MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message m freedom 8 Q8 New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message m freedom 8 Q8 X New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message m freedom 8 Q8 X New method The APOP m9 Q9 1 Choose the end of the attack in m10 Q practice 10 m11 Q11 message. m12 Q12 2 Select Qi in the end of m 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message m freedom 8 Q8 X New method The APOP m9 Q9 X 1 Choose the end of the attack in m10 Q X practice 10 m11 Q11 X message. m12 Q12 X 2 Select Qi in the end of m X 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in How to choose part of the message MD4 and MD5 Collisions. Q−4 Q12 Application Q−3 Q13 to APOP. Q−2 Q14 Gaëtan Leurent Q−1 Q15 m0 Q0 X m0 Q16 X APOP m m Description 1 Q1 X 4 Q17 X Attack m2 Q2 X m8 Q18 X MD4/MD5 m3 Q3 X m12 Q19 Collisions The MD4 m4 Q4 X m1 Q20 family Collisions: m5 Q5 X m5 Q21 Wang’s technique m6 Q6 X m9 Q22 Revisiting Wang m7 Q7 X m13 Q23 Message m freedom 8 Q8 X New method The APOP m9 Q9 X 1 Choose the end of the attack in m10 Q X practice 10 m11 Q11 X message. m12 Q12 X 2 Select Qi in the end of m X 13 Q13 the first round. m14 Q14 X 3 m15 Q15 X Fill the rest. 21 / 27 Message Freedom in Message Freedom MD4 and Results MD5 Collisions. Application MD4 Collision Freedom to APOP.

Gaëtan With Wang’s path (Eurocrypt 2005): Leurent complexity about 25 MD4 APOP Description m14, m15 Attack 21 MD4/MD5 complexity about 2 MD4 Collisions m ...m The MD4 11 15 family Collisions: With Yu’s path (CANS 2005): Wang’s technique 31 Revisiting complexity about 2 MD4 Wang Message m5...m15 freedom The APOP attack in practice MD5 Collision Freedom We can choose 3 words of a two block collision:

m0 m15 m15 22 / 27 Message Freedom in Outline MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent 1 APOP APOP Description Attack MD4/MD5 2 MD4/MD5 Collisions Collisions The MD4 family Collisions: Wang’s 3 The APOP attack in practice technique Revisiting Wang Message freedom The APOP attack in practice

23 / 27 Message Freedom in APOP challenge MD4 and MD5 Collisions. Application to APOP.

Gaëtan RFC description Leurent The challenge has to be a message-id: APOP Description Begins with ‘<’ and ends with ‘>’. Attack Two parts separated by an ‘@’. MD4/MD5 Collisions The MD4 Restricted set of allowed characters. family Collisions: Wang’s ⇒ Attack fails (ASCII collisions not possible today). technique Revisiting Wang Message freedom In practice The APOP attack in With most mail user agents: practice Very few restrictions on the set of allowed characters ⇒ Attack works

24 / 27 Message Freedom in APOP challenge MD4 and MD5 Collisions. Application to APOP.

Gaëtan RFC description Leurent The challenge has to be a message-id: APOP Description Begins with ‘<’ and ends with ‘>’. Attack Two parts separated by an ‘@’. MD4/MD5 Collisions The MD4 Restricted set of allowed characters. family Collisions: Wang’s ⇒ Attack fails (ASCII collisions not possible today). technique Revisiting Wang Message freedom In practice The APOP attack in With most mail user agents: practice Very few restrictions on the set of allowed characters ⇒ Attack works

24 / 27 Message Freedom in APOP challenge in practice MD4 and MD5 Collisions. Application APOP challenge in practice to APOP.

Gaëtan Begins with ‘<’ and ends with ‘>’. Leurent Must contain at least one ‘@’. APOP Inside the msg-id, all characters are accepted, excepted: Description Attack 0x00 Null MD4/MD5 0x3e Greater-Than Sign (‘>’) Collisions The MD4 0x0a Line-Feed family Collisions: 0x0d Carriage-Return Wang’s technique Revisiting Wang Message Collision search freedom The APOP First block computed only once: include ‘@’. attack in practice For the second block: avoid 4 characters. ends with ‘>’ followed by some password characters. Using message freedom, we recover 3 password characters.

25 / 27 Message Freedom in The APOP attack in practice MD4 and MD5 Collisions. Mail User Agents Application to APOP. Microsoft Outlook, Apple Mail: No APOP support Gaëtan Leurent KMail: Attack does not work

APOP Thunderbird, Evolution, Mutt, Fetchmail: Attack works Description Attack MD4/MD5 Attack complexity Collisions The MD4 family A few seconds of computations per collision. Collisions: Wang’s technique Need about 100 collisions (200 authentications): Revisiting Wang if the client checks mails every minute, 3 hours. Message freedom Remaining characters can be brute-forced: The APOP attack in 5 characters → 2 hours. practice Recommendations Mail User Agent: check challenge conformity to RFC. Users: avoid APOP if possible (eg. use CRAM-MD5). 26 / 27 Message Freedom in The APOP attack in practice MD4 and MD5 Collisions. Mail User Agents Application to APOP. Microsoft Outlook, Apple Mail: No APOP support Gaëtan Leurent KMail: Attack does not work

APOP Thunderbird, Evolution, Mutt, Fetchmail: Attack works Description Attack MD4/MD5 Attack complexity Collisions The MD4 family A few seconds of computations per collision. Collisions: Wang’s technique Need about 100 collisions (200 authentications): Revisiting Wang if the client checks mails every minute, 3 hours. Message freedom Remaining characters can be brute-forced: The APOP attack in 5 characters → 2 hours. practice Recommendations Mail User Agent: check challenge conformity to RFC. Users: avoid APOP if possible (eg. use CRAM-MD5). 26 / 27 Message Freedom in The APOP attack in practice MD4 and MD5 Collisions. Mail User Agents Application to APOP. Microsoft Outlook, Apple Mail: No APOP support Gaëtan Leurent KMail: Attack does not work

APOP Thunderbird, Evolution, Mutt, Fetchmail: Attack works Description Attack MD4/MD5 Attack complexity Collisions The MD4 family A few seconds of computations per collision. Collisions: Wang’s technique Need about 100 collisions (200 authentications): Revisiting Wang if the client checks mails every minute, 3 hours. Message freedom Remaining characters can be brute-forced: The APOP attack in 5 characters → 2 hours. practice Recommendations Mail User Agent: check challenge conformity to RFC. Users: avoid APOP if possible (eg. use CRAM-MD5). 26 / 27 Message Freedom in Conclusion MD4 and MD5 Collisions. Application to APOP.

Gaëtan Leurent Summary

APOP Wang’s attack allows some message freedom. Description Attack Collision attacks can be used to attack real protocols. MD4/MD5 Collisions The MD4 family Outlook Collisions: Wang’s technique Study collision impact against other authentication Revisiting Wang protocols. Message freedom New differential paths could improve the attack: The APOP attack in Better message difference (ASCII collisions) practice More freedom

27 / 27 Message Freedom in MD4 and Table: APOP MD5 collision. These two msg-id’s collides if padded MD5 with “bar” Collisions. Application to APOP.

Gaëtan Message M Leurent ef 4c b4 ef aa d8 23 bb ec 5d 29 freedom ′ The APOP Message M attack in H P H practice