Author Topic: MD4/MD5 Collision generators  (Read 7802 times)

iago
MD4/MD5 Collision generators
« on: November 14, 2005, 02:19:48 pm »
Can you tell that I've been catching up on Email today? :)

Anyway, here's a site that has software to generate MD4 (instantly) and MD5 (~45mins) collisions:
http://www.stachliu.com/collisions.html

Sidoh
Re: MD4/MD5 Collision generators
« Reply #1 on: November 14, 2005, 04:04:32 pm »
Neat!

Blaze
Re: MD4/MD5 Collision generators
« Reply #2 on: November 14, 2005, 04:06:53 pm »
If those are on 1.6ghz... and I have 3.8ghz... =D
And like a fool I believed myself, and thought I was somebody else...

Newby
"The death of MD5" + newby is a double posting moron
« Reply #3 on: November 14, 2005, 08:57:43 pm »
Totally jacked from Skywing's post on it @ vL forums.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038719.html

Looks like it's time to move anything you have still using MD5 away from it.  45 minutes to generate a collision on a slow P4 is about as broken as you can get, makes it completely useless for any practical purposes now.

Discuss?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Sidoh
Re: "The death of MD5"
« Reply #4 on: November 14, 2005, 08:58:46 pm »
That's a bummer.  Are there any similar collision algorithms for the respective SHA algorithms?

Blaze
Re: "The death of MD5"
« Reply #5 on: November 14, 2005, 09:07:47 pm »
http://www.x86labs.org/forum/index.php/topic,3740.0.html

So many double posts these days. :P

Still, I told Warrior we should use sha1 on AdvancedContent, and I think he's working on it now, or something.

iago
Re: "The death of MD5"
« Reply #6 on: November 14, 2005, 09:10:13 pm »
The fact that a collision can be generated has nothing to do with how secure it is for storing passwords.  Passwords can still be stored in MD5 without a problem. 

Sidoh
Re: "The death of MD5"
« Reply #7 on: November 14, 2005, 09:14:35 pm »
Quote from: Blaze
> http://www.x86labs.org/forum/index.php/topic,3740.0.html
>
> So many double posts these days. :P
>
> Still, I told Warrior we should use sha1 on AdvancedContent, and I think he's working on it now, or something.

Changing that is an extremely minimal task.  It would take about five minutes.

Quote from: iago
> The fact that a collision can be generated has nothing to do with how secure it is for storing passwords. Passwords can still be stored in MD5 without a problem.

I'm a bit confused.  Why is that true?

iago
Re: "The death of MD5" + newby is a double posting moron
« Reply #8 on: November 14, 2005, 09:23:29 pm »
I hate explaining this.  I've had to do it so many times....

But anyway, MD5 and SHA1 both have weaknesses.  However, that doesn't mean they're easy to bruteforce, it's still just as hard to bruteforce them.

Hashing is used for at least 2 things:
- Storing unrecoverable data (ie, passwords)
- Authenticating a document

The weakness is that a collision can be induced in the document storage.  As an example, you might be able to have two programs, one malicious and one clean.  You store the MD5 of the clean one to verify that the program you're running is safe.  Then somebody sends you the malicious one, you check the signature, decide that the program is clean, and run it.

Or, you send somebody a legal document, and ask them to encrypt the MD5 and send it back (basically like signing the document).  However, you've secretly generated a second document that has the same MD5 hash, but says something different.  You swap their signature on the different document, and it looks like they signed that. 

You might be thinking, "Who cares?", and that's exactly right.  For day-to-day use, like storing passwords, being able to induce collisions isn't a big deal.  I mean, it might be possible to generate two different passwords for yourself that both generate the same hash.  But why anybody would want to do that is beyond me. 

If you feel like reading it, here is me explaining it another way:
Quote
Conversation with cowshjt at 2005-04-14 19:06:37 on iagox86 (aim)
(19:06:37) CoW Shjt: heh according to some of these reports
(19:06:45) CoW Shjt: sha-1 is in some trouble
(19:06:49) CoW Shjt: and md5 is next to dead
(19:07:07) iagox86: it depends what they're being used for
(19:07:30) CoW Shjt: well arent the concepts the same as far as file verification and password protection?
(19:07:54) CoW Shjt: collisions are bad for both usages
(19:09:28) iagox86: It's not the problem that collisions are common, the problem is that collisions can be induced
(19:09:53) CoW Shjt: people are finding values that would cause collisions?
(19:09:54) iagox86: Unless I understand the vulnerability incorrectly, you need to be able to control both strings to cause a collision, but in password protection you only control one
(19:10:23) iagox86: yes, it's not impossible to pick 2 strings (by manipulating both of them in sneaky ways) that are the same MD5
(19:10:31) iagox86: to my knowledge, it's not a problem for passwords
(19:10:45) CoW Shjt: well for passwords, if you have a good amt of collisions
(19:10:55) CoW Shjt: the brute forcing would be reduced greatly
(19:11:53) iagox86: Only if you pre-generate all the keys and find the collisions for everything, but that would be computationally infeasible
(19:12:31) CoW Shjt: well lets say you didnt want the password string
(19:12:38) CoW Shjt: just something that could generate the same hash
(19:12:58) iagox86: The likeliness of finding something that matches a single string is basically impossible
(19:13:07) iagox86: veryveryvery low
(19:13:33) CoW Shjt: but how is finding strings that generate the same hash hurting the protocols so much?
(19:13:39) CoW Shjt: why is it so serious?
(19:13:58) iagox86: It makes it impossible to use md5 to verify that a document is real
(19:14:17) iagox86: Somebody can (without too much trouble, apparently) generate 2 different documents, sign it by taking the md5 of it, and then switch them
(19:14:26) CoW Shjt: but isnt it very very very unlikely that that document would generate those specific strings?
(19:14:40) iagox86: If you can control both documents, that's when the collisions can be induced
(19:15:10) CoW Shjt: so the problem basically is, ppl have found a way to create the same hash as a string that is given to them?
(19:15:29) iagox86: No, the problem is that people can generate 2 different strings that have the same hash code
(19:15:41) iagox86: The same md5 hash, rather
(19:16:02) iagox86: It's difficult to take one and find a match, but if you are in control of both it's possible
(19:16:20) CoW Shjt: but the likelihood of having a document that would be the same as one of those strings that cause collisions be rather low?
(19:17:04) iagox86: yes
(19:17:14) iagox86: That's my understanding, it is possible that I'm not correct
(19:17:47) CoW Shjt: wouldnt that be the same likelihood of having personA's password generate the same hash as personB?
(19:18:38) iagox86: No, because the collisions are caused by certain changes, I think
(19:20:44) CoW Shjt: but wouldnt collisions in the first place allow a brute forcer to reduce his number of attempts and never actually need the original string?
(19:21:30) iagox86: I'm not qualified to answer that
(19:21:48) iagox86: But I suppose if somebody designed their original string in a special way that causes collisions, by luck..
(19:21:53) CoW Shjt: (20:21:18) iagox86: It's difficult to take one and find a match, but if you are in control of both it's possible

if you controlled both strings, wouldn't the work already be done?
(19:22:26) iagox86: If you're getting them to sign a md5 hash of a document, you can generate 2 with very small differences that end up with the same hash
(19:22:46) iagox86: There's a good example of that on SecurityFocus.com, but I don't feel like finding it
(19:23:01) CoW Shjt: eh i wouldnt feel like reading it :)
(19:23:07) iagox86: (14:50:07) iagox86: i saw one on a mailing list a loong time ago involving md5 and a pony
(14:50:11) iagox86: the md5 sum was the same
(14:50:41) iagox86: wow, first result on google:
(14:50:41) iagox86: http://www.securityfocus.com/archive/1/383709/2005-02-21/2005-02-27/0
(19:23:09) iagox86: it's very short
(19:23:12) iagox86: I sent that to you on March 10 :P
(19:23:25) iagox86: Have a look at the whole thread, it explains what I'm trying to
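
The document-swap scenario from the post above, as an added example that is not part of the original thread. It assumes the 128-byte collision pair published by Wang et al. in 2004 (not data from this page) and shows that a check against a recorded MD5 accepts the second message, while SHA-256 tells the two apart.

```python
import hashlib

# Collision pair published by Wang et al. (2004); not taken from this thread.
MSG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def differing_offsets(a, b):
    """Byte positions at which two equal-length messages differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def matches_recorded(data, recorded_hex, algorithm):
    """The integrity check from the post: hash the file, compare to the stored digest."""
    digest = hashlib.new(algorithm, data, usedforsecurity=False).hexdigest()
    return digest == recorded_hex


def demo():
    # Digests recorded for the "clean" message A ...
    recorded_md5 = hashlib.md5(MSG_A, usedforsecurity=False).hexdigest()
    recorded_sha256 = hashlib.sha256(MSG_A).hexdigest()
    # ... then message B is delivered in its place.
    return {
        "offsets": differing_offsets(MSG_A, MSG_B),
        "md5_accepts_b": matches_recorded(MSG_B, recorded_md5, "md5"),
        "sha256_accepts_b": matches_recorded(MSG_B, recorded_sha256, "sha256"),
    }


if __name__ == "__main__":
    print(demo())
```

Both messages were chosen together by whoever produced the pair; nothing here finds an input matching a digest that someone else fixed in advance, which is the situation a stored password hash is in.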

Quik
Re: "The death of MD5" + newby is a double posting moron
« Reply #9 on: November 14, 2005, 09:23:57 pm »
Quote from: iago
> The fact that a collision can be generated has nothing to do with how secure it is for storing passwords. Passwords can still be stored in MD5 without a problem.

Quote from: Sidoh
> I'm a bit confused. Why is that true?

Probably because the security risk is in the obtaining of the md5 hash.

[EDIT]: iago beat me. I still think that, in addition to his post, mine is true.
« Last Edit: November 14, 2005, 09:25:41 pm by Quik »
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

iago
Re: "The death of MD5"
« Reply #10 on: November 14, 2005, 09:27:44 pm »
Quote from: Sidoh
> That's a bummer.  Are there any similar collision algorithms for the respective SHA algorithms?

Yes, they're whittling away at SHA1 more and more.  SHA is already well dead, but nobody uses that anymore.  SHA1 is dying.  Other SHA's probably share the same weakness, but they are so much longer that bruteforcing might be tricky. 

Newby
Re: MD4/MD5 Collision generators
« Reply #11 on: November 14, 2005, 09:28:26 pm »
Frigging A-Holes. Discuss this in iago's thread!

Blaze
Re: "The death of MD5"
« Reply #12 on: November 14, 2005, 09:32:54 pm »
Quote from: Blaze
> http://www.x86labs.org/forum/index.php/topic,3740.0.html
>
> So many double posts these days. :P
>
> Still, I told Warrior we should use sha1 on AdvancedContent, and I think he's working on it now, or something.

Quote from: Sidoh
> Changing that is an extremely minimal task.  It would take about five minutes.

Yeah, but all the passwords currently stored are no good. :)

Newby
Re: MD4/MD5 Collision generators
« Reply #13 on: November 14, 2005, 09:36:25 pm »
THANK YOU DEAR. <3

Sidoh
Re: "The death of MD5"
« Reply #14 on: November 14, 2005, 09:50:52 pm »
Quote from: Blaze
> Yeah, but all the passwords currently stored are no good. :)

I know, but it would still be a pretty minimal task.  You could have a script to check sha(md5(password)) and then force the user to change/re-enter their password.
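
The migration proposed in the post above, sketched as an added example that is not code from the forum or from AdvancedContent: stored MD5 hashes are wrapped as sha1(md5(password)) without knowing any plaintext, and the first successful login forces a reset. The record layout, function names and sample user are assumptions; SHA-1 is used only because the thread proposes it, and a salted password KDF could take the same place as the outer function.

```python
import hashlib
import hmac


def md5_hex(password):
    # Legacy scheme discussed in the thread: unsalted MD5 of the password.
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def wrap(md5_digest):
    # Outer hash over the stored MD5 hex string: sha1(md5(password)).
    return hashlib.sha1(md5_digest.encode()).hexdigest()


def migrate(legacy_rows):
    """Convert {user: md5_hex} rows; needs only the stored hashes, no plaintext."""
    return {user: {"scheme": "sha1(md5)", "hash": wrap(h), "must_reset": True}
            for user, h in legacy_rows.items()}


def login(db, user, password):
    rec = db.get(user)
    if rec is None:
        return "denied"
    if rec["scheme"] == "sha1(md5)":
        candidate = wrap(md5_hex(password))   # migrated, not yet reset
    else:
        candidate = hashlib.sha1(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, rec["hash"]):
        return "denied"
    return "reset_required" if rec["must_reset"] else "ok"


def set_password(db, user, new_password):
    # After the forced change the record no longer depends on MD5 at all.
    digest = hashlib.sha1(new_password.encode()).hexdigest()
    db[user] = {"scheme": "sha1", "hash": digest, "must_reset": False}


def demo():
    legacy = {"alice": md5_hex("correct horse")}   # constructed sample row
    db = migrate(legacy)
    steps = [login(db, "alice", "wrong"), login(db, "alice", "correct horse")]
    set_password(db, "alice", "new passphrase")
    steps += [login(db, "alice", "correct horse"), login(db, "alice", "new passphrase")]
    return steps


if __name__ == "__main__":
    print(demo())
```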