Logical Analysis and Verification of Cryptographic Protocols - Loria
3.2. COLLISION VULNERABILITY PROPERTY 61

two distinct inputs x and x′ with h(x) = h(x′), provided that x and x′ are created at the same time and independently of each other.

To mount a collision attack, the intruder typically begins by constructing two different messages with the same hash, where one message appears legitimate or innocuous while the other serves the intruder's purposes.
3.2.1 Hash functions having this property

The MD5 hash function [173] is one of the most widely used cryptographic hash functions today. It was designed in 1992 as an improvement on MD4 [172], and its security has been widely studied since then by several authors. The first result was a pseudo-collision for MD5 [98]. When the initialisation vector is allowed to change, another attack (a free-start collision) was found [103]. Recently, a real collision involving two 1024-bit messages was found with the standard initialisation value [199]. This first weakness was extended into a differential-like attack [202], and tools were developed [129, 130] for finding collisions which work for any initialisation value and which are quicker than the methods presented in [199]. Finally, other methods have been developed for finding new MD5 collisions [204, 183]. The development of collision-finding algorithms is not restricted to the MD5 hash function. Several methods for attacking MD4 [172] have been developed [200, 104]. In [200] a method to search for RIPEMD [105] collisions was also developed, and in [42] a collision on SHA-0 [7] was presented. Finally, Wang et al. developed in [201] another method to search for collisions in the SHA-1 [4] hash function.
3.2.2 Collision vulnerability in practice

We consider here the story of Alice and her boss [94]. Alice has been working for some time in the office of Julius Caesar. On her last day of work, Caesar gives her a letter of recommendation on paper. Alice decides to take advantage of this opportunity to gain access to Caesar's secret documents. Caesar uses the MD5 hash function, which is collision vulnerable (Section 3.2.1), in his digital signature scheme DSA [3]. When she receives her letter of recommendation on paper, Alice prepares two PostScript files with the same MD5 hash: one is the letter given by Caesar and the other is an order from Caesar to grant Alice some kind of secrecy clearance. She asks Caesar to digitally sign the letter, and due to the hash collision, Caesar's signature for the letter of recommendation is also valid for the order. She then presents the order and the digital signature to the person in charge of Caesar's files, and finally gains access to Caesar's secret documents.
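The signature transfer in the story above, as an added example that is not part of the thesis: a 24-bit truncation of MD5 stands in for the collision-vulnerable hash, an HMAC stands in for Caesar's DSA, and the two documents are constructed here. The randomized-hashing variant (a signer-chosen salt, the editor's illustration of a countermeasure) shows why the attack depends on Alice building both files before the signature exists.

```python
import hashlib
import hmac
import secrets

def weak_digest(msg: bytes) -> bytes:
    # Stand-in for a collision-vulnerable hash: MD5 truncated to 24 bits, so a
    # birthday search collides in thousands of tries (full MD5 needs the cited methods).
    return hashlib.md5(msg).digest()[:3]

def sign(key: bytes, digest: bytes) -> bytes:
    # Stand-in for Caesar's DSA: a keyed MAC over the digest, never the document.
    return hmac.new(key, digest, hashlib.sha256).digest()

def verify(key: bytes, digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, digest), sig)

def find_colliding_pair() -> tuple[bytes, bytes]:
    # Alice's preparation: vary an invisible filler in both constructed documents
    # until the harmless letter and the order share a weak digest. Both files
    # exist before Caesar signs anything, which is what the attack depends on.
    seen: dict[tuple[bytes, int], bytes] = {}
    for i in range(1 << 17):
        docs = (b"Letter of recommendation for Alice. %%pad " + str(i).encode(),
                b"Order: grant Alice secrecy clearance. %%pad " + str(i).encode())
        for kind, doc in enumerate(docs):
            d = weak_digest(doc)
            other = seen.get((d, 1 - kind))
            if other is not None:
                return (doc, other) if kind == 0 else (other, doc)
            seen[(d, kind)] = doc
    raise RuntimeError("no collision found")

def randomized_sign(key: bytes, doc: bytes) -> tuple[bytes, bytes]:
    # Countermeasure (editor's illustration of randomized hashing): the signer
    # hashes a fresh salt chosen only at signing time together with the document,
    # so a pair prepared in advance no longer collides under the signed digest.
    salt = secrets.token_bytes(16)
    return salt, sign(key, weak_digest(salt + doc))

def verify_randomized(key: bytes, doc: bytes, salt: bytes, sig: bytes) -> bool:
    return verify(key, weak_digest(salt + doc), sig)

def demo() -> tuple[bool, bool]:
    key = secrets.token_bytes(32)            # Caesar's signing key
    letter, order = find_colliding_pair()
    sig = sign(key, weak_digest(letter))     # Caesar signs only the letter...
    transferred = verify(key, weak_digest(order), sig)   # ...yet the order verifies
    salt, rsig = randomized_sign(key, letter)
    still_transferred = verify_randomized(key, order, salt, rsig)  # False (w.h.p.)
    return transferred, still_transferred
```

The verifier never sees the document, only its digest, so any two inputs with equal digests are interchangeable under one signature; the salt breaks the attack because Alice cannot search for a collision around a value the signer has not yet chosen.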