Elie Bursztein with the help of Marc Stevens (CWI), Pierre Karpman (INRIA), Ange Albertini, Yarik Markov, Alex Petit-Bianco

and

242A9 1C4E 3CBE

3171 AC03 B186File 1

File 2

Digest uniqueness

One-way function

Attacking hash functions

Finding a SHA-1 collision

Post-collision world

https://shattered.io

Attacker file 1 Attacker file 2

3713ACE30E7ABBA

https://shattered.io

Unknown file Attacker file

42ACE13F0E93BAD

https://shattered.io

Known file Attacker file

BAD37ACE308E93D

https://shattered.io

https://shattered.io

Bruteforce is impractical

Cryptanalysis to the rescue

Hash

R.C Merkle - Secrecy, authentication, and public key systems (1979)

SHA1compress()

File 1st block

IV SHA1compress()

File2nd block

SHA1compress()

File last block

F

Message block

Chain value

+

F F

?

F

+

F F

?

Messages differential path

Equation system

Message block

Chain value

Near collision

Collision Collision!=

File 1 (block m) File 2 (block m)=

Near collision!=

File 1 (block 1) File 2 (block 1)?

https://shattered.io

Collision blocks (C1)Fixed prefix (P) Arbitrary suffix (S)

Collision blocks (C2)Fixed prefix (P) Arbitrary suffix (S)

P==P and C1!=C2 and S==S

Collision blocks (C1)

Partial Suffix displayed (S)

Collision blocks (C2)

Specially crafted prefix

Partial Suffix displayed (S)

Specially crafted prefix

File 1 File 2

Collision blocks (C1)Fixed prefix (P1) Arbitrary suffix (S)

Collision blocks (C2)Fixed prefix (P2) Arbitrary suffix (S)

P1!=P2 and C1!=C2 and S==S

https://shattered.io

MD5 SSL certificate forgery

Serial number

X509 extensionsCA=FALSE

Validity period

Real cert domain name

Signature Signature

RSA public keyNetscape Comment

X509 extension

Serial number

Validity period

Rogue signing certificateVictim certificate

X509 extensions CA=TRUE

Rogue cert(* wildcard)

RSA public key

Collision resistance Preimage resistance

Security Claim

Fixed prefix Chosen attack Security claim Best attack

MD4 264 21

MD5 264 216 239

SHA-1 280 263 277

4. Compute collision

3. Developfull collision

attack

1. Craft file prefix

2. Compute near-collision

blocks

2015 2015 - 2016 2016 2017

PDF header

JPEG header

JPEG comment

Image 1

collision

File 1

lengthlength

File 2

PDF header

JPEG header

JPEG comment

Image 2

length 2length

comment in comment

Work in small batches ~1h

Refactor code to be stateless

Factory paradigm not map-reduce

DVselection

Craft non linear path

Determineattack success

conditions

Findadditional conditions

Fixsolvability

Findspeed-ups

Write attack code

Computecollision

Collision blocks (C1)

Final collision check(CPU)

Collision blocks (C1)

Base solution(CPU)

Work step by step

Always try to work at the highest step

Parallelized: One thread / one solution

https://shattered.iohttps://github.com/nneonneo/sha1collider

Fixe

dPDF header

Varia

ble

JPEG start

Image parsed as comment

JPEG comment

JPEG comment

Visual Desync

Comment length = 0x173

Image

Comment length = 0x17F

Collision block

https://shattered.io

Transition plan slowly in the making

Leverage how collisions are created

Only requires one file to detect collision

Negligible false positivesTrivial differencesrequired for feasible attacks

JGit Github.com

Git 2.12.2 (Mar 2017)

~4.45%

MD

MD 2128

Sponge 2128 2128

HAIFA 2128 2256

SHA-1 is dead long live to SHA-256 & SHA-3

Counter-cryptanalysis as a means of detection

Hash diversityas a safeguard for the years to come