Introduction

Hash functions are widely used in cryptography and in ordinary programs. If a hash algorithm is not well designed, hash collisions or even collision attacks become possible.

Today I will discuss collision attacks with you in detail.

What is a collision attack

A collision attack means that, for the same hash function, two different inputs produce the same hash value. As a formula:

hash(m1) = hash(m2)

What is the effect of this attack?

For example, when applications or software are offered for download over the Internet, an MD5 checksum is usually provided in addition to the download link. This checksum is used to verify that the downloaded software is the one officially provided.

MD5 is also a hash algorithm. If a malicious user can construct software whose MD5 value is the same as that of the original software, a collision attack is likely to succeed.

Another case is digital signatures. For efficiency reasons, if the document is particularly large, its hash value is usually computed first, and then the hash is signed.

So there are two places that can be attacked: one is the hash (through a collision), and the other is the signature algorithm.

For example, Shi Feixuan wrote a letter A to Xu Ziling, saying that there was something to tell in Zhulin in the early morning. The letter was not handed directly to Xu Ziling but given to his good brother Kou Zhong. Kou Zhong thought it was too dangerous at night and didn't want his good brother to take risks, so he forged the letter: he constructed a letter B with the same hash value as the original letter A and attached Shi Feixuan's signature.

Xu Ziling received letter B and the signature. After verification, he found that Shi Feixuan had indeed written it, so he did not go to the appointment.

Collision attacks depend on the strength of the hash algorithm. Hash algorithms such as MD5 and SHA-1 have been proven to be insecure and can be broken in a very short time.

Chosen-prefix collision attack

In addition to the traditional collision attack described above, there is also the chosen-prefix collision attack.

The attacker can choose two different prefixes p1 and p2, and then append different strings m1 and m2 to them so that:

hash(p1 ∥ m1) = hash(p2 ∥ m2), where ∥ denotes concatenation

Let's look at an example of an attack on SHA-1 discovered by Gaëtan Leurent and Thomas Peyrin. These are two messages with the prefixes 99040d047fe81780012000 and 99030d047fe81780011800.

The contents of the two messages can be downloaded from below:

messageA: sha-mbles.github.io/messageA

messageB: sha-mbles.github.io/messageB

Running sha1sum on these two messages gives the same hash value.

sha1sum messageA: 8ac60ba76f1999a1ab70223f225aefdc78d4ddc0

sha1sum messageB: 8ac60ba76f1999a1ab70223f225aefdc78d4ddc0

Hash attack in Java

Java has a frequently used class called HashMap. Before JDK7, if HashMap encountered a hash conflict when storing data, the data would be inserted at the end of the hash node in the form of a linked list.

What are the disadvantages of this?

If a malicious attacker keeps inserting key objects with the same hash value into the HashMap, the HashMap effectively degenerates into a linked list.

This greatly reduces the query efficiency of HashMap. If the amount of data is particularly large, it may lead to a DDoS attack.

The root cause of this problem is that the hash calculation used by HashMap in Java is too simple, so it is easy to find keys with the same hash value.

In fact, in 2011 Tomcat also released a fix for this vulnerability.

Although this is a Java problem, Tomcat ended up taking the blame. Tomcat's approach is to limit maxPostSize, from the maximum 20M to 10K, which can effectively reduce the size of the items in the request.

Of course, in JDK8 the original linked list structure has been changed to a red-black tree structure, which is believed to be a remedy for this DDoS hash attack.
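
The following Java program is an added example, not code from the original article. It shows why String.hashCode is simple enough that equal-hash keys can be built by hand, and a check a request filter could apply to spot such input. The class name HashCollisionDemo and the helpers collidingKeys and largestHashGroup are hypothetical names chosen for this example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class HashCollisionDemo {
    // "Aa" and "BB" share a hashCode because String.hashCode is
    // s[0]*31^(n-1) + ... + s[n-1]: 'A'*31 + 'a' == 'B'*31 + 'B' == 2112.
    // Appending equal-hash blocks of equal length keeps the hashes equal.
    static List<String> collidingKeys(int blocks) {
        List<String> keys = new ArrayList<>();
        keys.add("");
        for (int i = 0; i < blocks; i++) {
            List<String> next = new ArrayList<>(keys.size() * 2);
            for (String k : keys) {
                next.add(k + "Aa");
                next.add(k + "BB");
            }
            keys = next;
        }
        return keys;
    }

    // Defensive check (hypothetical helper): size of the largest group of
    // keys that share one hashCode. A filter could reject a request when
    // this exceeds a small threshold.
    static int largestHashGroup(Iterable<String> keys) {
        Map<Integer, Integer> counts = new HashMap<>();
        int max = 0;
        for (String k : keys) {
            max = Math.max(max, counts.merge(k.hashCode(), 1, Integer::sum));
        }
        return max;
    }

    public static void main(String[] args) {
        List<String> bad = collidingKeys(10);      // 1024 distinct keys
        List<String> normal = new ArrayList<>();   // constructed sample input
        for (int i = 0; i < bad.size(); i++) normal.add("param" + i);

        System.out.println("distinct hashCodes in colliding set: "
                + bad.stream().map(String::hashCode).distinct().count());
        System.out.println("largest group, colliding keys: " + largestHashGroup(bad));
        System.out.println("largest group, normal keys:    " + largestHashGroup(normal));
    }
}
```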

Preimage attack

There is another attack similar to the collision attack called the preimage attack.

To resist the preimage attack, two conditions need to be met. The first condition is that, given a hash value y, it is difficult to find an x such that hash(x) = y.

The second condition is that, given an x, it is difficult to find a different y such that hash(x) = hash(y).

Obviously, resistance to collision attacks requires the second condition, but not necessarily the first.
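
The Java program below is an added example, not part of the original article. It truncates SHA-256 to a 20-bit toy digest and counts how many hashes it takes to find any collision (hash(m1) = hash(m2)) versus a second input matching one fixed message (the second condition above). For an n-bit digest the first search needs on the order of 2^(n/2) hashes and the second on the order of 2^n. The class name, the method names, the 20-bit size and the sample strings are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class TruncatedHashDemo {
    static final int BITS = 20; // toy digest size (assumption for the demo)

    // First BITS bits of SHA-256(msg), as an int.
    static int toyHash(String msg) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(msg.getBytes(StandardCharsets.UTF_8));
        int v = ((d[0] & 0xff) << 16) | ((d[1] & 0xff) << 8) | (d[2] & 0xff);
        return v >>> (24 - BITS);
    }

    // Collision search: any two different inputs with equal toyHash.
    // Returns the number of hashes computed.
    static int findCollision() throws Exception {
        Map<Integer, String> seen = new HashMap<>();
        for (int i = 0; ; i++) {
            String m = "msg-" + i;
            String prev = seen.put(toyHash(m), m);
            if (prev != null) {
                System.out.println("collision: " + prev + " / " + m);
                return i + 1;
            }
        }
    }

    // Second-preimage search: a different input matching one fixed message.
    static int findSecondPreimage(String fixed) throws Exception {
        int target = toyHash(fixed);
        for (int i = 0; ; i++) {
            if (toyHash("try-" + i) == target) {
                System.out.println("second preimage of " + fixed + ": try-" + i);
                return i + 1;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hashes for a collision:       " + findCollision());
        System.out.println("hashes for a second preimage: "
                + findSecondPreimage("letter A"));
    }
}
```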

This article has been included in http://www.flydean.com/collision-attack/


flydean