Chosen-prefix collisions for MD5 and applications

Marc Stevens, Arjen K. Lenstra, Benne De Weger
2012 International Journal of Applied Cryptography  
We present a novel, automated way to find differential paths for MD5. Its main application is in the construction of chosen-prefix collisions. We have shown how, at an approximate expected cost of $2^{39}$ calls to the MD5 compression function, for any two chosen message prefixes $P$ and $P'$, suffixes $S$ and $S'$ can be constructed such that the concatenated values $P \| S$ and $P' \| S'$ collide under MD5. The practical attack potential of this construction of chosen-prefix collisions is of greater concern than the ... MD5-collisions that were published before. This is illustrated by a pair of MD5-based X.509 certificates one of which was signed by a commercial Certification Authority (CA) as a legitimate website certificate, while the other one is a certificate for a rogue CA that is entirely under our control (cf. http://www.win.tue.nl/hashclash/rogue-ca/). Other examples, such as MD5-colliding executables, are presented as well. More details can be found on http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/.
doi:10.1504/ijact.2012.048084 fatcat:ykzgio3vpzd3hk5ufr7g66zmpa