md5_sha1.pdf

Full Transcript

MD5: A Detailed Overview
The MD5 (Message-Digest Algorithm 5) is a cryptographic hash function that produces a fixed-size 128-bit
hash from an arbitrary-length input. It was invented by Ronald Rivest in 1991 as an improvement over
its predecessor, MD4, which had demonstrated vulnerabilities. For a long time, MD5 was widely used in
security applications, digital signatures, checksums, and file integrity verification. However, it has since been
shown to be susceptible to various forms of attack, including collision attacks, and has thus been replaced
in many contexts by more secure algorithms, such as the SHA family of hash functions.

1. Historical Context and Development of MD5
MD5 was developed as the fifth in a series of message-digest algorithms designed by Ronald Rivest. Its
predecessors were:

MD1: An algorithm that was never publicly released.
MD2: Designed for systems with 8-bit processors. It operates on 128-bit blocks and produces a 128-bit
digest.
MD3: Never publicly released.
MD4: A precursor to MD5, designed to be fast, but it showed several weaknesses, prompting the
creation of MD5.

By the early 1990s, there was a demand for stronger cryptographic hashes to protect digital data integrity.
MD4, the algorithm that MD5 would replace, had been found to be vulnerable to collision attacks. These
weaknesses led Rivest to design MD5, which addressed several of MD4’s security vulnerabilities. MD5 made
alterations to the processing of data and the design of its internal structure to prevent these vulnerabilities.
However, it would later become clear that MD5 itself had significant weaknesses. By the late 1990s,
cryptographers started to find minor weaknesses in MD5, and in the early 2000s, full-fledged attacks showed
that MD5 was broken for cryptographic use.

2. Technical Details and How MD5 Works
MD5 is a hash function, meaning it takes an input (or ”message”) and returns a fixed-size string of bytes.
This output is typically a digest of 128 bits, or 16 bytes, and it is used to represent the original data in a
compressed form. The key properties of a cryptographic hash function like MD5 include:

Deterministic: The same input will always produce the same hash output.
Pre-image resistance: Given a hash output, it should be computationally infeasible to reverse-
engineer the input.
Small changes to input produce drastically different outputs: Even changing a single bit in
the input should result in a completely different hash.
Fixed output size: No matter the size of the input, the output size will always be the same, which
is 128 bits (16 bytes) for MD5.

The Process of MD5:
1. Padding the Message:
MD5 processes data in 512-bit blocks. If the length of the input message is not a multiple of 512 bits,
the message is padded. Padding is done in such a way that the length of the message is congruent to
448 mod 512 (in other words, the total length should be 64 bits short of a full block). This ensures that
the message length after padding is a multiple of 512 bits. The padding consists of a 1 bit followed by
enough 0 bits to reach the required length.

1
 2. Appending the Length of the Message:
After padding, a 64-bit representation of the original message length is appended to the message. This
64-bit value represents the length of the original message in bits and is used as part of the internal
state to calculate the final hash.
3. Initializing the MD5 Buffer:
MD5 uses four buffers, each 32 bits in length. These buffers are initialized to specific constants that
represent hexadecimal integer values:
A = 0x67452301
B = 0xefcdab89
C = 0x98badcfe
D = 0x10325476
These buffers (A, B, C, D) will be modified throughout the hashing process and ultimately contain the
output hash.
4. Processing the Message in Blocks:
MD5 processes the message in 512-bit chunks. Each chunk is divided into sixteen 32-bit words, which
are processed in four rounds. Each round consists of 16 operations, and in total, the MD5 algorithm
performs 64 operations (16 for each round). The main operations involve non-linear functions and
bitwise shifts, which are used to shuffle and scramble the input message data.
The four rounds of operations involve the following key steps:

Non-linear functions: MD5 uses four different non-linear functions, denoted F, G, H, and I.
These are applied to the buffers (A, B, C, D) to process each 512-bit block of the message.
Bitwise operations and shifts: The algorithm performs a series of XORs, ANDs, ORs, and
bitwise shifts on the internal state and the current block of the message.
Modular addition: Each step in the round involves the addition of constants and the result of
previous operations, using 32-bit modular arithmetic.

The results of these operations are continuously fed back into the internal state (A, B, C, D), which
are updated after each round.
5. Output:
After all rounds are completed, the four 32-bit values (A, B, C, D) are concatenated to produce a
128-bit hash. This hash is then typically represented as a 32-character hexadecimal number.

Example of MD5 Hash Generation:
Let’s look at how MD5 processes a small input. For example, the MD5 hash of the string ”hello world” is
calculated as:

MD5("hello world") = 5eb63bbbe01eeed093cb22bb8f5acdc3

This 32-character hexadecimal string represents the compressed 128-bit hash of the input.

3. Strengths of MD5
For many years, MD5 was a popular choice for creating checksums, file integrity checks, and ensuring that
transmitted data had not been altered. Some of the primary advantages of MD5 during its early years
include:

Speed: MD5 is fast to compute, making it an attractive choice for large datasets and frequent hashing.

2
 Wide Adoption: MD5 became widely used in software applications, data storage systems, and even
early internet security protocols like SSL/TLS (though MD5 has since been replaced in modern versions
of these protocols).
Deterministic Behavior: A given input will always produce the same MD5 hash, making it suitable
for repeatable and verifiable operations, such as checksumming.

4. Weaknesses and Security Concerns
Despite its widespread adoption, MD5 began to show signs of weakness in the late 1990s. Cryptographers
were able to demonstrate theoretical vulnerabilities in MD5, and over time, these vulnerabilities were refined
into practical attacks that could break the algorithm’s security.
The major issues with MD5 include:

1. Collision Attacks:
The most well-known vulnerability of MD5 is its susceptibility to collision attacks. A collision attack
occurs when two different input messages produce the same hash output, which is a violation of the ”collision
resistance” property of cryptographic hash functions.
In 2004, researchers demonstrated the first practical collision attack against MD5. This attack showed
that it was possible to find two distinct inputs that generated the same hash in a relatively short amount of
time. This is problematic for security applications, especially in digital signatures and certificates, where a
collision could allow an attacker to forge a valid signature.

2. Pre-image Attacks:
MD5 is also vulnerable to pre-image attacks, where an attacker is able to reverse-engineer the input data
given only the hash output. While these attacks are less practical than collision attacks, they nonetheless
represent a significant weakness in the algorithm.

3. Length Extension Attacks:
MD5 suffers from a class of vulnerabilities known as length extension attacks. This type of attack exploits
the way MD5 processes data in blocks, allowing an attacker to ”extend” a message and compute a valid
hash for the extended message without knowing the original input. This can lead to serious security issues
in systems that use MD5 for authentication or integrity verification.

4. Speed as a Weakness:
While MD5’s speed was initially one of its strengths, it also became a weakness in modern cryptographic
contexts. MD5’s fast execution means that attackers can efficiently compute large numbers of hashes, making
brute-force and dictionary attacks feasible. In comparison, modern hash functions like bcrypt or Argon2 are
intentionally designed to be slower, making such attacks much more difficult.

5. Real-World Examples of MD5 Vulnerabilities
As MD5 vulnerabilities became well-known, they were exploited in several high-profile security incidents.
Some notable examples include:

1. 2008 Rogue Certificate Authority Attack:
In 2008, a team of researchers exploited MD5 collisions to create a rogue Certificate Authority (CA)
certificate. This attack allowed them to create valid, forged SSL certificates, effectively compromising the
trust model of the internet’s certificate infrastructure. The attack highlighted the dangers of using MD5 in
security-critical systems, and many organizations began transitioning away from MD5 following this event.

3
2. Flame Malware:
In 2012, the Flame malware used an MD5 collision attack to forge a Microsoft digital signature, allowing
the malware to spread undetected as a legitimate software update. This incident further underscored the
critical need to deprecate MD5 in security applications.

6. MD5 Alternatives and Transition to Secure Hash Functions
As MD5’s weaknesses became apparent, many organizations and security protocols began transitioning to
more secure cryptographic hash functions. The most common replacements include:

SHA-1: While initially seen as a secure replacement for MD5, SHA-1 has itself been found to be
vulnerable to collision attacks and is no longer considered secure for most cryptographic purposes.

SHA-2 (SHA-256, SHA-512): The SHA-2 family of hash functions is widely used in modern
cryptographic applications. SHA-256, for example, produces a 256-bit hash and is commonly used in
blockchain systems, digital certificates, and secure communication protocols.
SHA-3: A more recent addition to the Secure Hash Algorithm family, SHA-3 provides an alternative
to SHA-2 and is designed to be resilient against the kinds of attacks that have compromised MD5 and
SHA-1.

7. Conclusion: MD5’s Legacy and Lessons Learned
MD5 played a significant role in the development of cryptographic hash functions and was widely used in
both security and non-security applications. Its weaknesses, however, have made it unsuitable for modern
cryptographic use, and most systems have transitioned to stronger algorithms. Despite its obsolescence,
MD5 remains a crucial part of the history of cryptography, providing valuable lessons about the challenges
of designing secure hash functions and the need for ongoing cryptographic research.
In today’s security landscape, understanding MD5’s vulnerabilities helps in assessing legacy systems
and ensuring that modern cryptographic standards are upheld in software development and data protection
practices.
SHA-1 (Secure Hash Algorithm 1) is a widely recognized cryptographic hash function developed by the
National Security Agency (NSA) and first published by the National Institute of Standards and Technology
(NIST) in 1993 as a Federal Information Processing Standard (FIPS PUB 180). Although it was once
considered secure and widely used in various security protocols and applications, such as SSL certificates
and digital signatures, SHA-1 has since been deprecated due to significant cryptographic vulnerabilities,
including collision attacks. It is now regarded as insecure for cryptographic use and has been replaced by
more secure algorithms such as SHA-2 and SHA-3.
This comprehensive description of SHA-1 will explore its origins, structure, functionality, cryptographic
properties, weaknesses, real-world attacks, and eventual obsolescence, with comparisons to modern hash
functions and an understanding of how SHA-1 shaped cryptographic standards.

1. Historical Context and Development of SHA-1
SHA-1 is a member of the Secure Hash Algorithm family, which includes various hash functions, such as
SHA-0, SHA-2, and SHA-3. SHA-1 was developed as an enhancement of its predecessor, SHA-0, which was
also published by NIST in 1993. SHA-0 had a design flaw that made it vulnerable to cryptographic attacks,
and it was quickly superseded by SHA-1, which introduced several improvements to address those issues.
SHA-1 remained the dominant cryptographic hash function for over a decade and was widely adopted in
numerous applications, including:

Digital signatures (e.g., Digital Signature Algorithm (DSA) and RSA signatures)
SSL/TLS certificates for securing web communications

4
 Cryptographic checksums for verifying data integrity
Version control systems (e.g., Git) for generating commit hashes

Despite its widespread use, cryptographic researchers began uncovering vulnerabilities in SHA-1 in the
early 2000s, culminating in practical collision attacks in the mid-2010s. As a result, SHA-1 is no longer
considered secure for modern cryptographic applications.

2. Technical Structure and Functionality of SHA-1
SHA-1 is a cryptographic hash function that takes an input of arbitrary length and produces a fixed-
size output of 160 bits (20 bytes). The resulting output is commonly referred to as the hash value or
message digest. Hash functions like SHA-1 are designed to be fast, deterministic, and irreversible, with
three key cryptographic properties: pre-image resistance, second pre-image resistance, and collision
resistance.

2.1 The Compression Function
The core of SHA-1’s operation lies in its compression function, which processes the input message in blocks
of 512 bits (64 bytes). The compression function is based on the Merkle-Damgård construction, a
well-known design for iterated hash functions. The Merkle-Damgård construction ensures that SHA-1 can
process messages of arbitrary length while still producing a fixed-length output.
Each 512-bit block of the message is processed in conjunction with a 160-bit internal state, which is
composed of five 32-bit registers, labeled A, B, C, D, and E. These registers are initialized with specific
constants, and their values are updated throughout the hashing process as the message blocks are processed.
The five registers ultimately hold the final hash value after all blocks of the message have been processed.

2.2 The Steps of SHA-1
The overall SHA-1 algorithm consists of the following major steps:

2.2.1 Padding the Message
SHA-1 first prepares the input message by padding it to ensure its length is a multiple of 512 bits. Padding
is done by appending a ‘1‘ bit followed by a sequence of ‘0‘ bits until the message length is 448 bits modulo
512. Finally, a 64-bit integer representing the original length of the message (in bits) is appended to the
padded message. This ensures that the total message length after padding is a multiple of 512 bits, which is
required for SHA-1’s block-processing mechanism.

2.2.2 Initializing the Registers
The five 32-bit registers (A, B, C, D, and E) are initialized to the following constant values, expressed in
hexadecimal notation:

A = ‘0x67452301‘
B = ‘0xEFCDAB89‘
C = ‘0x98BADCFE‘
D = ‘0x10325476‘

E = ‘0xC3D2E1F0‘

These initial values are chosen based on the fractional parts of the square roots of small prime numbers,
a technique similar to that used in the MD5 hash function.

5
2.2.3 Processing the Message in Blocks
The message is divided into 512-bit blocks, each consisting of sixteen 32-bit words. These words are expanded
into eighty 32-bit words through a series of bitwise operations, including shifts and rotations. For each block,
the SHA-1 algorithm performs eighty rounds of operations, organized into four stages (each stage consists
of twenty rounds). During each round, the algorithm computes new values for the registers based on the
previous register values and the current message word.
Each round of SHA-1 uses one of four nonlinear functions, denoted F1, F2, F3, and F4, which involve
combinations of logical operations such as AND, OR, XOR, and NOT. These functions are applied to the
register values, and the results are mixed with the current message word and a constant value specific to the
current stage of the algorithm.
The constants used in each stage are:

Stage 1: K = ‘0x5A827999‘

Stage 2: K = ‘0x6ED9EBA1‘
Stage 3: K = ‘0x8F1BBCDC‘
Stage 4: K = ‘0xCA62C1D6‘

After all eighty rounds are complete, the values in the registers A, B, C, D, and E are added to the initial
register values to produce the final state for this block of the message.

2.2.4 Outputting the Hash Value
Once all blocks of the message have been processed, the final values of the registers A, B, C, D, and E
are concatenated to form the 160-bit hash value. This hash value is typically represented as a 40-character
hexadecimal string.

2.3 Example of SHA-1 Hash Generation
To illustrate the process, let’s take an example of generating a SHA-1 hash for a simple input string, ”hello
world”. The hash value for this input, expressed as a 40-character hexadecimal string, is:

SHA-1("hello world") = 2AAE6C35C94FCFB415DBE95F408B9CE91EE846ED

This 160-bit hash value is the fixed-size output of the SHA-1 algorithm, regardless of the size of the input
message.

3. Cryptographic Properties of SHA-1
As a cryptographic hash function, SHA-1 was designed to provide the following properties:

3.1 Pre-image Resistance
Pre-image resistance means that, given a hash value ‘h‘, it should be computationally infeasible to find an
input message ‘m‘ such that ‘H(m) = h‘. In other words, it should be difficult to reverse the hash function
to find the original input that produced a given hash value.

3.2 Second Pre-image Resistance
Second pre-image resistance means that, given an input message ‘m1‘, it should be computationally infeasible
to find a different message ‘m2‘ such that ‘H(m1) = H(m2)‘. This property ensures that it is difficult to find
two distinct messages that produce the same hash value.

6
3.3 Collision Resistance
Collision resistance means that it should be computationally infeasible to find two different messages ‘m1‘
and ‘m2‘ such that ‘H(m1) = H(m2)‘. Collision attacks exploit this weakness by finding two distinct inputs
that hash to the same output, which undermines the integrity of the hash function.
For SHA-1, these properties were considered secure when it was first introduced. However, cryptographic
advances have since demonstrated that SHA-1 is vulnerable to collision attacks, as we will explore in detail
later.

4. Vulnerabilities and Weaknesses in SHA-1
Over time, cryptographic researchers identified significant weaknesses in SHA-1 that made it increasingly
vulnerable to attacks. The most critical issue is the algorithm’s susceptibility to collision attacks, which
are discussed in detail below.

4.1 Theoretical Weaknesses
The first signs of trouble for SHA-1 came in the early 2000s when cryptographers began identifying theoretical
weaknesses in the algorithm. In 2005, a team of researchers led by Xiaoyun Wang and Hongbo Yu presented
a groundbreaking paper that described a method for finding collision pairs in SHA-1 with a computational
complexity of about 263 operations, which was far less than the expected complexity of 280 for an ideal
160-bit hash function.
Although this attack was not practical at the time, it marked a significant step toward demonstrating
that SHA-1 was not as secure as previously believed.

4.2 Practical Collision Attacks
In February 2017, a team from Google and the CWI Institute in Amsterdam announced the first practical
collision attack against SHA-1. They created two different PDF files that produced the same SHA-1 hash,
demonstrating a real-world example of a collision attack. This attack, known as the SHAttered attack,
had a complexity of approximately 261 operations, far below the theoretical limit of 280.
The SHAttered attack had serious implications for any systems that still relied on SHA-1 for data integrity
or security, including SSL certificates and version control systems.

4.3 Length Extension Attacks
SHA-1, like many hash functions based on the Merkle-Damgård construction, is also vulnerable to length
extension attacks. In a length extension attack, an attacker who knows the hash of a message ‘m‘ (but
not the message itself) can append additional data to the message and compute the hash of the extended
message without knowing the original message content. This vulnerability can be problematic in systems
where hashes are used for message authentication or integrity verification.

4.4 Collision Attack Complexity and Its Implications
As demonstrated by the SHAttered attack, the complexity of finding collisions in SHA-1 is far lower than
originally expected. The reduced complexity of 261 operations means that well-funded adversaries, such
as nation-states or large organizations, could feasibly execute collision attacks against SHA-1. This has
profound implications for the security of any system that continues to rely on SHA-1.

5. Real-World Impacts of SHA-1 Vulnerabilities
The vulnerabilities in SHA-1 have had far-reaching consequences, leading to its deprecation and replacement
by more secure hash functions. Several high-profile incidents and decisions have underscored the importance
of phasing out SHA-1 in favor of more secure alternatives.

7
5.1 Deprecation of SHA-1 in Web Security
One of the most significant impacts of SHA-1’s vulnerabilities has been its deprecation in web security
protocols, particularly in SSL/TLS certificates. Starting in 2014, major web browsers, including Google
Chrome, Mozilla Firefox, and Microsoft Edge, began phasing out support for SHA-1 certificates. By 2017,
most major browsers displayed warnings or blocked access to websites that used SHA-1-based certificates,
as they were no longer considered secure.

5.2 SHA-1 in Version Control Systems
Version control systems like Git have also been affected by the vulnerabilities in SHA-1. Git uses SHA-1 to
generate unique identifiers for commits, and although Git’s use of SHA-1 is not directly security-critical, the
possibility of collision attacks has raised concerns about the integrity of commit histories. As a result, the
Git community has been working to transition to more secure hash functions, such as SHA-256, to mitigate
the risks associated with SHA-1.

5.3 Impact on Digital Signatures
SHA-1 has historically been used in conjunction with digital signature algorithms, such as RSA and DSA.
However, the discovery of collision attacks against SHA-1 has rendered these signatures insecure. As a
result, government agencies, organizations, and standards bodies have moved away from SHA-1-based digital
signatures and adopted more secure alternatives, such as SHA-256 and SHA-3.

6. Transition to SHA-2 and SHA-3
As the vulnerabilities in SHA-1 became apparent, cryptographers and standards bodies began recommending
the use of more secure hash functions, namely SHA-2 and SHA-3.

6.1 SHA-2 (SHA-256, SHA-512)
SHA-2 is a family of hash functions that includes SHA-256 and SHA-512, among others. These algorithms
produce hash values of 256 bits and 512 bits, respectively, and are considered secure for most cryptographic
applications. SHA-2 is widely used in modern cryptographic protocols, including SSL/TLS, digital signa-
tures, and blockchain technology.

6.2 SHA-3
SHA-3, also known as Keccak, is a more recent addition to the Secure Hash Algorithm family. Unlike SHA-
1 and SHA-2, which are based on the Merkle-Damgård construction, SHA-3 uses a sponge construction,
which makes it resistant to the types of attacks that have compromised SHA-1. SHA-3 is designed to be an
alternative to SHA-2, though both algorithms are considered secure for cryptographic use.

7. Conclusion: SHA-1’s Legacy and Obsolescence
SHA-1 was once the gold standard for cryptographic hash functions, used in a wide range of security appli-
cations. However, the discovery of practical collision attacks and other vulnerabilities has rendered SHA-1
obsolete for cryptographic use. Today, SHA-1 is largely deprecated, and systems that rely on SHA-1 are
being transitioned to more secure hash functions, such as SHA-2 and SHA-3.
The downfall of SHA-1 serves as a cautionary tale in the field of cryptography, highlighting the need
for ongoing research, vigilance, and adaptation in the face of evolving cryptographic threats. While SHA-
1 played a pivotal role in the development of cryptographic standards, its vulnerabilities underscore the
importance of using strong, modern algorithms to protect data integrity and security in today’s digital
world.

8
Overview of SHA-1
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function developed by the National Security
Agency (NSA) and published by the National Institute of Standards and Technology (NIST) in 1995. It
produces a 160-bit (20-byte) hash value, typically rendered as a 40-digit hexadecimal number. SHA-1 is
widely used in various security applications and protocols, including TLS and SSL, PGP, SSH, and IPsec.

Key Characteristics
Input: Any length less than 264 bits.
Output: A fixed 160-bit hash.
Deterministic: The same input will always produce the same hash.

Pre-image Resistance: Difficult to reverse-engineer the original input from its hash.

SHA-1 Algorithm Steps
1. Message Padding:
Append a single ’1’ bit to the original message.
Add ’0’s until the message length is congruent to 448 modulo 512.
Append the original message length as a 64-bit big-endian integer.

2. Initialize Five 32-bit Hash Variables:

h0 = 0x67452301
h1 = 0xEF CDAB89
h2 = 0x98BADCF E
h3 = 0x10325476
h4 = 0xC3D2E1F 0

3. Process the Message in 512-bit Blocks:
For each block:

a. Prepare Message Schedule:
Divide the block into sixteen 32-bit words W0 , W1 ,... , W15.
For t = 16 to 79:
Wt = ROL1 (Wt−3 ⊕ Wt−8 ⊕ Wt−14 ⊕ Wt−16 )
b. Initialize Working Variables:

A = h0
B = h1
C = h2
D = h3
E = h4

c. Main Loop (80 Rounds):
For t = 0 to 79:
Compute Functions:
– Round 0-19: F = (B ∧ C) ∨ (¬B ∧ D), K = 0x5A827999

9
 – Round 20-39: F = B ⊕ C ⊕ D, K = 0x6ED9EBA1
– Round 40-59: F = (B ∧ C) ∨ (B ∧ D) ∨ (C ∧ D), K = 0x8F 1BBCDC
– Round 60-79: F = B ⊕ C ⊕ D, K = 0xCA62C1D6
Update Temp Variable:

TEMP = ROL5 (A) + F + E + K + Wt

Update Working Variables:

E=D
D=C
C = ROL30 (B)
B=A
A = TEMP

d. Add Chunk’s Hash to Resulting Hash:

h0 = h0 + A
h1 = h1 + B
h2 = h2 + C
h3 = h3 + D
h4 = h4 + E

4. Produce Final Hash Value:
Concatenate h0 || h1 || h2 || h3 || h4 to form the 160-bit hash.

Visual Representation

[Message] → [Padding] → [512-bit Blocks]
↓
[Initialize h0 -h4 ]
↓
[Process Each Block]
↓
[Update h0 -h4 ]
↓
[Final Hash Value (160-bit)]

Figure 1: SHA-1 Processing Steps

10