Collision Attacks on Hash Functions Understanding the Legal Balance

1
Collision Attacks on Hash FunctionsUnderstanding
the Legal Balance

• Adrian McCullagh
• ISI
• Queensland University of Technology

2
Agenda

• Some Fundamentals
• Case studies
• Fraud by receiver of digitally signed document
• Fraud by the sender of digitally signed document
• Digital certificates
• Legal consequences
• Conclusion

3
Some Fundamentals

• Hash Functions
• Technology to secure
• data integrity
• Authenticity
• Efficiency for digital signatures
• Maps arbitrary finite inputs into fixed length
  strings. SHA-1 160 bits, SHA-256 256 bits.
• By analogy a hash function creates a unique
  finger print of a document.
• Change any aspect of the document and the hash
  will change. Works on the form of the document
  not the substance of the document.
• Based on block cipher or dedicated design.

4
Some Fundamentals

• Security Properties
• Pre-image resistance - for essentially ALL
  pre-specified outputs, it is computationally
  infeasible to find any input which hashes to any
  one of those outputs.
• 2nd pre-image resistance It is computationally
  infeasible to find any second input which has the
  same output as any SPECIFIED input.
• Collision resistance it is computationally
  infeasible to find any 2 distinct inputs X and X
  that hashes to the same output.
• Wang et al much published collision approach to
  undermine the 3rd characteristic..

5
Short DigressionBefore we discuss Digital
Signatures What is a Traditional Signature
6
Traditional Signatures

• Biometric Measurement
• (i) uncertain - based on probabilities
• (ii) relatively easy to replicate
• (iii) need not be fixed in ink
• (iv) free form can be any mark
• (v) relatively difficult to remove with out
  trace.
• (vi) once affixed forms part of the document -
  one composite thing

7
Traditional Signatures

• A traditional signature can be affixed by
  mechanical means and is not limited to pen on
  paper ( a stamp with the signature embossed on it
  can suffice) -good for Digital Signatures.
• The law in some cases concerning some documents
  not only specifies the form but also the
  substance. A deed can only be made of Vellum,
  parchment or paper. So this prevents the
  execution of an electronic deed.

8
Traditional Signatures

• Purpose of handwritten signature
• A signature is any mark that has been affixed by
  the signer with the intent to be bound by the
  contents of the document that has been signed.
• In commercial documents this intent is implied
  and can only in special circumstances be disputed
  such as when fraud is alleged or in the case of
  unconscionable conduct, duress, non est factum
  etc.

9
Traditional Signatures

• The difference between an autograph and a
  signature is that at the time of affixation the
  signer must have the intent to be bound by the
  contents of the document.
• So intention is an important element.

10
Proof of a Traditional Signature

• If a signature is disputed then the signature can
  be proved in the following manner
• (a) By the Witness who saw the signing of the
  document
• (b) By some person who has intimate knowledge of
  the person signature
• (c) By a handwriting expert
• For a digital signature none of these will be
  applicable. New mechanisms need to developed.

11
Witnessing

• Some Documents are required to be witnessed
• Deeds
• Transfers of Land
• Wills ( 2 witnesses)
• The witnessing requirement was the traditional
  security mechanism to counter act fraud.
• How can you witness the affixation of a digital
  signature.

12
Witnessing

• The law is very clear that the witness is not
  bound by the contents of the document as the
  witness does not have the necessary intention to
  be so bound. It is for this reason that the
  document should on its face designate the title
  of the person signing as a witness.

13
Witnessing

• The witness MUST have an uninterrupted view of
  the actual signing of the document by the person
  to be so bound.
• As will be seen this physical requirement can not
  be achieved with the affixing of a digital
  signature. The affixing of a digital signature
  occurs in computer memory.

14
Interlude overback to Digital Signatures and
Hash attacks
15
Trusting Digitally Signed Documents

• What is trust
• Absolute trust
• An entity unconditionally relies upon a outcome
  knowing the input and knowing the process that
  determined the outcome.
• Trust is therefore dependent upon expectation of
  a result knowing the input and the process
  involved
• Rarely achieved (from a signers perspective hand
  written signature is one of the few known
  examples)
• A digital signature does not provide absolute
  trust. There too many unknowns.

16
Trusting Digitally Signed Documents

• Generally TRUST involves probabilities
• In most situations knowledge is based on some
  belief on some information outside of the
  individuals control.
• Control is usually limited and based on internal
  information
• Belief is usually based on external information
• Need to assess reliability of external
  information
• Can we trust digitally signed documents.

17
Digitally signed documents

• Diffie Helman Seminal paper (1976)
• Diffie and Hellman in their seminal paper coined
  the phrase "unforgeable digital signatures and
  receipts are needed" within an electronic
  messaging system. Public key/private key
• Encrypt message using private key.
• The encrypted message becomes the digital
  signature. That is, authentication could be
  achieved. Also integrity could be achieved but
  does not fit with traditional signature culture.
• At the time of this paper (1976) computing speed
  was a substantial issue and using public key
  technology in this manner was highly inefficient
  (probably still is). Too Slow.

18
Digitally Signed Documents

• Rivest Shamir Adelman Paper (1978)
• Hash function can greatly enhance digital
  signature technology by affixing or logically
  associating some bits to a particular document.
• If electronic mail systems are to replace the
  existing paper mail system for business
  transactions, 'signing' an electronic message
  must be possible. The recipient of a signed
  message has proof that the message originated
  from the sender. This quality is stronger than
  authentication (where the recipient can verify
  that the message came from the sender) the
  recipient can convince a "judge" that he did not
  forge the message himself!

19
Digitally Signed Documents
20
Digitally Signed Documents
21
Digitally Signed Documents
22
Early issues with Hash Collisions

• Hans Dobbertin
• Seminal Paper Cryptanalysis of MD4, (1998),
• Part 7 of the paper discusses how crooks can use
  collisions to their advantage.
• Dobbertin was able to show by way of example the
  if a collision could be orchestrated that post
  digital signing material aspects of a document
  could be changed.
• Substantially undermining the evidential value of
  digital signatures.

23
Fraud by Receiver

• Most people are either dumb or do dumb things.
  Intelligence/knowledge has nothing to do with
  being dumb or doing dumb things.
• Most people are generally trusting of their
  fellow man/woman.
• Cynicisms has not yet conquered the world nor has
  paranoia.
• Maybe it should. As Cat Stevens once wrote
  Its a wild world out there
• In the cyber-environment it is sometime even
  wilder. Crooks flock to this environment because
  of jurisdictional issue and difficult
  tracing/evidential issues.

24
Fraud by the Receiver

• Bob Feez-Ruthless and Alice Noidea.
• Alice is the signer.
• Bob is the fraudster and the receiver of the
  message.
• Bob needs to get Alice to sign a particular
  message. That is a message that Bob is able to
  control and direct.
• This fraud is not easy as it requires meaningful
  alterations to be achieved to one document for
  creation of second document.

25
Fraud by the Receiver
26
Fraud by the Receiver
27
Fraud by the Receiver
28
Fraud by the Receiver
29
Fraud by the Receiver Evidentiary considerations
30
Fraud by the Receiver Evidentiary considerations
31
Fraud by the Receiver Evidentiary considerations
Steps Involved
Bob gets Alice to digitally sign a particular
contract of sale
Alice send digitally signed contract to Bob
Bob gets original contract of sale document from
Alice Bob alters original document to create
altered document Bob destroys original
document Bob signs altered document with
Alices digital signature on it
32
Fraud by the Receiver
Alice has kept copy of what she originally
signed She notes the difference and immediately
tells Bob Bob states he has contract Digitally
signed by her for the Larger Amount.
Alice has 2 documents A only signed by her
this Document is fairly useless as it Does not
have Bobs dig/sig on it B signed by both parties
33
Fraud by Sender

• Bob send a digitally signed offer to Alice in
  following form
• CONTRACT
• At the price of 276,495 Bob Feezruthless agrees
  to by the house owned by Alice Noidea. . . .
• Signed Bob Dig/Sig
• Alice to affix Dig/Sig here________________
• The structure of this document has been well
  crafted by Bob.
• Bob knows that the hash of this document has a
  collision with the altered document.

34
Fraud by Sender

• Alice digitally signs the document and sends it
  back to Bob keeping a copy.
• Bob alters the document by decreasing the amount
• CONTRACT
• At the price of 176,495 Bob Feezruthless agrees
  to by the house owned by Alice Noidea. . . .
• Signed Bob Dig/Sig Bob
• Alice to affix Dig/Sig
• here_Dig/Sig Alice
• Bob wants to settle for lower amount.
• Again Bob commences proceedings and seeks
  specific performance.

35
Legal implications

• The technology is the loser.
• Undermines commerce.
• Recent traffic offence case where was confused
  over this events of hash collisions.
• Did not understand limitations of these hash
  attacks.
• Bad press has caused courts to question this
  technology.

36
Digital Certificates

• Lenstra, Wang and weger developed method that
  constructs a pair of valid x509 certificates in
  which the to be signed parts form a collision
  with MD5.
• Uses the MD5 collision of Wang et al to construct
  a pair of different moduli that yeild a collision
  for MD5.
• Uses Wangs technique of finding collisions for
  any chaining state of MD5 and iterative structure
  of MD5.
• Result Issuer signatures in the Certificate will
  be the same when the issuer uses MD5
• Issue by looking at one of the collided
  certificates alone, one cannot determine the
  existence of the other.
• Implication A party using a public key
  certificate based on MD5 cannot be certain that
  alleged certificate subscriber has corresponding
  private key.
• This then undermines use of PKI and digital
  signatures.

37
Legal Consequences

• Total undermining of PKI.
• Adversely affects corporate confidence and trust
  in this type of technology.
• Legal issue of authentication comes into question.

38
Conclusion

• Too much publicity by ill-informed public press
  of the hash attacks
• Judiciary does not understand implications
• If there was a total successful attack which
  could result in meaningful alterations then major
  problem would arise.
• Substantial difficulties are still there to
  create meaningful alterations for attacks to be
  useful by crooks.