WEBVTT 0 00:02.360 --> 00:03.530 Hello guys! 1 00:03.530 --> 00:09.680 Now that you know so much about hashes let’s move on a see wall talk about attacks on 2 00:09.680 --> 00:12.400 hash algorithms. 3 00:12.650 --> 00:16.080 There are 3 types of attacks on hash algorithms: 4 00:16.310 --> 00:24.050 A collision attack on a cryptographic hash tries to find two inputs producing the same hash value hence 5 00:24.080 --> 00:32.480 the name hash collision. One of the properties of hash functions is that there is a unique hash for each 6 00:32.510 --> 00:33.520 input. 7 00:33.590 --> 00:41.270 So how could we have the same hash for more different inputs because a hash function can have an infinite 8 00:41.300 --> 00:45.070 number of inputs and a predefined output length, 9 00:45.080 --> 00:51.390 for example sha256 always produces a hash of 256 bits long, 10 00:51.470 --> 00:58.880 there is inevitably going to be the possibility of two different inputs that produce the same output 11 00:58.880 --> 01:08.250 hash. If two different inputs produce the same output hash it is called a collision which can then be 12 01:08.250 --> 01:17.100 exploited by any application that compares to hashes together - such as password hashes, file integrity, 13 01:17.100 --> 01:27.540 checks and so on. The odds of a collision are very low especially for new and secure hash functions with 14 01:27.540 --> 01:36.150 very large output sizes. However, as available computational power increases, the ability to brute force 15 01:36.180 --> 01:42.100 hash collisions becomes more and more feasible. At this moment 16 01:42.320 --> 01:51.140 in 2020, the SHA-2 family of hash algorithms are considered strong enough to be safe for the foreseeable 17 01:51.140 --> 02:02.700 future. If you are trying to perform a coalition attack on sha-256 or sha-512 at a rate which is a thousand 18 02:02.730 --> 02:07.360 times faster than the fastest computer in the world 19 02:07.410 --> 02:18.560 you'll need a longer time than the age of the universe. However old and obsolete harsh algorithms like 20 02:18.560 --> 02:26.960 md5 or sha1 are not considered secure anymore because it's trivial to find collisions. 21 02:27.130 --> 02:34.920 I'll show you an example of a collision of md5 and a collision of sha1. 22 02:34.970 --> 02:43.490 Let's take a look at these two images! 23 02:43.580 --> 02:47.150 You'll notice for sure that they are completely different. 24 02:47.450 --> 02:52.460 Let's calculate their hashes using md5. 25 02:52.590 --> 02:59.450 They are on my desktop directory in another directory called hash collisions. 26 02:59.530 --> 03:01.450 I am moving to that directory. 27 03:03.370 --> 03:11.680 Okay so md5sum plane.jpg and ship.jpg - the images 28 03:15.310 --> 03:24.550 and surprise: we notice that even though the input is different, the output hash is the same. 29 03:24.550 --> 03:34.920 This is a collision of md5. If I used another algorithm I would get different hashes. Let's calculate 30 03:34.930 --> 03:37.060 their hashes using sha 1. 31 03:40.180 --> 03:41.580 It's different. 32 03:41.740 --> 03:43.060 This is a collision 33 03:43.150 --> 03:46.460 Only for md5. Now 34 03:46.520 --> 03:57.120 let's see another collision, this time of the sha1 algorithm. PDF files that display 35 03:57.120 --> 04:01.800 different content, yet have the same SHA-1 digest. 36 04:01.920 --> 04:03.750 This is the first PDF. 37 04:04.530 --> 04:08.140 And this is the second; okay! 38 04:08.180 --> 04:17.140 These are the PDFs. Let's see their hashes sha1sum and the PDF files. 39 04:20.140 --> 04:30.740 They have the same hash! By the way to find these two colliding files was not an easy job. 40 04:30.790 --> 04:38.930 It was the shattered project led by Google Research Security in 2017. 41 04:38.980 --> 04:42.000 You can find more information here. 42 04:42.010 --> 04:51.670 at shattered.io. The attack "the equivalent processing power of 6,500 years of 43 04:51.670 --> 05:02.320 single-CPU computations. tThe team has spent two years developing the technique and 44 05:02.330 --> 05:10.630 and the cost of the resources involved was more than $130,000 at that time. 45 05:11.120 --> 05:19.940 Many collisions exist in all hash algorithms but you cannot find any in a reasonable amount of time 46 05:20.060 --> 05:22.730 because it could take you years. 47 05:22.730 --> 05:30.200 I’ll attach to this lecture the files that produce the collisions as a resource. Another attack 48 05:30.260 --> 05:38.540 on a hash algorithm is called 1st preimage attack and it means to find the message that has a specific/ 49 05:38.620 --> 05:46.590 a given hash value. If a simple collision means to find two messages that have the same hash. 50 05:46.590 --> 05:53.910 1st preimage attack means to find the message that has a given hash and it's much harder to be performed 51 05:54.180 --> 05:56.670 but also more destructive. 52 05:56.670 --> 06:04.650 Imagine someone has the hash of a password and finds a completely new password, not to the correct one, 53 06:04.890 --> 06:13.730 that has the same hash as the good one. And the last attack is called the second preimage attack. 54 06:13.760 --> 06:20.920 It means that for a given message you should find another message that has the same hash. 55 06:20.930 --> 06:23.050 This is also very destructive. 56 06:23.060 --> 06:30.170 Just imagine you have a very important document that you want to send to someone and the hacker creates 57 06:30.230 --> 06:34.190 a second to document that has the same hash. 58 06:34.190 --> 06:40.220 The shattered attack we've just seen is just a collision, not a preimage attack. 59 06:40.310 --> 06:47.780 In general a collision attack is easier to be performed than a preimage attack, as it is not restricted 60 06:47.810 --> 06:52.330 by any set value (any two values can be used to collide).