4/9/2015

HackThisSite!

Hash Collisions and the Birthday Attack

Published by: raddy1313, on 2010-02-16 21:44:56

Introduction
Last time, I talked about brute force attacks and how efforts to reduce the keyspace of a given algorithm can greatly reduce your computational time (link). This article will discuss hash collisions and the probability of collisions occurring via the birthday paradox. Though this doesn't inherently provide you with any more tools or methods in terms of cracking hashes, it does provide the theory behind generating hash collisions which can severely compromise the security of an algorithm.

Hash Collisions

To quickly review, cryptographic hash functions work by taking in a string (i.e., your password), performing some mathematical operations on it, and spitting out hexadecimal garbage that is utterly uninformative to anyone. If the algorithm is well designed, the mathematical operations will be one-way; that is, it is either impossible or so computationally impractical to take a hash and run it backwards through the algorithm to regurgitate the original string. The easiest way to get your desired password is to match the hash by testing every possible password and seeing if the hashes match, otherwise known as brute forcing. Unfortunately, this can take a long time and there are more efficient means at our disposal.

One method is to try and get the algorithm to generate what is known as a "hash collision". From the previous article, we showed that using the hashing algorithm from ExtBasic 11, passwords containing the same set of letters would always generate the same hash, regardless of what order the letters were in ("aab" was the same as "aba" was the same as "baa"). This is a hash collision, two or more separate strings creating an identical hash. Since real world algorithms do not use such simplistic methods, collisions do not occur so easily, but they do occur. In fact, we know that they must occur!

Take the MD5 algorithm, for example. For every password that is entered, the algorithm will always return a hash that is 128 bits long, or a string of 32 hexadecimal characters. From that, we know that there are a finite number of hashes that can be generated, but the number of passwords entered can be infinite. To put this into perspective, there are 94 characters on a normal keyboard (52 capital and lowercase letters, 10 numbers, and 32 assorted symbols; as far as I know, there are no illegal characters in the MD5 algorithm). Assuming a password length of 20, we use our permutation equation from before:

CODE:
n^k = 16^32 = 2^128 = 3.4e38 possible hashes
94^20 = 2.9e39 possible passwords

So from this, we know that if we try every possible password with 20 characters or more, eventually we will generate a hash collision!

However, this is not really good news. To test every password at a speed of 6 million hashes per second (my laptop's average hashing speed) would take 1.5e25 years, orders of magnitude longer than any timespan our brains could possibly conceive. Additionally, since we have to store each hash we compute so that we can check it against future ones and knowing each hash occupies 16 bytes, that means we would have to have so many 2TB HDD that if they were laid out in a grid, they would cover the entire Earth's surface 1,100 miles deep. So what to do? Luckily, probability is on our side.

The Birthday Paradox

If you have ever taken a statistics and probability class, you have probably learned about the birthday paradox. It goes something like this: Take a room of 50 people. What are the odds that at least two people
will have the same birthday?

Thinking about this quickly, there are 365 days in a year (Leap year births not counted; they aren't real people anyway), 50 people, so maybe 1 in 6, or about 17%? Wrong. In reality, the probability is a whopping 97%! This is unbelievably high, surely there must be a mistake! Well, let's look at the math.

In a room of 50 people, we're trying to match two birthdays. So taking any one birthday, there are 49 possible matches to be made. However, if we compare every birthday to every other birthday, our number of possible matches greatly increases and we can use our friend, the combination without replacement equation:

CODE:
50! / (2!(50-2)!) = 1,225 combinations

So to think about what this problem is asking in another way, if we had 2,450 people and we paired them off randomly with each other, what are the odds that a person would have the same birthday as the person he was paired with? With 1,225 pairs, now it doesn't seem so far-fetched that there's a 97% chance there will be a match.

But how does this apply to hash collisions? Well, since we are simply trying to find two passwords with the same hash ("birthday") it turns out we don't have to calculate the heinous number of passwords we originally thought. The birthday paradox simplifies down to the following equation:

CODE:
k! / ((k^n)(k-n)!) = P

Where "k" is the maximum number of items we're trying to match (birthdays, in the example), "n" is our sample space (number of people), and "P" is the probability of finding a match. Since factorial calculations rapidly exceed the allowable size of most calculators, the Taylor Series approximation is also useful (for those of us struggling to remember algebra, "e" is the exponential constant and is approximately 2.718):

CODE:
P = 1 - e^(-(n^2)/(2*k))
Solving for n:
n = sqrt(-ln(1-P)*2*k)

Our "k" is determined by the maximum number of hashes for the algorithm, 3.4e38 as mentioned above.

Alright, we've got our equation, now we just need to plug and chug. Since k is fixed, we just need to figure out what is an acceptable probability. I think 99% gives us pretty good odds, so we'll use P = 0.99. Plugging it into our equation, we discover that we only need to calculate 5.98e19 hashes for a 99% chance of generating a hash collision, less than one trillionth of a percent of our original keyspace. Note that this still presents a formidable logistic challenge, but the computing power is within reach for someone on a relatively modest budget; a cluster of 4 PlayStation 3s could crunch that many hashes in just over 8 months.
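
Added example, not part of the original article: this Python sketch evaluates the birthday probability exactly (as a running product, so no huge factorials), applies the Taylor approximation and its inverse from the CODE blocks above, and then finds a real collision on MD5 truncated to 24 bits to show the square-root bound in practice. The 24-bit truncation, the constructed `msg-<i>` inputs and all function names are assumptions chosen for illustration.

```python
import hashlib
import math
from itertools import count

def p_exact(n: int, k: int) -> float:
    """Chance that at least two of n uniform samples from k values match."""
    if n > k:
        return 1.0                      # pigeonhole: a match is certain
    p_distinct = 1.0
    for i in range(n):                  # running form of k! / (k^n * (k-n)!),
        p_distinct *= (k - i) / k       # the chance that all n are distinct
    return 1.0 - p_distinct

def p_approx(n: float, k: float) -> float:
    """Taylor approximation: P = 1 - e^(-(n^2)/(2*k))."""
    return -math.expm1(-(n * n) / (2.0 * k))

def n_for(p: float, k: float) -> float:
    """Inverse of the approximation: n = sqrt(-ln(1-P)*2*k)."""
    return math.sqrt(-math.log1p(-p) * 2.0 * k)

def truncated_md5(data: bytes, bits: int) -> int:
    """Top `bits` bits of MD5(data): a deliberately tiny hash space."""
    return int.from_bytes(hashlib.md5(data).digest(), "big") >> (128 - bits)

def find_collision(bits: int):
    """Hash constructed inputs msg-0, msg-1, ... until a stored digest repeats."""
    seen = {}                           # digest -> first input that produced it
    for i in count():
        msg = b"msg-%d" % i
        digest = truncated_md5(msg, bits)
        if digest in seen:
            return seen[digest], msg, i + 1   # both inputs, hashes computed
        seen[digest] = msg

if __name__ == "__main__":
    print("50 people: exact %.4f, approx %.4f" % (p_exact(50, 365), p_approx(50, 365)))
    bits = 24                           # assumption: small enough to run in seconds
    a, b, tried = find_collision(bits)
    print("%d-bit collision after %d hashes: %r / %r" % (bits, tried, a, b))
    print("predicted hashes for P=0.5: %.0f, P=0.99: %.0f"
          % (n_for(0.5, 2 ** bits), n_for(0.99, 2 ** bits)))
```

Each extra bit of digest length doubles the hash space but raises the collision work only by a factor of sqrt(2), which is why a hash's collision resistance is rated at half its digest length.
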
Conclusion
It is important to note that finding two passwords with the same hash is NOT the same as finding two passwords that will generate a specific hash. That is, if you have a specific hash, your best bet is to still go with a traditional brute force attack because the birthday problem only applies to matching ANY two passwords with the same hash, not just the one you're looking for. However, if we are able to generate a hash collision, we can start analyzing the calculations performed to generate the hash and, hopefully, figure out why the collision occurred and manipulate that information to our advantage.

To that end, a distributed computing project in 2004 known as MD5CRK did that very thing and successfully found collisions within the MD5 algorithm. They were able to manipulate the algorithm and generate matching hashes with considerably less computing time than with a brute force attack. Improvements upon their work have resulted in astounding vulnerabilities in the MD5 algorithm. In 2006, a Czech cryptologist named Vlastimil Klima published an algorithm that was able to generate an MD5 hash collision, on average, in 17 seconds using a 3.4GHz Pentium 4 (link, PDF). Despite these severe vulnerabilities, MD5 remains one of the most popular cryptographic hash functions in use.

Comments:
Published: 11 comments.

eljonto 04:38 am Wednesday February 17th, 2010
Very interesting, sorta reminds me of something I read in a book a while back about false positives, where something that has a certain degree of accuracy can be utterly inaccurate with the margin of error.
/me likes it, 10*

raddy1313 06:03 am Wednesday February 17th, 2010
I just noticed an error... in the third to last paragraph it says: "Our 'n' is determined by the maximum number of hashes for the algorithm."
That should read: "Our 'k' is determined..." Sorry for any confusion!

eljonto 06:52 am Wednesday February 17th, 2010
Edited.

V1rtualV3ndetta 03:49 am Saturday February 20th, 2010
Once again you managed a great article. Please keep them coming. I enjoy learning new things. I was able to keep up with most of the math until we hit an extremely complex equation, but I do not blame myself, I am still in high school and have only taken a single class covering that subject for but a few weeks. Thanks for the great info, this really helped me understand not only how hashes work, but how we can put them to work for our benefit.
10*

raddy1313 04:00 am Saturday February 20th, 2010
Thanks, I'm really glad you're liking these articles. I'm constantly learning new stuff about crypto, so I should have a steady supply of information coming for a while. Thanks again!
Also, if you have questions about the math, post them or PM them to me. More than likely, you're not the only person so I may write a short article detailing commonly used math operators and functions.

hacker2296 06:18 am Friday March 05th, 2010
I think the new standard is going to be the SHA-2 family sometime this year, at least for the U.S. government. Also, the SHA-3 algorithms are going to be in development via a public competition. Just some random information, thought it was interesting that despite the government migrating, the public uses the potentially insecure MD5 generally.
Looking forward to more articles like this one. (and hopefully one on advanced mathematical subjects for people like me whose brains might explode soon)

BlackListedAnonymous 11:23 pm Sunday March 21st, 2010
Good article.. very interesting.. too bad i suck b@lls at math :D

paisho 08:30 pm Wednesday March 24th, 2010
That was incredibly easy to understand! Thanks so much, 10.

tech2077 06:39 am Sunday May 09th, 2010
this is one article that actually has a great explanation on all levels, complex enough to convey perfect and accurate info, but still explained enough where i can get it :P. 11 if i could :)

magickiddo 04:51 pm Sunday June 06th, 2010
impressive! Thanks a lot~

At_lArge 09:29 am Wednesday July 28th, 2010
Awesome, the first real use I've seen for that sort of math I'm learning at school.
And when you do generate a successful hash collision, does that then allow you to try and work out the original hash algorithms? (im n00b)

HackThisSite is the collective work of the HackThisSite staff, licensed under a CC BY-NC license. We ask that you inform us upon sharing or distributing.