
Laboratory 4 CRC32 Collisions: Colisiones

This document describes a laboratory experiment on finding collisions in the CRC32 hash function. The objectives are to understand why CRC32 is not suitable for digital signatures and to contrast two methods for finding hash collisions - random switching and a "strong collision attack" that stores previously generated hashes. The laboratory instructions provide requirements to run collision finding software and guides students through experiments to find CRC32 collisions using both methods. Key findings are that the strong collision attack is more efficient at finding collisions and that CRC32 is not suitable for digital signatures due to the ease of generating collisions.

POLITÉCNICO GRANCOLOMBIANO

INSTITUCION UNIVERSITARIA
COLLISIONS
SYSTEMS ENGINEERING

Laboratory 4
CRC32 Collisions
0. Introduction

CRC32 is a network transmission check code useful in verifying whether
a message has been altered or not. However, several applications use
CRC32 as a hash function for digital signatures. We will figure out why
this is not a very good idea.

The objectives for this laboratory are:

1. Understand why CRC32 is not a good algorithm for a hash function,
   and must not be used in digital signatures.
2. Contrast two different methods for finding hash collisions.

1. Requirements

You will need the following tools to perform this laboratory:

1. JRE 5.0 (or higher) installed on your PC.
   http://java.sun.com/javase/downloads/index_jdk5.jsp
2. CollisionFinder.jar
3. The example letter letter.txt.

Once you have downloaded CollisionFinder.jar, just double-click it. If
you have your JRE properly installed under Windows you should see
something like this:
If you are not running Windows or this doesn’t appear, try typing in
a terminal prompt:

java -jar CollisionFinder.jar


Now, let’s open the file letter.txt by clicking “Open”. The program will
load the letter, showing something like this.
At the bottom of the window, the CRC32 of each letter is shown.
Try to figure out how it works.

Question 1: What happens when you switch one combo box?

The hash changes.

Now, open the file letter.txt in a common text editor (e.g. Notepad or
gedit).

Question 2: Can you figure out how the file is interpreted by the
application? Explain.

Write your own letter.txt, and open it with the Collision Finder. From
now on we will work with your own file instead of the one you
downloaded.

2. Finding Collisions.

Try to find two different letters with the same CRC32; you may try
switching some combo boxes at random. Did you find something?
If you did, you’re a very lucky person (take a screenshot).

You may push the “Random” button to execute this automatically; it will
do the same as you, but hundreds of times faster, and it will stop when
it finds a collision. However, it may take some time.

Question 3: How long did it take to find the first collision?
Take a screenshot.

Now let’s try a somewhat more efficient algorithm by pushing the button
labelled “Strong Coll.”. It will do a similar process, but now it will
keep in memory all the messages tried before, and each new message is
checked against them. That process is called a “Strong Collision Attack”.

Question 4: How long did it take to find the first collision? Try
several times (at least 8), and take screenshots.

Remember that the “Random” button just tries to find a collision between
the left and right documents by randomly switching combo boxes until both
CRC32 values match. The “Strong Coll.” button, however, generates and
stores several letters (also randomly) until any two of them have the same
CRC32.
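
The two searches described above, as an added Python sketch using zlib.crc32 (this is not the CollisionFinder code). The slot-based letter, the function names and the 16-bit truncation that lets the pairwise search finish quickly are assumptions, and the “Random” method is simplified to re-rolling both letters on every try.

```python
import random
import zlib

# Constructed stand-in for the lab letter: 40 "combo boxes", two wordings each.
# The real letter.txt format is not shown on the page, so this is an assumption.
WORDS = [("pay", "transfer"), ("soon", "promptly"), ("agree", "accept"), ("sum", "amount")]
SLOTS = [(f"{i}:{a}", f"{i}:{b}") for i in range(10) for a, b in WORDS]


def random_letter(rng):
    """Pick one wording per slot, like switching every combo box at random."""
    bits = rng.getrandbits(len(SLOTS))
    return " ".join(s[(bits >> i) & 1] for i, s in enumerate(SLOTS)).encode()


def checksum(msg, bits=32):
    """CRC32 of msg, optionally truncated to its low `bits` bits."""
    return zlib.crc32(msg) & ((1 << bits) - 1)


def random_search(rng, bits, limit):
    """'Random' method: re-roll a left and a right letter until they match."""
    for tries in range(1, limit + 1):
        left, right = random_letter(rng), random_letter(rng)
        if left != right and checksum(left, bits) == checksum(right, bits):
            return tries, left, right
    return None


def strong_collision(rng, bits, limit):
    """'Strong Coll.' method: remember every letter, match against all of them."""
    seen = {}  # checksum -> first letter that produced it
    for tries in range(1, limit + 1):
        letter = random_letter(rng)
        earlier = seen.setdefault(checksum(letter, bits), letter)
        if earlier != letter:
            return tries, earlier, letter
    return None


if __name__ == "__main__":
    rng = random.Random(4)
    # Truncated to 16 bits so the pairwise search finishes in seconds.
    print("random, 16-bit:", random_search(rng, 16, 5_000_000)[0], "tries")
    print("stored, 16-bit:", strong_collision(rng, 16, 5_000_000)[0], "tries")
    tries, a, b = strong_collision(rng, 32, 5_000_000)
    print("stored, full CRC32:", tries, "tries")
    print(a.decode(), "\n", b.decode(), "\n", hex(checksum(a)), sep="")
```

With a k-bit checksum the pairwise search needs about 2^k tries, while the stored search needs about 2^(k/2), which is on the order of 2^16 letters for the full CRC32.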

Question 5: Why is the second method more efficient than the
first one?

4. Conclusions

Now you can see that it’s very easy to find two different letters with the
same CRC32.

Question 6: How can you take advantage of this weakness? Take
into account that CRC32 is used as a hash function for digital
signatures.

Question 7: How can this weakness be avoided? Is there any
solution?

References:

Cryptography – First Semester – Specialization, Universidad de los Andes – Milton
Quiroga.
