The Sponge Structure Modulation Application to Overcome the Security Breaches for the MD5 and SHA-1 Hash Functions Zeyad A. Al-Odat and Samee U. Khan Department of Electrical and Computer Engineering North Dakota State University Fargo, ND, USA Email: zeyad.alodat@ndsu.edu, samee.khan@ndsu.edu Abstract—This paper presents a Sponge structure modulation of the MD5 and SHA-1 hash functions. The work employs the Keccak permutation function to build the proposed scheme. The work discusses the main two security breaches that threaten the cryptography hash standards which are collision and length extension attacks. Through analyzing several examples of collided messages of both algorithms (SHA-1 and MD5), we describe the potentials to overcome the collision and length extension attacks. Moreover, a proper replacement technique to avoid such attacks is discussed in this paper. Index Terms—Length extension attack, collision attack, cryp- tography, hash. I. I NTRODUCTION Secure Hash Algorithm (SHA) is the most popular cryp- tography technique for message authentication and verifica- tion. The SHA functions were standardized by the National Institute of Standards and Technology (NIST). SHA standards follow different structure models to construct the compression function. The most popular hash standards follow Merckle- Damgard (MD) and Sponge structure models. Where, MD4, MD5, SHA-1, and SHA-2 standards follow the MD structure, While SHA-3 hash standard follows Sponge structure model. MD4 developed by Rivest in 1990 [1], then it was replaced by MD5 in 1991 [2]. Both MD4 and MD5 maintain 128-bit hash output with 512-bit block size. For security issues and early signs of collision attack, MD5 was replaced by the SHA- 1 in 1993 with 160-bit hash and 512-bit block size [3]. In 2001 SHA-2 was developed and standardized by the NIST as the next version of the secure hash algorithm that follows the same structure model (MD). SHA-2 has six different flavours SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256 [4]. Then in 2012, NIST an- nounced the next SHA-3 standard Keccak, which was selected by a competition between 63 competitors through three rounds of selection. Keccak was standardized as the SHA-3 hash standard comprises six flavors, four fixed and two extensible size hashes [5]. Three challenges exist to verify the completeness of any hash standard: preimage, 2 nd preimage and collision resis- tance. Preimage resistance property means to easily obtain the hash from a given message, but difficult to extract it back from a given hash. 2 nd preimage resistance means that it is difficult to find two messages M1 and M2 generate the same Hash. While collision resistance property means the resistant of the probability to generate the same output hash for two messages or more, even though they are different or equal [6]. All secure hash algorithms were tested toward security properties of hash standards, especially collision resistance property. MD5 hash standard was fully exposed to collision attack in 2005 by Wang et al. [7]. their work was the first published work that provided a collision example of full MD5. In their work, they used the modular difference technique to construct their attack. More details will be presented in Section III. The security analysis of the SHA-1 hash standard, against collision attack, was also explored by different publica- tions [8], [9]. Using the concept of modular difference to construct collision path, Wang et al. in [8], theoretically, succeeded to find collision attack on full SHA-1. Recently, in 2017, Stevens et al. found the first real example of mes- sages that collided when processed using SHA-1 compression function. However, the secure hash algorithms (MD5 and SHA-1) are still be used by different entities, particularly the SHA- 1. Therefore, the efforts of researchers and developers were employed to overcome the collision dilemma which prone systems and applications into a serious security breach. This paper analyzes the collision and length extension attacks of the secure hash algorithms, MD5 and SHA-1. The analysis is carried out by testing several examples of collided messages that were generated by the help of ChameleonCloud which is a configurable experimental environment for large- scale cloud research [10]. This paper presents a versatile modification to the compression functions of MD5 and SHA- 1 to counter the collision and length extension attacks. The modification employs the internal round functions of the Keccak hash standard. Yet, Keccak is the most secure hash standard against security breaches. The strength of Keccak comes from the sturdiness of the compression function of Keccak standard [11]. The rest of paper is organized as follows: Section 2 presents 811 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC) 978-1-7281-2607-4/19/$31.00 ©2019 IEEE DOI 10.1109/COMPSAC.2019.00119