Sha1 Steps n Apps


5/21/2018 Sha1 Steps n Apps 1/10

2 SHA-1 Algorithm

SHA-1 is a part of the FIPS 180-2: Secure Hash Standard [7]. It is very widely used in public-key cryptography, especially in message authentication schemes.

SHA-1 calculates a 160-bit $H$ for a $b$-bit $M$. The algorithm consists of the following steps:

1. Appending Padding Bits

The $b$-bit $M$ is padded in the following manner: a single 1-bit is added into the end of $M$, after which 0-bits are added until the length of the message is congruent to 448, modulo 512.

2. Appending Length

A 64-bit representation of $b$ is appended to the result of the above step. Thus, the resulting message is a multiple of 512 bits.

3. Buffer Initialization

Let $H_0, H_1, H_2, H_3$ and $H_4$ be 32-bit hash value registers. These registers are used in the derivation of a 160-bit hash $H$. At the beginning, they are initialized as follows:

$$H_0 = \mathtt{67452301},\; H_1 = \mathtt{efcdab89},\; H_2 = \mathtt{98badcfe},\; H_3 = \mathtt{10325476},\; H_4 = \mathtt{c3d2e1f0} \qquad (1)$$

4. Processing of the message (the algorithm)

The algorithm which is used for processing of the padded message is described next. First, the padded message needs to be divided into 512-bit blocks, denoted here as $M_j$ where $j \ge 0$ is the index of the block. The algorithm processes one $M_j$ at once, starting from $M_0$, until all $M_j$ have been processed. Five 32-bit registers, $A, B, C, D$ and $E$, are defined. At the beginning of processing of each $M_j$ their values are set as follows: $A \leftarrow H_0$, $B \leftarrow H_1$, etc. The algorithm consists of 80 steps. Let $t$ denote the index of a step, i.e. $0 \le t \le 79$. First, a 32-bit message block $W_t$ is derived for every step $t$ from the 512-bit message block $M_j$ using a message schedule. For $t < 16$, $W_t$ is simply the $t$-th 32-bit word of $M_j$. When $t \ge 16$, $W_t$ are derived recursively with the following formula:

$$W_t = (W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16}) \lll 1 \qquad (2)$$

where $\lll s$ denotes circular shift to the left by $s$ bits and $\oplus$ is a logical xor operation. Let $K_t$ be a constant value for step $t$. The values of $K_t$ are set as follows:

$$K_t = \begin{cases} \mathtt{5a827999} & 0 \le t \le 19 \\ \mathtt{6ed9eba1} & 20 \le t \le 39 \\ \mathtt{8f1bbcdc} & 40 \le t \le 59 \\ \mathtt{ca62c1d6} & 60 \le t \le 79 \end{cases} \qquad (3)$$

A function $F(X,Y,Z)$ depending on the step $t$ is defined as follows:

$$F(X,Y,Z) = \begin{cases} (X \wedge Y) \vee (\neg X \wedge Z) & 0 \le t \le 19 \\ X \oplus Y \oplus Z & 20 \le t \le 39 \\ (X \wedge Y) \vee (X \wedge Z) \vee (Y \wedge Z) & 40 \le t \le 59 \\ X \oplus Y \oplus Z & 60 \le t \le 79 \end{cases} \qquad (4)$$

where $\wedge$, $\vee$ and $\neg$ are bitwise logical and, or and complement, respectively. The message is processed for $0 \le t \le 79$ with the following function, which is here called the SHA-1 step function:

$$T = (A \lll 5) + F(B,C,D) + W_t + K_t + E \qquad (5)$$

where $+$ denotes an addition modulo $2^{32}$. After each step, the values of the registers are set as follows:

$$A \leftarrow T,\; B \leftarrow A,\; C \leftarrow B \lll 30,\; D \leftarrow C,\; E \leftarrow D \qquad (6)$$

Finally, when all 80 steps have been processed, the following operations are performed:

$$H_0 \leftarrow H_0 + A,\; H_1 \leftarrow H_1 + B,\; H_2 \leftarrow H_2 + C,\; H_3 \leftarrow H_3 + D,\; H_4 \leftarrow H_4 + E \qquad (7)$$

If all $M_j$ have been processed, the algorithm is terminated. Otherwise, the algorithm is processed with $M_{j+1}$.

5. Output

When all $M_j$ have been processed with the above algorithm, the 160-bit hash $H$ of $M$ is available in $H_0, H_1, H_2, H_3$ and $H_4$.
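As an added example (not code from the report, whose design is written in VHDL), the five steps above transcribed into Python, with the equation numbers of this section noted in the comments; the result is checked against Python's hashlib on a constructed input.

```python
import hashlib
import struct

H_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # eq. (1)
K = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)                    # eq. (3)
MASK = 0xFFFFFFFF

def rotl(x, s):
    """Circular shift of a 32-bit word to the left by s bits."""
    return ((x << s) | (x >> (32 - s))) & MASK

def f(t, x, y, z):
    """Step-dependent F(X,Y,Z) of eq. (4); the case index t // 20 is i of eq. (8)."""
    if t < 20:
        return (x & y) | (~x & z)
    if 40 <= t < 60:
        return (x & y) | (x & z) | (y & z)
    return x ^ y ^ z

def pad(msg):
    """Steps 1-2: append a 1 bit, 0 bits up to 448 mod 512, then the 64-bit length b."""
    b = 8 * len(msg)
    msg += b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    return msg + struct.pack(">Q", b)

def compress(h, block):
    """Step 4 for one 512-bit block M_j: message schedule, 80 steps, eq. (5)-(7)."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16], 1))   # eq. (2)
    a, b, c, d, e = h
    for t in range(80):
        temp = (rotl(a, 5) + f(t, b, c, d) + w[t] + K[t // 20] + e) & MASK  # eq. (5)
        a, b, c, d, e = temp, a, rotl(b, 30), c, d                          # eq. (6)
    return tuple((x + y) & MASK for x, y in zip(h, (a, b, c, d, e)))      # eq. (7)

def sha1(msg):
    """Steps 3-5: initialise H, process every block, output H0..H4 as 40 hex digits."""
    h = H_INIT
    padded = pad(msg)
    for j in range(0, len(padded), 64):
        h = compress(h, padded[j:j + 64])
    return "".join("%08x" % x for x in h)

if __name__ == "__main__":
    m = b"abc"  # constructed sample input
    assert sha1(m) == hashlib.sha1(m).hexdigest()
```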

[Figure 1 (block diagram, image not recoverable): the step function block (inputs ABCDE_in, K, W; output ABCDE_out; 160 bits each), a step counter (t), a constant block (K_t), a message schedule block (W_t) and a ready block; control inputs start_new, continue, init, load and address, and the 128-bit M_in data input; outputs hash (160 bits) and ready.]

Figure 1: A top-level block diagram of SIG-SHA-1

3 Implementation

The goal of the design of SIG-SHA-1 was to make an implementation comparable to the SIG-MD5-I design presented in [] so that the logic requirements and performance of MD5 and SHA-1 could be easily compared. The iterative structure was chosen in order to make a compact structure which could be used in the evaluation of the combined MD5/SHA-1 block introduced in [8]. The top-level architecture used for the SIG-SHA-1 implementation is almost similar to the architecture used for SIG-MD5 implementations in []. A block diagram of SIG-SHA-1 is presented in Figure 1. SIG-SHA-1 implements only the steps 3–5 presented in Section 2, because padding of M is fast to perform also with software, and thus it does not require hardware acceleration.

The critical path of the implementation includes the step function block and the multiplexer in front of it. Thus, an efficient implementation of the step function is essential for a high performance hardware implementation of SHA-1. The calculation of the algorithm can be speeded up by unrolling several steps as performed in [2], for example. However, it was decided that this approach was not used in the SIG-SHA-1 implementation, because of the increase in area requirements and, especially, because of the reduced comparability to the combined architecture of [8] and SIG-MD5-I.

[Figure 2 (block diagram, image not recoverable): registers A, B, C, D and E, inputs W_t and K_t, the function F and the rotation/addition chain of the step function.]

Figure 2: A block diagram of the step function

A block diagram of the step function block is presented in Figure 2 where F implements the functions of … Block-RAMs in Xilinx devices. However, in SIG-SHA-1 it was implemented on slices in order to guarantee straightforward comparison to SIG-MD5-I.

The message schedule block implements the SHA-1 message schedule described in Section 2. A 512-bit message block $M_j$ is loaded into the block with the M_in, address and load signals. The width of M_in can be chosen between 32 and 512 bits, and for the implementations presented in this report the width was chosen to be 128 bits. The message schedule block includes a 16×32-bit shift register and additional logic implementing

$$i = \begin{cases} 0 & \text{if } 0 \le t \le 19 \\ 1 & \text{if } 20 \le t \le 39 \\ 2 & \text{if } 40 \le t \le 59 \\ 3 & \text{if } 60 \le t \le 79 \end{cases} \qquad (8)$$

The ready block determines when the calculation of the steps is finished, i.e. $t = 79 = 1001111_2$. The leftmost multiplexer in Figure 1 is used for initializing the hash value registers. The initial values are set when a derivation of a new hash value is started with start_new, i.e. when $M_0$ is processed. If $j \ge 1$ in $M_j$, the values from the previous algorithm round are used, and the derivation is begun with the continue signal. The other multiplexer is used for controlling the iterative loop. For the first step, $t = 0$, the initial values or the values from the previous algorithm round are taken (start_new or continue); otherwise values from the previous iteration step are used. When the ready signal is high, processing of $M_j$ is finished, and $M_{j+1}$ can be loaded into the design. If all $M_j$ have been processed, the hash $H$ of the message $M$ is ready at the hash output.

The above architecture was written in VHDL and it required 580 lines of code. Having the experience of implementing MD5, the design of SHA-1 was simple and straightforward.

[Slide residue (figures not recoverable): "SHA-1 Single Step" (table of the function F and the constant K_t for the step ranges 0–19, 20–39, 40–59 and 60–79); "Derivation of K_t and W_t" (K_t as a function of t; W_t taken from the 512-bit data block for t in [0, 15] and from W_{t-3} xor W_{t-8} xor W_{t-14} xor W_{t-16} rotated by S1 for t in [16, 79]); "SHA-1 Architecture" (counter t, control unit, 512-bit data block in, 160-bit message digest out); "W_t Generator Architecture" (16-word shift register feeding the XOR and S1 rotation); "Message Digest Architecture"; reported logic resources used: 268 out of 12288; data rate of 0.7 Gbit/s.]

Conclusion and further work

Current throughput of the circuit does not meet the design goal of 1 Gbit/s; it may be achieved by loop unrolling and optimization of code.

More efficient use of chip area.

Implementation of HMAC.

Applications

Cryptography

For more details on this topic, see Cryptographic hash function § Applications.

SHA-1 forms part of several widely used security applications and protocols, including TLS and SSL, PGP and SSH. FIPS 180-1 also encouraged adoption and use of SHA-1 by private and commercial organizations. SHA-1 is being retired from most government uses; the U.S. National Institute of Standards and Technology said, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010" (emphasis in original),[10] though that was later relaxed.[11] A prime motivation for the publication of the Secure Hash Algorithm was the Digital Signature Standard, in which it is incorporated. The SHA hash functions have been used as the basis for the SHACAL block ciphers.

Data integrity:

The source control management system Git uses SHA-1 not for security but for ensuring that the data has not changed. Linus Torvalds has said, "Git uses SHA-1 in a way which has nothing at all to do with security.... It's just the best hash you can get.... It's about the ability to trust your data. I guarantee you, if you put your data in Git, you can trust the fact that five years later, after it was converted from a hard disk to a DVD to whatever new technology and you copied it, five years later you can verify that the data that you get back out is the exact same data you put in."[12]

(Source: SHA-1 - Wikipedia, the free encyclopedia, en.wikipedia.org/wiki/SHA-1)

Cryptanalysis and validation

For a hash function for which $L$ is the number of bits in the message digest, finding a message that corresponds to a given message digest can always be done using a brute force search in $2^L$ evaluations. This is called a preimage attack and may or may not be practical depending on $L$ and the particular computing environment. The second criterion, finding two different messages that produce the same message digest, known as a collision, requires on average only about $1.2 \times 2^{L/2}$ evaluations using a birthday attack. For the latter reason the strength of a hash function is usually compared to a symmetric cipher of half the message digest length. Thus SHA-1 was originally thought to have 80-bit strength. Cryptographers have produced collision pairs for SHA-0 and have found algorithms that should produce SHA-1 collisions in far fewer than the originally expected $2^{80}$ evaluations.

In terms of practical security, a major concern about these new attacks is that they might pave the way to more efficient ones. Whether this is the case is yet to be seen, but a migration to stronger hashes is believed to be prudent. Some of the applications that use cryptographic hashes, such as password storage, are only minimally affected by a collision attack. Constructing a password that works for a given account requires a preimage attack, as well as access to the hash of the original password, which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. (However, even a secure password hash can't prevent brute-force attacks on weak passwords.)

In the case of document signing, an attacker could not simply fake a signature from an existing document: the attacker would have to produce a pair of documents, one innocuous and one damaging, and get the private key holder to sign the innocuous document. There are practical circumstances in which this is possible; until the end of 2008, it was possible to create forged SSL certificates using an MD5 collision.[13] Due to the block and iterative structure of the algorithms and the absence of additional final steps, all SHA functions are vulnerable to length-extension and partial-message collision attacks.[14] These attacks allow an attacker to forge a message, signed only by a keyed hash – … – by extending the message and recalculating the hash without knowing the key. The simplest improvement to prevent these attacks is to hash twice: … (the length of the zero block is equal to the block size of the hash function).

Attacks

In early 2005, Rijmen and Oswald published an attack on a reduced version of SHA-1 (53 out of 80 rounds) which finds collisions with a computational effort of fewer than $2^{80}$ operations.[15]

In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced.[16] The attacks can find collisions in the full version of SHA-1, requiring fewer than $2^{69}$ operations. (A brute-force search would require $2^{80}$ operations.)

The authors write: "In particular, our analysis is built upon the original differential attack on SHA-0 [sic], the near collision attack on SHA-0, the multiblock collision techniques, as well as the message modification techniques used in the collision search attack on MD5. Breaking SHA-1 would not be possible without these powerful analytical techniques."[17] The authors have presented a collision for 58-round SHA-1, found with $2^{33}$ hash operations. The paper with the full attack description was published in August 2005 at the CRYPTO conference. In an interview, Yin states that, "Roughly, we exploit the following two weaknesses: One is that the file preprocessing step is not complicated enough; another is that certain math operations in the first 20 rounds have unexpected security problems."[18]

On 17 August 2005, an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, lowering the complexity required for finding a collision in SHA-1 to $2^{63}$.[19] On 18 December 2007 the details of this result were explained and verified by Martin Cochran.[20]

Christophe De Cannière and Christian Rechberger further improved the attack on SHA-1 in "Finding SHA-1 Characteristics: General Results and Applications,"[21] receiving the Best Paper Award at ASIACRYPT 2006. A two-block collision for 64-round SHA-1 was presented, found using unoptimized methods with $2^{35}$ compression function evaluations. As this attack requires the equivalent of about $2^{35}$ evaluations, it is considered to be a significant theoretical break.[22] Their attack was extended further to 73 rounds (of 80) in 2010 by Grechnikov.[23] In order to find an actual collision in the full 80 rounds of the hash function, however, massive amounts of computer time are required. To that end, a collision search for SHA-1 using the distributed computing platform BOINC began August 8, 2007, organized by the Graz University of Technology. The effort was abandoned May 12, 2009 due to lack of progress.[24]

At the Rump Session of CRYPTO 2006, Christian Rechberger and Christophe De Cannière claimed to have discovered a collision attack on SHA-1 that would allow an attacker to select at least parts of the message.[25][26]

In 2008, an attack methodology by Stéphane Manuel reported hash collisions with an estimated theoretical complexity of $2^{51}$ to $2^{57}$ operations.[27] However he later retracted that claim after finding that local collision paths were not actually independent, and finally quoting as the most efficient a collision vector that was already known before this work.[28]

Cameron McDonald, Philip Hawkes and Josef Pieprzyk presented a hash collision attack with claimed complexity $2^{52}$ at the Rump session of