SHA-1
SHA-1 (Secure Hash Algorithm) is a cryptographic hash function designed by the United States National Security Agency (NSA) and published by the United States government as a federal data-processing standard (a Federal Information Processing Standard of NIST). It produces a 160-bit result (called a "hash" or digest).
For details of the algorithm and its implementation, see the article SHA-1 Specifications.
Origin: SHA-0 and SHA-1
SHA-1 is the successor of SHA-0, which NIST quickly set aside because of insufficient security. SHA-0 was legitimately suspected of containing flaws that would quickly lead to collisions (two different documents that generate the same digest). In response to the controversy raised by the workings of SHA-0 and certain findings attributed to the NSA, SHA-0 was modified shortly after its release (1993) and made more complex to obtain SHA-1 (1995). A full collision on SHA-0 was recently discovered by Antoine Joux et al. (August 2004), which suggests that SHA-1 could also fall to an attack.
Attacks
An attack based on the birthday paradox makes it possible to find a full collision on SHA-1 with a number of operations about . In 2005, Rijmen and Oswald published an attack on a reduced version of SHA-1 (53 rounds); their attack finds a collision with fewer operations.
In February 2005, Bruce Schneier reported on an attack on the full version of SHA-1 by the Chinese team of Wang, Yin and Yu. Their method makes it possible to find:
- a collision in the full SHA-1 of 128 bits with operations instead of by the birthday paradox
- a collision in full SHA-0 with only operations
- a collision in a reduced version of SHA-1 (58 rounds) with operations
The description of the attack was published in June 2005.
On August 17, 2005, an improvement of the attack was announced by Wang et al. at the CRYPTO 2005 conference; the complexity thus drops from 2^69 to 2^63, that is, a division by 64 of the original complexity.
Consequences
Even if a gain of operations makes it possible to divide the search time by a factor of 131072, the attack with its operations is at the limit of what is feasible. Adi Shamir nevertheless suggested that the attack could probably be tackled through a computation distributed on a planetary scale. The rule is that an attack faster than exhaustive search makes the algorithm cryptographically insecure. Moreover, with operations, the attack falls below the needed for an exhaustive search on MD5 (which is no longer recommended for new applications). Having lost ground since the announcement of the attack by Wang et al., SHA-1 was gradually withdrawn from cryptographic applications in favour of SHA-256 or other hash functions such as Whirlpool or Tiger. Voices are already calling for a new hash standard, as was the case a few years ago for symmetric cryptography with AES.
The attack produced by Wang et al. concerns only arbitrary collisions (just like their famous full collision on MD5). That is, one can find two messages with random content that produce the same digest. On the other hand, starting from a given digest, it is impossible to forge a second message that generates the same value. Yet it is this type of attack that could endanger applications such as PGP and the authenticity of data.
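The difference between the birthday-paradox collision search mentioned under Attacks and the second-message forgery discussed above can be measured on a truncated digest. This is an added example, not part of the original article; the truncation to a few bits, the function names and the constructed message strings are assumptions made so the search finishes in moments.

```python
import hashlib

def truncated_sha1(data, bits):
    """Keep only the top `bits` bits of the 160-bit SHA-1 digest."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)

def birthday_collision(bits):
    """Find any two distinct messages with the same truncated digest.

    Expected cost is about 2**(bits/2) hash calls, because every new
    message is compared against all digests stored so far.
    """
    seen = {}
    counter = 0
    while True:
        msg = b"constructed-message-%d" % counter  # constructed sample input
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg
        counter += 1

def second_preimage(target_msg, bits, limit):
    """Look for a different message matching one fixed digest.

    Expected cost is about 2**bits hash calls: there is a single target,
    so the birthday effect does not help. Gives up after `limit` tries.
    """
    target = truncated_sha1(target_msg, bits)
    for counter in range(limit):
        msg = b"constructed-candidate-%d" % counter
        if msg != target_msg and truncated_sha1(msg, bits) == target:
            return msg, counter + 1
    return None, limit

if __name__ == "__main__":
    m1, m2, tries = birthday_collision(24)
    print("24-bit collision after", tries, "hashes:", m1, m2)
    found, cost = second_preimage(m1, 16, 1 << 20)
    print("16-bit second message after", cost, "hashes:", found)
```

A 24-bit collision typically appears after a few thousand hashes, while matching one fixed 24-bit digest would take on the order of 2**24.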
Operation of SHA-1
SHA-1 takes a message of a maximum of bits as input. Its operation is similar to that of Ronald Rivest's MD4 or MD5. If the message length is not a multiple of 512, the algorithm appends a 1 bit followed by a series of 0 bits. Finally, the length of the message (in bits), encoded on 64 bits, is added at the end of this sequence. Four Boolean functions are defined; they take three 32-bit words as input and compute one 32-bit word. A specific rotation function is also available; it shifts the bits to the left (the movement is circular and the bits return on the right). One of these rotations was not present in SHA-0; it breaks certain linear characteristics in the structure. This avoids the neutral-bits attack by Eli Biham, a technique reused to compute the full collision on SHA-0 (Antoine Joux et al.).
SHA-1 then works individually on 512-bit blocks. The algorithm computes 80 successive rounds and applies a series of transformations to the input. The first step consists in computing 80 32-bit values. The first 16 values are obtained directly from the input "message" block. The other 64 are computed successively. SHA-1 obtains them by a rotation (absent in SHA-0) applied to the result of an XOR, which uses 4 words obtained in the preceding iterations. Five variables are then defined and initialized with constants (specified by the standard); SHA-1 uses 4 more constants in its computations. If a 512-bit block has already been processed, the variables are initialized with the values obtained at the end of the computation on the preceding block.
Then follow 80 rounds that alternate rotations and additions between the variables and the constants. Depending on the round number, SHA-1 uses one of the four Boolean functions. One of these functions is applied to 3 of the 5 available variables. The variables are updated for the next round by permutations and a rotation. In short, SHA-1 changes its method of calculation every 20 rounds and uses the outputs of the preceding rounds.
At the end of the 80 rounds, the result is added to the initial vector, and the five concatenated variables (5 · 32 = 160 bits) represent the digest.
For more details, see SHA-1 Specifications.
Examples
Here is the digest obtained on a sentence:
- SHA1 (" Wikipedia, the free encyclopedia and gratuite") = c18cc65028bbdc147288a2d136313287782b9c73
- SHA1 (" Wikipedia, the free encyclopedia and gratuit' E' ") = 3981d4f03f2732e582f629ba27af75a213cfc7f3
SHA-1 is an excellent pseudo-random number generator (like many hash functions) and it passes all the statistical tests successfully. A test conducted by Eric Filiol confirmed the mathematical quality of the outputs, which are "more random" than those of RIPEMD-160 or SHA-0.
SHA-1 in encryption mode
Contrary to what one might think, a hash function can be used to encrypt with the help of some modifications. In the case of SHA-1, there is a symmetric encryption algorithm, SHACAL, due to Helena Handschuh and David Naccache.
The SHA family
Versions offering more security are also available: SHA-256, SHA-384 and SHA-512. As their names indicate, these versions provide digests of 256, 384 and 512 bits. A variant was recently added: SHA-224 ensures compatibility with the length of two keys as would be used for Triple DES (4 keys of 56 bits; 3DES uses 3 keys of 56 bits).
External links
- Video of CRYPTO 2005, with the presentation of the improved attack by Adi Shamir
- Slides of Adi Shamir at CRYPTO 2005
- Finding collisions in full SHA-1, formal description of the attack on SHA-1
- A New Statistical Testing for Symmetric Ciphers and Hash Functions, statistical test by Eric Filiol
- SHACAL, description of SHA-1 in encryption mode (SHACAL)