Home | My Courses | View Cart | Catalogue | e-Learning Help

 
 
     My Courses
     My Achievements
     Purchase History
 
     View Cart
     Contact Us
     e-Learning Help
 
     Catalogue
     Articles
     Archives
     RSS
 
 
SHA (Standard Hashing Algotithms)
 

SHA-0 and SHA-1
One iteration within the SHA-1 compression function. A, B, C, D and E are 32-bit words of the state; F is a nonlinear function that varies; n denotes a left bit rotation by n places; n varies for each operation. denotes addition modulo 232. Kt is a constant.The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as "SHA-0". It was withdrawn by the NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as "SHA-1". SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function; this was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. However, the NSA did not provide any further explanation or identify what flaw was corrected. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA's assertion that the change increased the security.

SHA-0 and SHA-1 produce a 160-bit digest from a message with a maximum size of 264 bits, and is based on principles similar to those used by Professor Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms.


Cryptanalysis of SHA-0
At CRYPTO 98, two French researchers presented an attack on SHA-0 (Chabaud and Joux, 1998): collisions can be found with complexity 261; fewer than the 280 for an ideal hash function of the same size.

In 2004, Biham and Chen found near-collisions for SHA-0 — two messages that hash to nearly the same value; in this case, 142 out of the 160 bits are equal. They also found full collisions of SHA-0 reduced to 62 out of its 80 rounds.

Subsequently, on 12 August 2004, a collision for the full SHA-0 algorithm was announced by Joux, Carribault, Lemuet, and Jalby. This was done by using a generalization of the Chabaud and Joux attack. Finding the collision had complexity 251 and took about 80,000 CPU hours on a supercomputer with 256 Itanium 2 processors.

On 17 August 2004, at the Rump Session of CRYPTO 2004, preliminary results were announced by Wang, Feng, Lai, and Yu, about an attack on MD5, SHA-0 and other hash functions. The complexity of their attack on SHA-0 is 240, significantly better than the attack by Joux et al.

In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced which could find collisions in SHA-0 in 239 operations.

 
Cryptanalysis of SHA-1
In the light of the results on SHA-0, some experts suggested that plans for the use of SHA-1 in new cryptosystems should be reconsidered. After these results were published, NIST announced that they planned to phase out the use of SHA-1 by 2010 in favour of the SHA-2 variants.

In early 2005, Rijmen and Oswald published an attack on a reduced version of SHA-1 — 53 out of 80 rounds — which finds collisions with a complexity of fewer than 280 operations.

In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced . The attacks can find collisions in the full version of SHA-1, requiring fewer than 269 operations (a brute-force search would require 280.)

The authors write: "In particular, our analysis is built up on the original differential attack on SHA0, the near collision attack on SHA0, the multi-block collision techniques, as well as the message modification techniques used in the collision search attack on MD5. Breaking SHA1 would not be possible without these powerful analytical techniques."  The authors have presented a collision for 58-round SHA-1, found with 233 hash operations. The paper with the full attack description was published in August 2005 at the CRYPTO conference.

In an interview, Yin states that, "Roughly, we exploit the following two weaknesses: One is that the file preprocessing step is not complicated enough; another is that certain math operations in the first 20 rounds have unexpected security problems.".

On 17 August 2005, an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, lowering the complexity required for finding a collision in SHA-1 to 263.

In academic cryptography, any attack that has less computational complexity than the expected time needed for brute force is considered a break. This does not, however, necessarily mean that the attack can be practically exploited. It has been speculated that finding a collision for SHA-1 is within reach of massive distributed Internet search.

In terms of practical security, the major concern about this new attack is that it might pave the way to more efficient attacks. Whether this is the case has yet to be seen, but a migration to stronger hashes is believed to be prudent. A collision attack does not present the same kinds of risks that a preimage attack would. Many of the applications that use cryptographic hashes, such as password storage or document signing, are only minimally affected by a collision attack. In the case of document signing, for example, an attacker could not simply fake a signature from an existing document—the attacker would have to fool the private key holder into signing a preselected document. Reversing password "encryption" (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. Constructing a password that works for a given account requires a preimage attack, and access to the hash of the original password (typically in the shadow file) which may or may not be trivial.

At the rump session of CRYPTO 2006, Christian Rechberger and Christophe De Cannière claimed to have discovered a collision attack on SHA-1 that would allow an attacker to select at least parts of the message.

 
Longer variants
NIST has published four additional hash functions in the SHA family, each with longer digests, collectively known as SHA-2. The individual variants are named after their digest lengths (in bits): "SHA-256", "SHA-384", and "SHA-512". They were first published in 2001 in the draft FIPS PUB 180-2, at which time review and comment were accepted. FIPS PUB 180-2, which also includes SHA-1, was released as an official standard in 2002. In February 2004, a change notice was published for FIPS PUB 180-2, specifying an additional variant, "SHA-224", defined to match the key length of two-key Triple DES. These variants are patented in U.S. Patent 6,829,355.

SHA-256 and SHA-512 are novel hash functions computed with 32- and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are simply truncated versions of the first two, computed with different initial values.

These new hash functions have not received as much scrutiny by the public cryptographic community as SHA-1 has, and so their cryptographic security is not yet as well-established. Gilbert and Handschuh (2003) have studied the newer variants and found no weaknesses.
 
 
SHA Sizes
 
Algorithm Output size (bits) Internal state size (bits) Block size (bits) Length size (bits) Word size (bits) Passes Operations Collision
SHA-0 160 160 512 64 32 80 +,and,or,xor,rotl Yes
SHA-1 160 160 512 64 32 80 +,and,or,xor,rotl With flaws
SHA-256/224 256/224 256 512 64 32 64 +,and,or,xor,shr,rotr No
SHA-512/384 512/384 512 1024 128 64 80 +,and,or,xor,shr,rotr No
 
 
  
    2006 BV2K Corporation Ltd. All rights reserved.  Terms of UsePrivacy Statement