- Number of slides: 13
1 Some Current Thinking on Hash Functions Within NIST
John Kelsey, NIST, June 2005

2 Overview
● How We Got Here
● Impact of Recent Attacks
● Short-Term Reactions
● Long-Term: New Algorithms?
● The Workshop (Oct 31 - Nov 1, 2005)
3 How We Got Here: Recent Attacks
● Crypto 2004
  – Joux, Biham/Chen analyses of SHA-0/1
  – Wang rump session talk (aka mass die-off of hash functions)
  – Joux multicollision result
● In 2005 (so far):
  – Wang announced break of SHA-1
  – Many clever applications of MD5 collisions
  – 2nd preimage attacks
  – Full details of MD4/MD5/RIPEMD attacks published
4 Impact of Attacks
● MD5 Attack:
  – Attack is practical, and MD5 still widely used
  – Huge need to quickly migrate to something stronger!
  – But NIST never had recommended MD5...
● SHA-1 Attack:
  – Attack not (yet) very practical (about 2^69)
  – Need to migrate to something stronger, but not urgent.
  – SHA-1's life was almost over anyway...
  – ...but NIST got burned!
5 Impact of Attacks (2)
● Damgård-Merkle Construction attacks
  – Joux multicollisions
  – 2nd preimages
  – More to come...
● Impact:
  – When can we trust an n-bit iterated hash against an attacker who can do 2^(n/2) work?
  – HMAC unaffected
  – How much do we really know about our hash constructions?
6 Impact of Attacks: Summary
● Urgent need to migrate from MD5
● Less urgent need to migrate from SHA-1
● SHA-1 result may undermine confidence in SHA-256
  – Same organization designed it (NSA)
  – Same organization standardized on it (NIST)
  – Similar enough design to raise concerns
● ...but is the public crypto community doing any better?
  – How well do we understand hash functions?
7 How to React to Attacks?
● Short-Term:
  – Migration to SHA-256 and truncated SHA-256
  – A few special-purpose workarounds
  – Evaluate SHA-256/512 for security
● Long-Term:
  – Existing alternatives to SHA family?
  – Developing new algorithms?
8 Short-Term Reaction: Migration and Workarounds
● Migration to SHA-256
  – Urgent need for cryptanalysis before mass migration
● Truncated SHA-256 (SHA-x): drop-in replacement for SHA-1 and maybe MD5
● Change certificate signing and other protocols to minimize the impact of collisions on applications
● Problems:
  – SHA-256 confidence?
  – Hard to migrate twice.
  – MD5 and SHA-1 apps are in very different situations.
9 Long-Term Reaction: New Algorithms?
● SHA-256/512 already in protocols and products
  – Won't be withdrawn unless a real attack appears
  – Do we need another algorithm?
● Few existing choices with required parameters
  – {256, 384, 512}-bit output for {128, 192, 256}-bit collision resistance
● A few possibilities:
  – Whirlpool (256/384/512)
  – GOST hash (256)
  – Existing generic block cipher constructions w/ AES
10 New Algorithms: Requirements We Know About
● Drop-in replacement for SHA family
● Output size = {224, 256, 384, 512}
  – (Truncation OK)
  – n-bit output must correspond to n/2-bit collision resistance (needed for DSA, ECDSA)
● Usable in other common hash places
  – Pseudorandom bit generation
  – Key derivation
● Public, unpatented, full disclosure of analysis and design process
11 New Algorithms: Requirements/Ideas to Discuss
● Possible security requirements
  – Block multicollisions and 2nd preimage attacks?
  – Fixing the length-extension property?
● What should be the performance requirements?
  – 8/32/64-bit architectures?
  – Parallelizability?
  – Side channels? (S-boxes, multiplies, etc.)
● Should we have multiple standards?
  – Block cipher construction from AES?
  – Special-purpose provable hash functions?
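Slide 11 asks about fixing the length-extension property and slide 5 notes that HMAC is unaffected by the Damgård-Merkle results. The following added example (not from the slides or from NIST) shows both points on a toy Merkle-Damgård hash: a secret-prefix MAC built as H(key || msg) can be extended from the tag and the message length alone, while the HMAC wrapping of the same hash cannot. The block size, initial value and compression function are constructed for illustration and are not secure.

```python
import struct

BLOCK = 8                      # toy block size: 8 bytes
MASK = 0xFFFFFFFFFFFFFFFF
IV = 0x0123456789ABCDEF        # constructed initial state, not any standard's IV

def compress(state: int, block: bytes) -> int:
    """Toy 64-bit compression function (NOT secure); only the chaining structure matters here."""
    x = (state ^ int.from_bytes(block, "big")) & MASK
    for _ in range(4):
        x = (x * 0x9E3779B97F4A7C15 + 0x7F4A7C159E3779B9) & MASK
        x ^= x >> 29
    return x

def pad(msg_len: int) -> bytes:
    """Merkle-Damgård strengthening: 0x80, zero fill, then the 64-bit bit length of the message."""
    zeros = (BLOCK - (msg_len + 1 + 8) % BLOCK) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)

def md_hash(msg: bytes, state: int = IV, prefix_len: int = 0) -> bytes:
    """Iterated hash. state/prefix_len allow resuming from a known digest of a prefix of prefix_len bytes."""
    data = msg + pad(prefix_len + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state.to_bytes(8, "big")

def extend(digest: bytes, known_len: int, suffix: bytes):
    """Length extension: from H(m) and len(m) alone, derive H(m || glue || suffix) without knowing m."""
    glue = pad(known_len)                       # the padding the hash appended after m
    resumed = md_hash(suffix, int.from_bytes(digest, "big"), known_len + len(glue))
    return glue, resumed

def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC (RFC 2104 structure) over the toy hash; the outer hash hides the inner chaining state."""
    if len(key) > BLOCK:
        key = md_hash(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return md_hash(opad + md_hash(ipad + msg))

def compare_constructions(key=b"key", msg=b"message", suffix=b"suffix"):
    """Returns (prefix_mac_extendable, hmac_extendable); expected (True, False)."""
    tag = md_hash(key + msg)                                  # secret-prefix MAC: H(key || msg)
    glue, forged = extend(tag, len(key) + len(msg), suffix)   # uses only the tag and the total length
    prefix_ok = forged == md_hash(key + msg + glue + suffix)
    htag = toy_hmac(key, msg)
    glue2, forged2 = extend(htag, len(key) + len(msg), suffix)
    hmac_ok = forged2 == toy_hmac(key, msg + glue2 + suffix)
    return prefix_ok, hmac_ok
```

The same resume-from-digest step that works against H(key || msg) fails against HMAC because the value an attacker sees is the output of the outer hash, not the chaining state the inner hash would continue from.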
12 Big Questions about New Algorithms
● Where will they come from?
  – NSA (like SHA family)?
  – Existing/published designs?
  – Other standards?
● Should there be an AES-like contest?
  – Not clear we can do this within our budget/manpower constraints!
  – Is hash function design/analysis a mature enough field to do this?
  – Nailing down requirements up front
13 The Workshop: Oct 31 - Nov 1
This is where we'll discuss all these issues and try to get some consensus!
● Assess SHA-1 and SHA-256/512 strength
● Discuss short-term workarounds
● Long-term strategy
  – Use SHA-256/512?
  – Use existing alternative?
  – Contest/process for designing new hash?
  – Requirements on new hash?