Internet Engineering Task Force (IETF) T. Polk
Request for Comments: 6194 L. Chen
Category: Informational NIST
ISSN: 2070-1721 S. Turner
IECA
P. Hoffman
VPN Consortium
March 2011
Internet Engineering Task Force (IETF) T. Polk
Request for Comments: 6194 L. Chen
Category: Informational NIST
ISSN: 2070-1721 S. Turner
IECA
P. Hoffman
VPN Consortium
March 2011
Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms
SHA-0和SHA-1消息摘要算法的安全注意事项
Abstract
摘要
This document includes security considerations for the SHA-0 and SHA-1 message digest algorithm.
本文档包括SHA-0和SHA-1消息摘要算法的安全注意事项。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6194.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc6194.
Copyright Notice
版权公告
Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2011 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
The Secure Hash Algorithms are specified in [SHS]. A previous version of [SHS] also specified SHA-0. SHA-0, first published in 1993, and SHA-1, first published in 1996, are message digest algorithms, sometimes referred to as hash functions or hash algorithms, that take as input a message of arbitrary length and produce as output a 160-bit "fingerprint" or "message digest" of the input. The published attacks against both algorithms show that it is not prudent to use either algorithm when collision resistance is required.
安全哈希算法在[SHS]中指定。[SHS]的早期版本也指定了SHA-0。1993年首次发布的SHA-0和1996年首次发布的SHA-1是消息摘要算法,有时称为哈希函数或哈希算法,它们将任意长度的消息作为输入,并生成160位的输入“指纹”或“消息摘要”。针对这两种算法的公开攻击表明,当需要抗碰撞时,使用这两种算法都是不谨慎的。
[HASH-Attack] summarizes the use of hashes in Internet protocols and discusses how attacks against a message digest algorithm's one-way and collision-free properties affect and do not affect Internet protocols. Familiarity with [HASH-Attack] is assumed.
[哈希攻击]总结了哈希在Internet协议中的使用,并讨论了针对消息摘要算法的单向和无冲突属性的攻击如何影响和不影响Internet协议。假设熟悉[哈希攻击]。
Some may find the guidance for key lengths and algorithm strengths in [SP800-57] and [SP800-131] useful.
有些人可能会发现[SP800-57]和[SP800-131]中关于密钥长度和算法强度的指南很有用。
What follows are summaries of recent attacks against SHA-0's collision, pre-image, and second pre-image resistance. Additionally, attacks against SHA-0 when used as a keyed-hash (e.g., HMAC-SHA-0) are discussed.
以下是最近针对SHA-0碰撞、预成像和第二次预成像抵抗的攻击的摘要。此外,还讨论了将SHA-0用作密钥散列(例如HMAC-SHA-0)时针对SHA-0的攻击。
The U.S. National Institute of Standards and Technology (NIST) withdrew SHA-0 in 1996. That is, NIST no longer considers it appropriate to use SHA-0 for any transactions associated with the use of cryptography by U.S. federal government agencies for the protection of sensitive, but unclassified information. SHA-0 is discussed here only for the sake of completeness.
美国国家标准与技术研究所(NIST)于1996年撤回了SHA-0。也就是说,NIST不再认为将SHA-0用于与美国联邦政府机构使用加密技术保护敏感但未保密信息相关的任何交易是合适的。这里讨论SHA-0只是为了完整性。
Any use of SHA-0 is strongly discouraged. Analysis of SHA-0 continues today because many see it as a weaker version of SHA-1.
强烈反对使用SHA-0。对SHA-0的分析今天仍在继续,因为许多人认为它是SHA-1的较弱版本。
The first attack on SHA-0 was published in 1998 [CHJO1998] and showed that collisions can be found in 2^61 operations. In 2006, [NSSYK2006] showed an improved attack that can find collisions in 2^36 operations.
对SHA-0的第一次攻击发表于1998年[CHJO1998],表明在2^61次行动中可以发现碰撞。2006年,[NSSYK2006]展示了一种改进的攻击,可以在2^36次操作中发现冲突。
In any case, the known research results indicate that SHA-0 is not as collision resistant as expected. The collision security strength is significantly less than an ideal hash function (i.e., 2^36 compared to 2^80).
在任何情况下,已知的研究结果表明,SHA-0没有预期的抗碰撞性能。冲突安全强度明显低于理想的哈希函数(即,2^36比2^80)。
The pre-image and second pre-image attacks published on reduced versions of SHA-0 (i.e., less than 80 rounds) indicate that the security margin of SHA-0 is resistant to these attacks. [deCARE2008] showed a pre-image attack on 49 out of 80 rounds with complexity of 2^159, and [AOSA2009] showed a pre-image attack on 52 out of 80 rounds with a complexity of 2^156.
在精简版SHA-0上发布的预映像和第二预映像攻击(即少于80发)表明,SHA-0的安全裕度能够抵御这些攻击。[deCARE2008]显示80轮中有49轮存在图像前攻击,复杂性为2^159,[AOSA2009]显示80轮中有52轮存在图像前攻击,复杂性为2^156。
The current attack vectors on HMAC can be classified as follows: distinguishing attacks, existential forgery attacks, and key recovery attacks. Key recovery attacks are by far the most severe.
目前针对HMAC的攻击向量可分为:区分攻击、存在伪造攻击和密钥恢复攻击。密钥恢复攻击是迄今为止最严重的。
Attacks on hash functions can be conducted entirely offline, since the attacker can generate unlimited message-hash value pairs. Attacks on HMACs must be online because attackers need a large amount of HMAC values to deduce the key. The best results for a partial key recovery attack on HMAC-SHA0 were published at Asiacrypt 2006 with 2^84 queries and 2^60 SHA-0 computations [COYI2006].
对散列函数的攻击可以完全脱机进行,因为攻击者可以生成无限的消息散列值对。对HMAC的攻击必须在线,因为攻击者需要大量HMAC值来推断密钥。针对HMAC-SHA0的部分密钥恢复攻击的最佳结果发表在Asiacrypt 2006上,其中包含2^84个查询和2^60个SHA-0计算[COYI2006]。
What follows are recent attacks against SHA-1's collision, pre-image, and second pre-image resistance. Additionally, attacks against SHA-1 when used as a keyed-hash (i.e., HMAC-SHA-1) are discussed.
以下是最近针对SHA-1碰撞、预成像和第二次预成像阻力的攻击。此外,还讨论了将SHA-1用作密钥散列(即HMAC-SHA-1)时针对SHA-1的攻击。
It must be noted that NIST has recommended that SHA-1 not be used for generating digital signatures after December 31, 2010, and has specified that it not be used for generating digital signatures by U.S. federal government agencies "for the protection of sensitive, but unclassified information" after December 31, 2013 [SP800-131].
必须注意的是,NIST建议SHA-1在2010年12月31日之后不得用于生成数字签名,并规定SHA-1不得用于2013年12月31日之后美国联邦政府机构“为保护敏感但未保密的信息”生成数字签名[SP800-131]。
The first attack on SHA-1 was published in early 2005 [RIOS2005]. This attack described a theoretical attack on a version of SHA-1 reduced to 53 rounds. The very next month [WLY2005] showed collisions in the full 80 rounds in 2^69 operations. Since then, many new analysis methods have been developed to improve the attack presented in [WLY2005]. However, there are no published results that improve upon the results found in [WLY2005]. [Man2008/469], which is the International Association for Cryptologic Research (IACR) ePrint version of [Man2009], claimed that using the method presented in the paper, a collision of full SHA-1 can be found in 2^51 hash function calls. However, this claim is absent from the published conference paper [Man2009].
对SHA-1的第一次攻击发表于2005年初[RIOS2005]。这次攻击描述了对SHA-1的理论攻击,减少到53发。接下来的一个月[WLY2005]显示,在2^69次行动中,发生了整整80次碰撞。此后,许多新的分析方法被开发出来,以改进[WLY2005]中提出的攻击。然而,在[WLY2005]中发现的结果的基础上,还没有公布任何改进结果。[Man2008/469]是[Man2009]的国际密码学研究协会(IACR)ePrint版本,它声称使用本文中介绍的方法,可以在2^51个哈希函数调用中发现完整SHA-1的冲突。然而,发表的会议论文[Man2009]中没有这种说法。
In any case, the known research results indicate that SHA-1 is not as collision resistant as expected. The collision security strength is significantly less than an ideal hash function (i.e., 2^69 compared to 2^80).
无论如何,已知的研究结果表明,SHA-1并不像预期的那样耐碰撞。冲突安全强度明显小于理想的哈希函数(即,2^69比2^80)。
There are no known pre-image or second pre-image attacks that are specific to the full round SHA-1 algorithm. [KeSch] discovered a general result for all narrow-pipe Merkle-Damgaard hash functions (which includes SHA-1), finding a second pre-image takes less than 2^n computations. When n = 160, as is the case for SHA-1, it will take 2^106 computations to find a second pre-image in a 60-byte message.
不存在特定于全轮SHA-1算法的已知预映像或第二预映像攻击。[KeSch]发现了所有窄管道Merkle-Damgaard哈希函数(包括SHA-1)的一般结果,找到第二个预映像所需的计算量不到2^n。当n=160时,与SHA-1的情况一样,需要2^106次计算才能在60字节的消息中找到第二个预映像。
In the absence of full-round attacks, cryptographers consider reduced-round attacks for clues regarding an algorithm's strength. Reduced-round attacks, where the number of reduced rounds is not more than a few less than the full rounds, have not been shown to relate to full-round attacks. However, the best reduced-round attack indicates a certain security margin. For example, if the best known attack is on 60 out of 80 rounds, then the algorithm has about 20 rounds to resist improved attacks. However, the relationship between the number of rounds an attack can reach and the number of rounds defined in the algorithm is not linear; it does not provide a mathematical proof. In other words, reduced-round attacks indicate how strong the algorithm is with regard to a certain attack, not how close it is to being broken. Therefore, the following information about reduced-round attacks is included only for completeness.
在没有完全攻击的情况下,密码学者考虑减少关于算法强度的线索。减少回合攻击,即减少的回合数不超过整轮数,未显示与整轮攻击相关。但是,最佳的减少回合攻击表示有一定的安全余量。例如,如果最著名的攻击是80轮中的60轮,那么该算法大约有20轮来抵抗改进的攻击。然而,攻击可以达到的轮数与算法中定义的轮数之间的关系不是线性的;它没有提供数学证明。换言之,减少轮攻击表示算法对于某一攻击有多强,而不是它离被破坏有多近。因此,以下关于减少回合攻击的信息仅出于完整性考虑。
The pre-image and second pre-image attacks published on reduced versions of SHA-1 (i.e., less than 80 rounds) indicate that SHA-1 retains a significant security margin against these attacks. [AOSA2009] showed a pre-image attack on 48 out of 80 rounds with complexity of 2^159.
在精简版SHA-1上发布的预映像攻击和第二次预映像攻击(即少于80发)表明,SHA-1保留了针对这些攻击的显著安全余量。[AOSA2009]显示了80轮中的48轮图像前攻击,复杂性为2^159。
As of today, there is no indication that attacks on SHA-1 can be extended to HMAC-SHA-1.
截至今天,没有迹象表明对SHA-1的攻击可以扩展到HMAC-SHA-1。
SHA-1 provides less collision resistance than was originally expected, and collision resistance has been shown to affect some (but not all) applications that use digital signatures. Designers of IETF protocols that use digital signature algorithms should strongly consider support for a hash algorithm with greater collision
SHA-1提供的抗碰撞性能比最初预期的要低,并且已经证明抗碰撞性能会影响使用数字签名的一些(但不是全部)应用程序。使用数字签名算法的IETF协议的设计者应该强烈考虑对更大碰撞的哈希算法的支持。
resistance than that provided by SHA-1. Of course, SHA-0 should continue to not be used in any IETF protocol.
阻力比SHA-1提供的阻力大。当然,SHA-0不应继续在任何IETF协议中使用。
[Note: Protocol designers should review the current state of the art to ensure that selected hash algorithms provide sufficient security. At the time of publication, SHA-256 [SHS] is the most commonly specified alternative. The known (reduced-round) attacks on the collision resistance of SHA-256 indicate a significant security margin, and the longer message digest provides increased strength.]
[注:协议设计者应审查目前的技术水平,以确保选定的哈希算法提供足够的安全性。在发布时,SHA-256[SHS]是最常见的指定替代方案。已知的(减少轮数)对SHA-256抗冲突性的攻击表明存在显著的安全余量,较长的消息摘要提供了更高的强度。]
Nearly all IETF protocols that use signatures assume existing public key infrastructures, and SHA-1 is still used in signatures nearly everywhere. Therefore, it is unwise to strictly prohibit the use of SHA-1 in signature algorithms. Protocols that permit the use of SHA-1-based digital signatures as an option should strongly consider referencing this document in the security considerations.
几乎所有使用签名的IETF协议都假定现有的公钥基础设施,而SHA-1仍然在几乎所有地方的签名中使用。因此,严格禁止在签名算法中使用SHA-1是不明智的。允许使用基于SHI-1的数字签名作为选项的协议应强烈考虑引用该文档的安全性考虑。
A protocol designer might want to consider the use of SHA-1 with randomized hashing such as is specified in [SP800-107]. Note that randomized hashing expands the size of signatures and requires protocols to carry material that is not needed today. HMAC-SHA-1 remains secure and is the preferred keyed-hash algorithm for IETF protocol design.
协议设计者可能需要考虑SHA-1的使用,如在[SP800—107]中指定的随机散列。请注意,随机散列扩展了签名的大小,并要求协议携带今天不需要的材料。HMAC-SHA-1保持安全,是IETF协议设计的首选密钥哈希算法。
This entire document is about security considerations.
整个文档都是关于安全方面的考虑。
We'd like to thank Ran Atkinson and Sheila Frankel for their comments and suggestions.
我们要感谢Ran Atkinson和Sheila Frankel的评论和建议。
[AOSA2009] Aoki, K., and K. Saski, "Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1", Crypto 2009.
[AOSA2009]Aoki,K.和K.Saski,“针对精简SHA-0和SHA-1的中间预映像攻击”,Crypto 2009。
[deCARE2008] De Canniere, C., and C. Rechberger, "Preimages for Reduced SHA-0 and SHA-1", Crypto 2008.
[deCARE2008]De Canniere,C.和C.Rechberger,“简化SHA-0和SHA-1的前图像”,Crypto 2008。
[CHJO1998] Chaubad, F., and A. Joux, "Differential Collisions in SHA-0", Crypto 1998.
[CHJO1998]Chaubad,F.和A.Joux,“SHA-0中的微分碰撞”,Crypto 1998。
[COYI2006] Contini, S., and Y. Lin, "Forgery and Partial Key-Recovery Attacks on HMAC and NMAC Using Hash Collisions", Asiacrypt 2006.
[COYI2006]Contini,S.和Y.Lin,“利用哈希冲突对HMAC和NMAC进行伪造和部分密钥恢复攻击”,Asiacrypt 2006。
[HASH-Attack] Hoffman, P. and B. Schneier, "Attacks on Cryptographic Hashes in Internet Protocols", RFC 4270, November 2005.
[散列攻击]Hoffman,P.和B.Schneier,“对互联网协议中加密散列的攻击”,RFC 42702005年11月。
[KeSch] Kelsey, J., and B. Schneier, "Second Preimages on n-Bit Hash Functions for Much Less than 2n Work", In Cramer, R., ed.: Eurocrypt 2005. Volume 3494 of Lecture Notes in Computer Science, Springer (2005) 474-490.
[KeSch]Kelsey,J.和B.Schneier,“n位散列函数上的第二个预映像,用于远远少于2n个工作”,发表于R.Cramer,ed.:Eurocrypt 2005。《计算机科学课堂讲稿》第3494卷,斯普林格(2005)474-490。
[Man2008/469] Manuell, S., "Classification and Generation of Disturbance Vectors for Collision Attacks against SHA-1", http://eprint.iacr.org/2008/469.pdf.
[Man2008/469]Manuell,S.,“针对SHA-1的碰撞攻击干扰向量的分类和生成”,http://eprint.iacr.org/2008/469.pdf.
[Man2009] Manuell, S., "Classification and Generation of Disturbance Vectors for Collision Attacks against SHA-1", International Workshop on Coding and Cryptography, 2009, Norway.
[Manuell,S.,“针对SHA-1的碰撞攻击干扰向量的分类和生成”,编码和加密国际研讨会,2009年,挪威。
[NSSYK2006] Naito, Y., Sasaki, Y., Shimoyama, T., Yajima, J., Kunihiro, N., and K. Ohta, "Improved Collision Search for SHA-0", Asiacrypt 2006.
[NSSYK2006]奈藤,佐佐木,Y.,岛山,T.,Yajima,J.,Kunihiro,N.,和K.Ohta,“改进的SHA-0碰撞搜索”,Asiacrypt 2006。
[RIOS2005] Rijmen, V., and E. Oswald, "Update on SHA-1", CT-RSA 2005, Lecture Notes in Computer Science, vol. 3376, pp. 58-71.
[RIOS2005]Rijmen,V.和E.Oswald,“SHA-1更新”,CT-RSA 2005,计算机科学课堂讲稿,第3376卷,第58-71页。
[SHS] National Institute of Standards and Technology (NIST), FIPS Publication 180-3: Secure Hash Standard, October 2008.
[SHS]国家标准与技术研究所(NIST),FIPS出版物180-3:安全哈希标准,2008年10月。
[SP800-57] National Institute of Standards and Technology (NIST), Special Publication 800-57: Recommendation for Key Management - Part 1 (Revised), March 2007.
[SP800-57]国家标准与技术研究所(NIST),特别出版物800-57:关键管理建议-第1部分(修订版),2007年3月。
[SP800-107] National Institute of Standards and Technology (NIST), Special Publication 800-107: Recommendation for Applications using Approved Hash Algorithms, February 2009.
[SP800-107]国家标准与技术研究所(NIST),特别出版物800-107:使用经批准的哈希算法的应用建议,2009年2月。
[SP800-131] National Institute of Standards and Technology (NIST), Special Publication 800-131A: Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, January 2011.
[SP800-131]国家标准与技术研究所(NIST),专门出版物800-131A:密码算法和密钥大小转换建议,2011年1月。
[WLY2005] Wang, X., Yin, Y., and H. Yu., "Finding Collisions in the Full SHA-1", Crypto 2005.
[WLY2005]Wang,X.,Yin,Y.,和H.Yu.,“在完整的SHA-1中发现碰撞”,加密2005。
Authors' Addresses
作者地址
Tim Polk National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA
美国马里兰州盖瑟斯堡市邮政站8930号,蒂姆·波尔克国家标准与技术研究所100号,邮编:20899-8930
EMail: tim.polk@nist.gov
EMail: tim.polk@nist.gov
Lily Chen National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899-8930 USA
美国马里兰州盖瑟斯堡邮政站8930号,美国马里兰州盖瑟斯堡市局道100号,Lily Chen国家标准与技术研究所,邮编20899-8930
EMail: lily.chen@nist.gov
EMail: lily.chen@nist.gov
Sean Turner IECA, Inc. 3057 Nutley Street, Suite 106 Fairfax, VA 22031 USA
Sean Turner IECA,Inc.美国弗吉尼亚州费尔法克斯市努特利街3057号106室,邮编22031
EMail: turners@ieca.com
EMail: turners@ieca.com
Paul Hoffman VPN Consortium
保罗·霍夫曼VPN联盟
EMail: paul.hoffman@vpnc.org
EMail: paul.hoffman@vpnc.org