Network Working Group P. Hoffman
Request for Comments: 4270 VPN Consortium
Category: Informational B. Schneier
Counterpane Internet Security
November 2005
Network Working Group P. Hoffman
Request for Comments: 4270 VPN Consortium
Category: Informational B. Schneier
Counterpane Internet Security
November 2005
Attacks on Cryptographic Hashes in Internet Protocols
Internet协议中对加密哈希的攻击
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
Abstract
摘要
Recent announcements of better-than-expected collision attacks in popular hash algorithms have caused some people to question whether common Internet protocols need to be changed, and if so, how. This document summarizes the use of hashes in many protocols, discusses how the collision attacks affect and do not affect the protocols, shows how to thwart known attacks on digital certificates, and discusses future directions for protocol designers.
最近公布的流行散列算法中的冲突攻击优于预期,这让一些人质疑是否需要更改常见的Internet协议,如果需要,如何更改。本文档总结了哈希在许多协议中的使用,讨论了冲突攻击如何影响和不影响协议,展示了如何阻止对数字证书的已知攻击,并讨论了协议设计者的未来方向。
In summer 2004, a team of researchers showed concrete evidence that the MD5 hash algorithm was susceptible to collision attacks [MD5-attack]. In early 2005, the same team demonstrated a similar attack on a variant of the SHA-1 [RFC3174] hash algorithm, with a prediction that the normally used SHA-1 would also be susceptible with a large amount of work (but at a level below what should be required if SHA-1 worked properly) [SHA-1-attack]. Also in early 2005, researchers showed a specific construction of PKIX certificates [RFC3280] that use MD5 for signing [PKIX-MD5-construction], and another researcher showed a faster method for finding MD5 collisions (eight hours on a 1.6-GHz computer) [MD5-faster].
2004年夏天,一组研究人员展示了MD5哈希算法易受碰撞攻击[MD5攻击]的具体证据。2005年初,同一团队展示了对SHA-1[RFC3174]散列算法变体的类似攻击,并预测通常使用的SHA-1也会因大量工作而易受影响(但低于SHA-1正常工作所需的水平)[SHA-1-attack]。同样在2005年初,研究人员展示了一种使用MD5进行签名的PKIX证书[RFC3280]的特定构造[PKIX-MD5-construction],另一位研究人员展示了一种查找MD5冲突的更快方法(在1.6-GHz计算机上8小时)[MD5更快]。
Because of these announcements, there has been a great deal of discussion by cryptography experts, protocol designers, and other concerned people about what, if anything, should be done based on the
由于这些公告,密码学专家、协议设计者和其他关心的人就应该根据协议做些什么(如果有的话)进行了大量讨论
news. Unfortunately, some of these discussions have been based on erroneous interpretations of both the news and on how hash algorithms are used in common Internet protocols.
消息不幸的是,其中一些讨论是基于对新闻和散列算法如何在通用互联网协议中使用的错误解释。
Hash algorithms are used by cryptographers in a variety of security protocols, for a variety of purposes, at all levels of the Internet protocol stack. They are used because they have two security properties: to be one way and collision free. (There is more about these properties in the next section; they're easier to explain in terms of breaking them.) The recent attacks have demonstrated that one of those security properties is not true. While it is certainly possible, and at a first glance even probable, that the broken security property will not affect the overall security of many specific Internet protocols, the conservative security approach is to change hash algorithms. The Internet protocol community needs to migrate in an orderly manner away from SHA-1 and MD5 -- especially MD5 -- and toward more secure hash algorithms.
散列算法被密码学家用于各种安全协议中,用于各种目的,在互联网协议栈的所有级别。之所以使用它们,是因为它们具有两个安全属性:单向和无冲突。(下一节将介绍更多关于这些属性的内容;更容易解释如何破坏它们。)最近的攻击表明,其中一个安全属性是不正确的。虽然很可能,乍一看甚至很可能,损坏的安全属性不会影响许多特定Internet协议的整体安全性,但保守的安全方法是更改哈希算法。互联网协议社区需要有序地从SHA-1和MD5(尤其是MD5)迁移到更安全的散列算法。
This document summarizes what is currently known about hash algorithms and the Internet protocols that use them. It also gives advice on how to avoid the currently known problems with MD5 and SHA-1, and what to consider if predicted attacks become real.
本文档总结了目前已知的哈希算法和使用它们的互联网协议。它还提供了如何避免MD5和SHA-1当前已知问题的建议,以及如果预测的攻击成为现实,该如何考虑。
A high-level summary of the current situation is:
当前形势的高级别总结如下:
o Both MD5 and SHA-1 have newly found attacks against them, the attacks against MD5 being much more severe than the attacks against SHA-1.
o MD5和SHA-1都新发现了针对它们的攻击,针对MD5的攻击比针对SHA-1的攻击严重得多。
o The attacks against MD5 are practical on any modern computer.
o 对MD5的攻击在任何现代计算机上都是可行的。
o The attacks against SHA-1 are not feasible with today's computers, but will be if the attacks are improved or Moore's Law continues to make computing power cheaper.
o 针对SHA-1的攻击在今天的计算机上是不可行的,但如果攻击得到改进,或者摩尔定律继续使计算能力更便宜,攻击将是可行的。
o Many common Internet protocols use hashes in ways that are unaffected by these attacks.
o 许多常见的互联网协议以不受这些攻击影响的方式使用哈希。
o Most of the affected protocols use digital signatures.
o 大多数受影响的协议都使用数字签名。
o Better hash algorithms will reduce the susceptibility of these attacks to an acceptable level for all users.
o 更好的散列算法将把这些攻击的易感性降低到所有用户都能接受的水平。
A "perfect" hash algorithm has a few basic properties. The algorithm converts a chunk of data (normally, a message) of any size into a fixed-size result. The length of the result is called the "hash
“完美”哈希算法有几个基本属性。该算法将任意大小的数据块(通常是消息)转换为固定大小的结果。结果的长度称为“散列”
length" and is often denoted as "L"; the result of applying the hash algorithm on a particular chunk of data is called the "hash value" for that data. Any two different messages of any size should have an exceedingly small probability of having the same hash value, regardless of how similar or different the messages are.
“长度”,通常表示为“L”;对特定数据块应用哈希算法的结果称为该数据的“哈希值”。任何大小的任何两个不同消息具有相同哈希值的概率都非常小,无论消息有多相似或不同。
This description leads to two mathematical results. Finding a pair of messages M1 and M2 that have the same hash value takes 2^(L/2) attempts. For any reasonable hash length, this is an impossible problem to solve (collision free). Also, given a message M1, finding any other message M2 that has the same hash value as M1 takes 2^L attempts. This is an even harder problem to solve (one way).
这个描述导致两个数学结果。查找具有相同哈希值的一对消息M1和M2需要2^(L/2)次尝试。对于任何合理的哈希长度,这都是一个无法解决的问题(无冲突)。此外,给定消息M1,查找与M1具有相同哈希值的任何其他消息M2需要2^L次尝试。这是一个更难解决的问题(单向)。
Note that this is the description of a perfect hash algorithm; if the algorithm is less than perfect, an attacker can expend less than the full amount of effort to find two messages with the same hash value.
注意,这是对完美散列算法的描述;如果算法不够完美,攻击者可以花费少于全部的精力来查找具有相同哈希值的两条消息。
There are two categories of attacks.
有两类攻击。
Attacks against the "collision-free" property:
对“无碰撞”属性的攻击:
o A "collision attack" allows an attacker to find two messages M1 and M2 that have the same hash value in fewer than 2^(L/2) attempts.
o “冲突攻击”允许攻击者在不到2^(L/2)次的尝试中找到具有相同哈希值的两条消息M1和M2。
Attacks against the "one-way" property:
对“单向”属性的攻击:
o A "first-preimage attack" allows an attacker who knows a desired hash value to find a message that results in that value in fewer than 2^L attempts.
o “第一次前映像攻击”允许知道所需哈希值的攻击者在少于2^1次的尝试中找到导致该值的消息。
o A "second-preimage attack" allows an attacker who has a desired message M1 to find another message M2 that has the same hash value in fewer than 2^L attempts.
o “第二次预映像攻击”允许拥有所需消息M1的攻击者在少于2^1次的尝试中找到另一条具有相同哈希值的消息M2。
The two preimage attacks are very similar. In a first-preimage attack, you know a hash value but not the message that created it, and you want to discover any message with the known hash value; in the second-preimage attack, you have a message and you want to find a second message that has the same hash. Attacks that can find one type of preimage can often find the other as well.
这两种预映像攻击非常相似。在第一次前映像攻击中,您知道一个哈希值,但不知道创建它的消息,并且希望发现任何具有已知哈希值的消息;在第二次预映像攻击中,您有一条消息,希望找到具有相同哈希的第二条消息。可以找到一种类型的前映像的攻击通常也可以找到另一种类型的前映像。
When analyzing the use of hash algorithms in protocols, it is important to differentiate which of the two properties of hashes are important, particularly now that the collision-free property is becoming weaker for currently popular hash algorithms. It is certainly important to determine which parties select the material being hashed. Further, as shown by some of the early work,
在分析散列算法在协议中的使用时,区分散列的两个属性中的哪一个是重要的是很重要的,尤其是在当前流行的散列算法的无冲突属性变得越来越弱的情况下。确定哪一方选择要散列的材料当然很重要。此外,正如早期的一些工作所表明的,
particularly [PKIX-MD5-construction], it is also important to consider which party can predict the material at the beginning of the hashed object.
特别是[PKIX-Md5-Studio构造],重要的是考虑哪一方可以预测散列对象开始时的材料。
All the currently known practical or almost-practical attacks on MD5 and SHA-1 are collision attacks. This is fortunate: significant first- and second-preimage attacks on a hash algorithm would be much more devastating in the real world than collision attacks, as described later in this document.
目前已知的所有针对MD5和SHA-1的实际或几乎实际的攻击都是碰撞攻击。这是幸运的:在现实世界中,对散列算法的重大第一和第二预映像攻击比碰撞攻击更具破坏性,如本文后面所述。
It is also important to note that the current collision attacks require at least one of the two messages to have a fair amount of structure in the bits of the message. This means that finding two messages that both have the same hash value *and* are useful in a real-world attack is more difficult than just finding two messages with the same hash value.
还需要注意的是,当前的冲突攻击要求两条消息中至少有一条消息的比特具有相当数量的结构。这意味着查找两条具有相同哈希值*和*的消息在实际攻击中很有用,这比仅查找具有相同哈希值的两条消息要困难得多。
Hash algorithms are used in many ways on the Internet. Most protocols that use hash algorithms do so in a way that makes them immune to harm from collision attacks. This is not by accident: good protocol designers develop their protocols to withstand as many future changes in the underlying cryptography as possible, including attacks on the cryptographic algorithms themselves.
散列算法在互联网上有多种用途。大多数使用散列算法的协议都是以一种使它们免受冲突攻击伤害的方式来实现的。这并不是偶然的:优秀的协议设计人员开发他们的协议,以尽可能地抵抗潜在密码术的未来变化,包括对密码算法本身的攻击。
Uses for hash algorithms include:
哈希算法的用途包括:
o Non-repudiable digital signatures on messages. Non-repudiation is a security service that provides protection against false denial of involvement in a communication. S/MIME and OpenPGP allow mail senders to sign the contents of a message they create, and the recipient of that message can verify whether or not the signature is actually associated with the message. A message is used for non-repudiation if the message is signed and the recipient of the message can later use the signature to prove that the signer indeed created the message.
o 消息上的不可抵赖数字签名。不可抵赖性是一种安全服务,可防止通信中的虚假拒绝参与。S/MIME和OpenPGP允许邮件发件人对其创建的邮件内容进行签名,该邮件的收件人可以验证签名是否与邮件实际关联。如果消息已签名,则消息用于不可否认性,并且消息的接收者可以稍后使用签名来证明签名者确实创建了消息。
o Digital signatures in certificates from trusted third parties. Although this is similar to "digital signatures on messages", certificates themselves are used in many other protocols for authentication and key management.
o 来自可信第三方的证书中的数字签名。虽然这类似于“消息上的数字签名”,但证书本身在许多其他协议中用于身份验证和密钥管理。
o Challenge-response protocols. These protocols combine a public large random number with a value to help hide the value when being sent over unencrypted channels.
o 挑战响应协议。这些协议将一个公共大随机数与一个值相结合,以帮助在通过未加密的通道发送时隐藏该值。
o Message authentication with shared secrets. These are similar to challenge-response protocols, except that instead of using public values, the message is combined with a shared secret before hashing.
o 具有共享机密的消息身份验证。这些协议类似于质询-响应协议,不同之处在于,在散列之前,消息与共享秘密相结合,而不是使用公共值。
o Key derivation functions. These functions make repeated use of hash algorithms to mix data into a random string for use in one or more keys for a cryptographic protocol.
o 关键派生函数。这些函数重复使用散列算法将数据混合成随机字符串,用于加密协议的一个或多个密钥。
o Mixing functions. These functions also make repeated use of hash algorithms to mix data into random strings, for uses other than cryptographic keys.
o 混合函数。这些函数还重复使用散列算法将数据混合到随机字符串中,用于加密密钥以外的用途。
o Integrity protection. It is common to compare a hash value that is received out-of-band for a file with the hash value of the file after it is received over an unsecured protocol such as FTP.
o 完整性保护。通常会将带外接收的文件哈希值与通过FTP等不安全协议接收后的文件哈希值进行比较。
Of the above methods, only the first two are affected by collision attacks, and even then, only in limited circumstances. So far, it is believed that, in general, challenge-response protocols are not susceptible, because the sender is authenticating a secret already stored by the recipient. In message authentication with shared secrets, the fact that the secret is known to both parties is also believed to prevent any sensible attack. All key derivation functions in IETF protocols take random input from both parties, so the attacker has no way of structuring the hashed message.
在上述方法中,只有前两种受到碰撞攻击的影响,即使如此,也只有在有限的情况下才会受到影响。到目前为止,一般认为质询-响应协议不易受影响,因为发送方正在验证接收方已经存储的秘密。在共享秘密的消息身份验证中,双方都知道该秘密这一事实也被认为可以防止任何合理的攻击。IETF协议中的所有密钥派生函数都从双方获取随机输入,因此攻击者无法构造哈希消息。
The basic idea behind the collision attack on a hash algorithm used in a digital-signature protocol is that the attacker creates two messages that have the same hash value, causes one of them to be signed, and then uses that signature over the other message for some nefarious purpose. The specifics of the attack depend on the protocol being used and what the victim does when presented with the signed message.
对数字签名协议中使用的哈希算法进行冲突攻击的基本思想是,攻击者创建两条具有相同哈希值的消息,对其中一条进行签名,然后将该签名用于另一条消息的某些邪恶目的。攻击的细节取决于所使用的协议以及受害者在收到签名消息时的行为。
The canonical example is where you create two messages, one of which says "I will pay $10 for doing this job" and the other of which says "I will pay $10,000 for doing this job". You present the first message to the victim, get them to sign it, do the job, substitute the second message in the signed authorization, present the altered signed message (whose signature still verifies), and demand the higher amount of money. If the victim refuses, you take them to court and show the second signed message.
典型的例子是,您创建了两条消息,其中一条说“我将为做这项工作支付10美元”,另一条说“我将为做这项工作支付10000美元”。您将第一条消息呈现给受害者,让他们签名,完成工作,在签名授权中替换第二条消息,呈现修改后的签名消息(其签名仍然有效),并要求更高的金额。如果受害者拒绝,你就把他们带到法庭,并出示第二条签名信息。
Most non-repudiation attacks rely on a human assessing the validity of the purportedly signed message. In the case of the hash-collision attack, the purportedly signed message's signature is valid, but so is the signature on the original message. The victim can produce the original message, show that he/she signed it, and show that the two hash values are identical. The chance of this happening by accident is one in 2^L, which is infinitesimally small for either MD5 or SHA-1.
大多数不可否认攻击依赖于人工评估据称已签名消息的有效性。在散列冲突攻击的情况下,据称已签名的消息的签名是有效的,但原始消息上的签名也是有效的。受害者可以生成原始消息,显示他/她已签名,并显示两个哈希值相同。偶然发生这种情况的几率是1/2^L,这对于MD5或SHA-1来说都是非常小的。
In other words, to thwart a hash collision attack in a non-repudiation protocol where a human is using a signed message as authorization, the signer needs to keep a copy of the original message he/she signed. Messages that have other messages with the same hash must be created by the same person, and do not happen by accident under any known probable circumstances. The fact that the two messages have the same hash value should cause enough doubt in the mind of the person judging the validity of the signature to cause the legal attack to fail (and possibly bring intentional fraud charges against the attacker).
换句话说,在不可否认协议中,为了阻止散列冲突攻击,其中人员使用签名消息作为授权,签名者需要保留他/她签名的原始消息的副本。具有具有相同哈希的其他消息的消息必须由同一个人创建,并且在任何已知的可能情况下都不会意外发生。这两条消息具有相同的散列值这一事实应该会在判断签名有效性的人心中引起足够的怀疑,从而导致法律攻击失败(并可能对攻击者提出故意欺诈指控)。
Thwarting hash collision attacks in automated non-repudiation protocols is potentially more difficult, because there may be no humans paying enough attention to be able to argue about what should have happened. For example, in electronic data interchange (EDI) applications, actions are usually taken automatically after authentication of a signed message. Determining the practical effects of hash collisions would require a detailed evaluation of the protocol.
在自动不可否认协议中挫败散列冲突攻击可能更为困难,因为可能没有人给予足够的关注来争论应该发生什么。例如,在电子数据交换(EDI)应用程序中,通常在对签名消息进行身份验证后自动采取操作。确定散列冲突的实际影响需要对协议进行详细评估。
5. Hash Collision Attacks and Digital Certificates from Trusted Third Parties
5. 来自可信第三方的哈希冲突攻击和数字证书
Digital certificates are a special case of digital signatures. In general, there is no non-repudiation attack on trusted third parties due to the fact that certificates have specific formatting. Digital certificates are often used in Internet protocols for key management and for authenticating a party with whom you are communicating, possibly before granting access to network services or trusting the party with private data such as credit card information.
数字证书是数字签名的一种特殊情况。一般来说,由于证书具有特定的格式,因此不会对受信任的第三方发起不可否认攻击。数字证书通常在Internet协议中用于密钥管理和验证与您通信的一方,可能是在授予对网络服务的访问权限或使用私人数据(如信用卡信息)信任该方之前。
It is therefore important that the granting party can trust that the certificate correctly identifies the person or system identified by the certificate. If the attacker can get a certificate for two different identities using just one public key, the victim can be fooled into believing that one person is someone else.
因此,重要的是授予方可以相信证书正确地标识了证书标识的人员或系统。如果攻击者仅使用一个公钥就可以获得两个不同身份的证书,那么受害者可能会被愚弄为相信一个人是其他人。
The collision attack on PKIX certificates described in early 2005 relied on the ability of the attacker to create two different public keys that would cause the body of the certificate to have the same hash value. For this attack to work, the attacker needs to be able to predict the contents and structure of the certificate before it is issued, including the identity that will be used, the serial number that will be included in the certificate, and the start and stop dates of the validity period for the certificate.
2005年初描述的对PKIX证书的冲突攻击依赖于攻击者创建两个不同公钥的能力,这将导致证书体具有相同的哈希值。要使此攻击生效,攻击者需要能够在颁发证书之前预测证书的内容和结构,包括将使用的标识、证书中包含的序列号以及证书有效期的开始和停止日期。
The effective result of this attack is that one person using a single identity can get a digital certificate over one public key, but be able to pretend that it is over a different public key (but with the same identity, valid dates, and so on). Because the identity in the two certificates is the same, there are probably no real-world examples where such an attack would get the attacker any advantage. At best, someone could claim that the trusted third party made a mistake by issuing a certificate with the same identity and serial number based on two different public keys. This is indeed far-fetched.
这种攻击的有效结果是,使用单一身份的人可以通过一个公钥获得数字证书,但可以假装它通过不同的公钥(但具有相同的身份、有效日期等)。由于两个证书中的标识相同,因此可能没有任何实际示例表明此类攻击会使攻击者获得任何优势。充其量,有人可以声称受信任的第三方犯了错误,基于两个不同的公钥颁发了具有相同身份和序列号的证书。这实在是牵强。
It is very important to note that collision attacks only affect the parts of certificates that have no human-readable information in them, such as the public keys. An attack that involves getting a certificate with one human-readable identity and making that certificate useful for a second human-readable identity would require more effort than a simple collision attack.
请务必注意,碰撞攻击只影响证书中没有人类可读信息的部分,例如公钥。涉及获取具有一个人类可读身份的证书并使该证书对第二个人类可读身份有用的攻击比简单的冲突攻击需要付出更多的努力。
If a trusted third party who issues PKIX certificates wants to avoid the attack described above, they can prevent the attack by making other signed parts of the certificate random enough to eliminate any advantage gained by the attack. Ideas that have been suggested include:
如果颁发PKIX证书的受信任第三方希望避免上述攻击,他们可以通过使证书的其他签名部分足够随机以消除攻击所获得的任何优势来防止攻击。建议的想法包括:
o making part of the certificate serial number unpredictable to the attacker
o 使攻击者无法预测部分证书序列号
o adding a randomly chosen component to the identity
o 将随机选择的组件添加到标识
o making the validity dates unpredictable to the attacker by skewing each one forwards or backwards
o 通过向前或向后倾斜每个有效日期,使攻击者无法预测有效日期
Any of these mechanisms would increase the amount of work the attacker needs to do to trick the issuer of the certificate into generating a certificate that is susceptible to the attack.
这些机制中的任何一种都会增加攻击者所需的工作量,从而诱使证书颁发者生成易受攻击的证书。
There is a disagreement in the security community about what to do now. Even the two authors of this document disagree on what to do now.
安全界对现在该怎么办存在分歧。即使是这份文件的两位作者也不同意现在该做什么。
One of us (Bruce) believes that everyone should start migrating to SHA-256 [SHA-256] now, due to the weaknesses that have already been demonstrated in both MD5 and SHA-1. There is an old saying inside the US National Security Agency (NSA): "Attacks always get better; they never get worse." The current collision attacks against MD5 are easily done on a single computer; the collision attacks against SHA-1 are at the far edge of feasibility today, but will only improve with time. It is preferable to migrate to the new hash standard before there is a panic, instead of after. Just as we all migrated from SHA-0 to SHA-1 based on some unknown vulnerability discovered inside the NSA, we need to migrate from SHA-1 to SHA-256 based on these most recent attacks. SHA-256 has a 256-bit hash length. This length will give us a much larger security margin in the event of newly discovered attacks. Meanwhile, further research inside the cryptographic community over the next several years should point to further improvements in hash algorithm design, and potentially an even more secure hash algorithm.
我们中的一位(Bruce)认为,由于MD5和SHA-1中已经证明的弱点,每个人现在都应该开始迁移到SHA-256[SHA-256]。美国国家安全局(NSA)内部有句老话:“攻击总是会变得更好,从来不会变得更糟。”目前针对MD5的碰撞攻击很容易在一台计算机上完成;对SHA-1的碰撞攻击目前还处于可行性的边缘,但只会随着时间的推移而改善。最好在出现恐慌之前迁移到新的哈希标准,而不是在恐慌之后。正如我们都根据NSA内部发现的未知漏洞从SHA-0迁移到SHA-1一样,我们也需要根据这些最新的攻击从SHA-1迁移到SHA-256。SHA-256具有256位哈希长度。在新发现的攻击事件中,此长度将为我们提供更大的安全余量。同时,未来几年密码界的进一步研究应该指向哈希算法设计的进一步改进,以及可能更安全的哈希算法。
The other of us (Paul) believes that this may not be wise for two reasons. First, the collision attacks on current protocols have not been shown to have any discernible real-world effects. Further, it is not yet clear which stronger hash algorithm will be a good choice for the long term. Moving from one algorithm to another leads to inevitable lack of interoperability and confusion for typical crypto users. (Of course, if any practical attacks are formulated before there is community consensus of the properties of the cipher-based hash algorithms, Paul would change his opinion to "move to SHA-256 now".)
我们中的另一个人(保罗)认为这可能不明智,原因有二。首先,当前协议上的冲突攻击没有显示出任何明显的现实效果。此外,目前还不清楚哪种更强的散列算法是长期的好选择。从一种算法移动到另一种算法,对于典型的加密用户来说,不可避免地缺乏互操作性和混乱。(当然,如果在社区对基于密码的散列算法的属性达成一致意见之前制定了任何实际的攻击,Paul会将其观点改为“立即转移到SHA-256”。)
Both authors agree that work should be done to make all Internet protocols able to use different hash algorithms with longer hash values. Fortunately, most protocols today already are capable of this; those that are not should be fixed soon.
两位作者都同意,应该努力使所有互联网协议能够使用具有更长散列值的不同散列算法。幸运的是,今天的大多数协议已经能够做到这一点;那些没有被修复的应该尽快修复。
The authors of this document feel similarly for new protocols being developed: Bruce thinks they should start using SHA-256 from the start, and Paul thinks that they should use SHA-1 as long as the new protocols are not susceptible to collision attacks. Any new protocol must have the ability to change all of its cryptographic algorithms, not just its hash algorithm.
本文的作者对正在开发的新协议也有类似的感受:Bruce认为他们应该从一开始就使用SHA-256,Paul认为只要新协议不易受到冲突攻击,他们就应该使用SHA-1。任何新协议都必须能够更改其所有加密算法,而不仅仅是其哈希算法。
The entire document discusses security on the Internet.
整个文档讨论了Internet上的安全性。
The discussion in this document assumes that the only attacks on hash algorithms used in Internet protocols are collision attacks. Some significant preimaging attacks have already been discovered [Preimaging-attack], but they are not yet practical. If a practical preimaging attack is discovered, it would drastically affect many Internet protocols. In this case, "practical" means that it could be executed by an attacker in a meaningful amount of time for a meaningful amount of money. A preimaging attack that costs trillions of dollars and takes decades to preimage one desired hash value or one message is not practical; one that costs a few thousand dollars and takes a few weeks might be very practical.
本文档中的讨论假设对Internet协议中使用的哈希算法的唯一攻击是冲突攻击。一些重要的预成像攻击已经被发现[预成像攻击],但它们还不实用。如果发现实际的预成像攻击,它将极大地影响许多互联网协议。在这种情况下,“实用”意味着攻击者可以在相当长的时间内以相当大的代价执行它。花费数万亿美元并花费数十年时间对一个所需哈希值或一条消息进行预成像的预成像攻击是不实际的;一个花费几千美元,需要几个星期的项目可能非常实用。
[MD5-attack] X. Wang, D. Feng, X. Lai, and H. Yu, "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", August 2004, <http://eprint.iacr.org/2004/199>.
[MD5攻击]X.Wang,D.Feng,X.Lai和H.Yu,“哈希函数MD4,MD5,HAVAL-128和RIPEMD的冲突”,2004年8月<http://eprint.iacr.org/2004/199>.
[MD5-faster] Vlastimil Klima, "Finding MD5 Collisions - a Toy For a Notebook", March 2005, <http://cryptography.hyperlink.cz/ md5/MD5_collisions.pdf>.
[MD5更快]Vlastimil Klima,“寻找MD5碰撞-笔记本电脑玩具”,2005年3月<http://cryptography.hyperlink.cz/ md5/md5_collisions.pdf>。
[PKIX-MD5-construction] Arjen Lenstra and Benne de Weger, "On the possibility of constructing meaningful hash collisions for public keys", February 2005, <http://www.win.tue.nl/~bdeweger/ CollidingCertificates/ddl-final.pdf>.
[PKIX-MD5-construction]Arjen Lenstra和Benne de Weger,“关于为公钥构造有意义的哈希冲突的可能性”,2005年2月<http://www.win.tue.nl/~bdeweger/collingcertificates/ddl final.pdf>。
[Preimaging-attack] John Kelsey and Bruce Schneier, "Second Preimages on n-bit Hash Functions for Much Less than 2^n Work", November 2004, <http://eprint.iacr.org/2004/304>.
[Preimaging attack]John Kelsey和Bruce Schneier,“n位哈希函数上的第二个Preimaging,用于远远少于2^n的工作”,2004年11月<http://eprint.iacr.org/2004/304>.
[RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 (SHA1)", RFC 3174, September 2001.
[RFC3174]Eastlake,D.和P.Jones,“美国安全哈希算法1(SHA1)”,RFC 3174,2001年9月。
[RFC3280] Housley, R., Polk, W., Ford, W., and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002.
[RFC3280]Housley,R.,Polk,W.,Ford,W.,和D.Solo,“互联网X.509公钥基础设施证书和证书撤销列表(CRL)概要”,RFC 32802002年4月。
[SHA-1-attack] Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, "Collision Search Attacks on SHA1", February 2005, <http://theory.csail.mit.edu/~yiqun/shanote.pdf>.
[SHA-1-attack]王晓云、尹益群、余洪波,“对SHA-1的碰撞搜索攻击”,2005年2月<http://theory.csail.mit.edu/~yiqun/shanote.pdf>。
[SHA-256] NIST, "Federal Information Processing Standards Publication (FIPS PUB) 180-2, Secure Hash Standard", August 2002.
[SHA-256]NIST,“联邦信息处理标准出版物(FIPS PUB)180-2,安全哈希标准”,2002年8月。
The authors would like to thank the IETF community, particularly those active on the SAAG mailing list, for their input. We would also like to thank Eric Rescorla for early material that went into the first version, and Arjen Lenstra and Benne de Weger for significant comments on the first version of this document.
作者要感谢IETF社区,特别是那些活跃在SAAG邮件列表上的人的投入。我们还要感谢Eric Rescorla提供了第一个版本的早期材料,以及Arjen Lenstra和Benne de Weger对本文件第一个版本的重要评论。
Authors' Addresses
作者地址
Paul Hoffman VPN Consortium
保罗·霍夫曼VPN联盟
EMail: paul.hoffman@vpnc.org
EMail: paul.hoffman@vpnc.org
Bruce Schneier Counterpane Internet Security
Bruce Schneier对抗互联网安全
EMail: schneier@counterpane.com
EMail: schneier@counterpane.com
Full Copyright Statement
完整版权声明
Copyright (C) The Internet Society (2005).
版权所有(C)互联网协会(2005年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息是按“原样”提供的,贡献者、他/她所代表或赞助的组织(如有)、互联网协会和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。