
Slide 1: Some Current Thinking on Hash Functions Within NIST
John Kelsey, NIST, June 2005

Slide 2: Overview
● How We Got Here
● Impact of Recent Attacks
● Short-Term Reactions
● Long-Term: New Algorithms?
● The Workshop (Oct 31-Nov 1, 2005)

Slide 3: How We Got Here: Recent Attacks
● Crypto 2004
  – Wang rump session talk (aka mass die-off of hash functions)
  – Joux, Biham/Chen analyses of SHA0/1
  – Joux multicollision result
● In 2005 (so far):
  – Wang announced break of SHA1
  – Many clever applications of MD5 collisions
  – 2nd preimage attacks
  – Full details of MD4/MD5/RIPEMD attacks published

Slide 4: Impact of Attacks
● MD5 Attack:
  – Attack is practical, and MD5 still widely used
  – Huge need to quickly migrate to something stronger!
  – But NIST never had recommended MD5....
● SHA1 Attack:
  – Attack not (yet) very practical (about 2^69 work)
  – Need to migrate to something stronger, but not urgent.
  – SHA1's life was almost over anyway....
  – ...but NIST got burned!

Slide 5: Impact of Attacks (2)
● Damgard-Merkle Construction attacks
  – Joux multicollisions
  – 2nd preimages
  – More to come....
● Impact:
  – When can we trust an n-bit iterated hash against an attacker who can do 2^(n/2) work?
  – HMAC unaffected
  – How much do we really know about our hash constructions?

Slide 6: Impact of Attacks: Summary
● Urgent need to migrate from MD5
● Less urgent need to migrate from SHA1
● SHA1 result may undermine confidence in SHA256
  – Same organization designed it (NSA)
  – Same organization standardized on it (NIST)
  – Similar enough design to raise concerns
● ...but is the public crypto community doing any better?
  – How well do we understand hash functions?

Slide 7: How to React to Attacks?
● Short-Term:
  – Migration to SHA256 and truncated SHA256
  – A few special-purpose workarounds
  – Evaluate SHA256/512 for security
● Long-Term:
  – Existing alternatives to SHA family?
  – Developing new algorithms?

Slide 8: Short-Term Reaction: Migration and Workarounds
● Migration to SHA256
  – Urgent need for cryptanalysis before mass migration
  – Truncated SHA256 (SHA-x): Drop-in replacement for SHA1 and maybe MD5
● Change certificate signing and other protocols to minimize impact of collisions on applications.
● Problems:
  – SHA256 confidence?
  – Hard to migrate twice.
  – MD5 and SHA1 apps in very different situations.
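A concrete form of the "truncated SHA256 as a drop-in" idea from this slide, as an added example that is not code from the talk or from NIST. It wraps Python's standard hashlib; the set of permitted output lengths is a constructed choice, and the n/2 rule it reports is the generic birthday bound, which slide 10 also states as the requirement. It also checks the caveat a migration plan has to get right: SHA-224 is not "the first 224 bits of SHA-256" (it uses different initial values), so a home-made truncation is a new, non-interoperable function that every party has to agree on.

```python
import hashlib

# Output lengths this wrapper will hand out (constructed for the example).
# 160 bits mimics a SHA1-sized slot; 224/256 match standardized sizes.
ALLOWED_BITS = {160, 192, 224, 256}


def truncated_sha256(data: bytes, out_bits: int) -> bytes:
    """Leftmost out_bits of SHA-256; rejects lengths outside ALLOWED_BITS."""
    if out_bits not in ALLOWED_BITS:
        raise ValueError(f"unsupported truncation length: {out_bits}")
    return hashlib.sha256(data).digest()[: out_bits // 8]


def collision_security_bits(out_bits: int) -> int:
    """Generic birthday bound: an n-bit output gives at most n/2-bit collision
    resistance, which is what DSA/ECDSA sizing (slide 10) is keyed to."""
    return out_bits // 2


def matches_standard_sha224(data: bytes) -> bool:
    """False for any input: SHA-224 shares SHA-256's compression function but
    starts from different initial values, so truncating SHA-256 to 224 bits
    does not reproduce it. A drop-in must be specified, not improvised."""
    return hashlib.sha224(data).digest() == truncated_sha256(data, 224)


if __name__ == "__main__":
    sample = b"abc"  # constructed input
    print(truncated_sha256(sample, 160).hex(), collision_security_bits(160))
    print("truncated SHA-256 == SHA-224?", matches_standard_sha224(sample))
```

Usage note: the 160-bit variant slots into a SHA1-sized field but only buys 80-bit collision resistance, the same level SHA1 was designed for; if the goal is to stop migrating twice (slide 8's "hard to migrate twice"), the field width, not just the algorithm, has to change.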

Slide 9: Long-Term Reaction: New Algorithms?
● SHA256/512 already in protocols and products
  – Won't be withdrawn unless a real attack appears
  – Do we need another algorithm?
● Few existing choices with required parameters
  – {256, 384, 512} bit output for {128, 192, 256} bit collision resistance
● A few possibilities:
  – Whirlpool (256/384/512)
  – GOST hash (256)
  – Existing generic block cipher constructions w/ AES

Slide 10: New Algorithms: Requirements We Know About
● Drop-in Replacement for SHA family
● Output size = {224, 256, 384, 512}
  – (Truncation OK)
  – n-bit output must correspond to n/2-bit collision resistance (Needed for DSA, ECDSA)
● Usable in other common hash places
  – Pseudorandom Bit Generation
  – Key Derivation
● Public, unpatented, full disclosure of analysis and design process

Slide 11: New Algorithms: Requirements/Ideas to Discuss
● Possible security requirements
  – Block multicollisions and 2nd preimage attacks?
  – Fixing the length-extension property?
● What should be the performance requirements?
  – Parallelizability?
  – 8/32/64 bit architectures?
  – Side channels? (S-boxes, multiplies, etc.)
● Should we have multiple standards?
  – Block cipher construction from AES?
  – Special purpose provable hash functions?
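The two structural properties of the Damgard-Merkle construction that slide 5 flags (Joux multicollisions, and the question of what 2^(n/2) work buys an attacker) and that this slide proposes fixing (multicollisions, length extension), shown on a toy iterated hash. This is an added example, not code from the talk or from NIST: the 16-bit compression function, the IV, the padding rule and the sample key and message are all constructed so the effects are cheap to exhibit, and nothing about the toy is a standardized design. It shows why both items belong on a requirements list: the multicollision search costs about k * 2^(n/2) instead of the roughly 2^(n(2^k-1)/2^k) an ideal hash would demand, and the digest alone lets anyone continue the iteration, which is why H(key || message) is not a safe MAC and HMAC-style nesting is used instead.

```python
import hashlib
import itertools

STATE_BITS = 16               # toy chaining-state width n (constructed)
STATE_BYTES = STATE_BITS // 8
BLOCK_BYTES = 4               # toy message-block size (constructed)
IV = 0x1234                   # constructed initial value

_compress_calls = 0           # work counter, in compression-function evaluations


def work_so_far() -> int:
    return _compress_calls


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 of (state || block) cut to n bits."""
    global _compress_calls
    _compress_calls += 1
    digest = hashlib.sha256(state.to_bytes(STATE_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:STATE_BYTES], "big")


def md_padding(message_len: int) -> bytes:
    """MD strengthening: 0x80, zero fill to a block boundary, then the bit length."""
    pad = b"\x80" + b"\x00" * (-(message_len + 1) % BLOCK_BYTES)
    return pad + (message_len * 8).to_bytes(BLOCK_BYTES, "big")


def md_iterate(state: int, data: bytes) -> int:
    """Run already-padded data through the compression function block by block."""
    for i in range(0, len(data), BLOCK_BYTES):
        state = compress(state, data[i:i + BLOCK_BYTES])
    return state


def md_hash(message: bytes) -> int:
    """The full iterated hash: pad, then iterate from the fixed IV."""
    return md_iterate(IV, message + md_padding(len(message)))


# --- Joux multicollisions (slide 5 / slide 11) ------------------------------

def find_block_collision(state: int):
    """Birthday search for two distinct blocks that collide from one chaining
    state; expected cost about 2^(n/2) = 2^8 compressions for n = 16."""
    seen = {}
    for i in itertools.count():
        block = i.to_bytes(BLOCK_BYTES, "big")
        h = compress(state, block)
        if h in seen:
            return seen[h], block, h
        seen[h] = block


def joux_multicollision(k: int) -> list:
    """k chained one-block collisions yield 2^k distinct messages with the same
    digest for about k * 2^(n/2) work. Every path reaches the same chaining
    state after k blocks, so the identical padding finishes all of them alike."""
    pairs, state = [], IV
    for _ in range(k):
        b1, b2, state = find_block_collision(state)
        pairs.append((b1, b2))
    return [b"".join(choice) for choice in itertools.product(*pairs)]


# --- Length-extension property (slide 11) -----------------------------------

def extend_without_prefix(known_digest: int, prefix_len: int, suffix: bytes):
    """Given only md_hash(P) and len(P), compute md_hash(P || pad || suffix)
    without knowing P. Returns the bytes that must follow P and the digest."""
    glue = md_padding(prefix_len)
    total_len = prefix_len + len(glue) + len(suffix)
    digest = md_iterate(known_digest, suffix + md_padding(total_len))
    return glue + suffix, digest


if __name__ == "__main__":
    msgs = joux_multicollision(4)
    print(len(msgs), "messages,", len({md_hash(m) for m in msgs}),
          "distinct digest(s),", work_so_far(), "compressions")
    key, message = b"secret-key", b"amount=10"   # constructed sample
    tag = md_hash(key + message)
    tail, new_tag = extend_without_prefix(tag, len(key + message), b"&amount=99")
    print("extension verifies:", md_hash(key + message + tail) == new_tag)
```

Usage note: the multicollision step reports its work counter so the gap between k * 2^(n/2) and the ideal-hash cost is visible for n = 16 (about a thousand compressions versus 2^15); the extension step is the reason a keyed use of a plain iterated hash needs HMAC or a design that does not expose its full chaining state.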

Slide 12: Big Questions about New Algorithms
● Where will they come from?
  – NSA (like SHA family)?
  – Existing/published designs?
  – Other standards?
● Should there be an AES-like contest?
  – Not clear we can do this within our budget/manpower constraints!
  – Is hash function design/analysis a mature enough field to do this?
  – Nailing down requirements up front

Slide 13: The Workshop: Oct 31-Nov 1
This is where we'll discuss all these issues and try to get some consensus!
● Assess SHA1 and SHA256/512 strength
● Discuss short-term workarounds
● Long-term strategy
  – Use SHA256/512?
  – Use existing alternative?
  – Contest/process for designing new hash?
  – Requirements on new hash?
