
Shoring Up Hashing Algorithms

Shoring Up Hashing Algorithms. November 8, 2005. Santosh Chokhani. Background: SHA-1 strength has reduced by over 15 bits. Users are recommended to migrate to SHA 256. Concerns have been voiced about structural deficiencies in MD and SHA series and need for new paradigm for hashing functions.


Presentation Transcript


  1. Shoring Up Hashing Algorithms
     November 8, 2005
     Santosh Chokhani

  2. Background
     • SHA-1 strength has reduced by over 15 bits
     • Users are recommended to migrate to SHA 256
     • Concerns have been voiced about structural deficiencies in MD and SHA series and need for new paradigm for hashing functions

  3. Motivation
     • Motivation for this work is an interim solution until new paradigm for hashing functions is invented

  4. A Solution
     • Idea is to define a cryptographic primitive
     • Encrypt the data prior to hashing
     • Encryption algorithm should be AES with 128-256 bit key depending on the desired shoring up of hashing algorithm
     • AES Encryption/Decryption key is carried in the package
     • Its confidentiality is not critical
     • Key can optionally be part of the signed data
     • IV if CBC is used

  5. Details
     • M = Message to Be Signed
     • K = Random one time Key
     • E = AESCBC (M, K, IV)
     • H = (E | K | IV), where | is concatenation function (actually K and IV could go at defined place in padding for RSA)
     • Signature = Signature-Function (H, Signing Private Key); K, IV

  6. ASN.1 Encoding
     • Steps 3-5 can be viewed as signing operation with some extra steps
     • Existing SIGNED MACRO approach can be used to define an OID other than signature OID and add the key “K” as an additional parameter to the syntax and semantics
     • e.g., sha-1AES128WithRSAEncryption ::= { pkcs-1 n }
     • -- Encoding for AES key & IV
     • AESKey ::= BIT STRING
     • IV ::= BIT STRING (if applicable)

  7. Security Analysis
     • Current attacks on SHA-1
     • Adversary may be able to find a variant of plaintext that has the same hash (i.e., show collision)
     • No known attacks to create a plaintext given a hash
     • Adversary can create E’ such that Hash-Function (E) = Hash-Function (E’)
     • It is trivial for adversary to find M’’ == AESCBC (E, K)
     • But, adversary does not control M’’ and hence adversary cannot create variant of M

  8. Drawbacks
     • Speed
     • Encryption is a bit slower than hashing
     • Standard Compliance
     • New OID for the new cryptographic primitive

  9. Benefits
     • Applies to all types of signed objects
     • Certificate, CRL, OCSP, SCVP, CMS, PKCS-7, etc.
     • Speed issue may not be major concern for long-term archive
     • Shoring up hashing may be worth the performance penalty
     • Long term archive specific OIDs for signature may also be worth it

  10. Alternative Crypto Primitive Attributed to Krawczyk and Halevi
     • M == Message to Be Signed
     • K == Bits of same size as M (could be repeat of smaller random)
     • E == Hash-Function [XOR (M, K)]
     • E’ == (E | K), where | is concatenation function (actually K could go at defined place in padding for RSA)
     • Signature == Signature-Function (E’, Signing Private Key); K
     • Analysis, issues and benefits remain the same

  11. Questions
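
The construction on slide 10, as an added Python example that is not part of the original presentation: it builds E and E’ and shows that a collision found in advance for the plain hash stops colliding once the signer's random K is mixed in. Assumptions: the hash is SHA-256 truncated to 32 bits to stand in for a weakened hash, E’ carries the small random seed rather than the expanded K, the signature function itself is left out, and all function names are hypothetical.

```python
import hashlib
import itertools
import secrets

WEAK_BYTES = 4  # assumption: 32-bit truncation stands in for a weakened hash


def weak_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:WEAK_BYTES]


def expand_key(seed: bytes, length: int) -> bytes:
    """K = bits of the same size as M, built by repeating a smaller random value."""
    reps = -(-length // len(seed))  # ceiling division
    return (seed * reps)[:length]


def randomized_digest(message: bytes, seed: bytes) -> bytes:
    """E = Hash-Function[XOR(M, K)]."""
    key = expand_key(seed, len(message))
    return weak_hash(bytes(m ^ k for m, k in zip(message, key)))


def signing_input(message: bytes, seed: bytes) -> bytes:
    """E' = (E | K): the value handed to the signature function."""
    return randomized_digest(message, seed) + seed


def verify_input(message: bytes, e_prime: bytes) -> bool:
    """Relying party: split K off E', then recompute E from the received message."""
    e, seed = e_prime[:WEAK_BYTES], e_prime[WEAK_BYTES:]
    return secrets.compare_digest(randomized_digest(message, seed), e)


def find_plain_collision():
    """Birthday search for two constructed messages that collide under weak_hash."""
    seen = {}
    for i in itertools.count():
        msg = b"pay %016d units" % i  # constructed sample messages
        digest = weak_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg


if __name__ == "__main__":
    m1, m2 = find_plain_collision()
    seed = secrets.token_bytes(16)  # signer picks K only at signing time
    print("plain hash collides:", weak_hash(m1) == weak_hash(m2))
    print("E' for m1 accepts m2:", verify_input(m2, signing_input(m1, seed)))
```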
