On 04/09/2012 07:00 AM, Jeffrey Walton wrote:
> http://h-online.com/-1498071
> none of the five finalists are affected by known attacks on MD5, SHA-1
> and SHA-2 and the Merkle-Damgård construction on which all three are
> based.
> Well, gee, isn't that enough?
True, one thing we've learned from the SHA-3 competition is that SHA-2
is surprisingly good. It has held up to the collision attacks that have
plagued previous SHAs better than most had hoped. It turns out to be
quite efficient on modern 64-bit CPUs for long messages when compared to
the SHA-3 designs of similar strength. In comparisons of hardware
efficiency (i.e., throughput per gate) SHA-2 appears as good (or better)
than the SHA-2 finalists.
But as SHA-2 is still a pure Merkle–Damgård construction, it deviates
from an ideal pseudorandom function or random oracle in a couple of ways.
Firstly, and most significantly, it is subject to length extension
attacks. This means that given a hash value of some secret message, we
can compute the hash value of that message with our own chosen plaintext
appended without needing to know the original message. This is
surprising to many protocol designers!
HMAC with a secret key is supposed to be a mitigation for this, but it
is not magic pixie dust. The SSL 3.0 and TLS 1.0 - 1.2 protocols get it
wrong:
http://tools.ietf.org/html/rfc5246
    7.4.9. Finished
       verify_data
          PRF(master_secret, finished_label, Hash(handshake_messages))
             [0..verify_data_length-1];
The PRF is based on HMAC, but by performing an MD5/SHA-1 on the messages
before supplying the result to the HMAC message input it re-introduces
the extension attack. I don't think this translates into a vulnerability
in TLS but it's a bit too close for comfort.
Additionally, there are:
Joux multicollisions
"Multicollisions in Iterated Hash Functions. Application to Cascaded
Constructions"
http://math.boisestate.edu/~liljanab/MATH509Spring2012/JouxAttackSHA-1.pdf
Herding or "Nostradamus" attacks
http://eprint.iacr.org/2005/281
Second preimage attacks
"Second Preimages on n-bit Hash Functions for Much Less than 2^n Work"
http://www.schneier.com/paper-preimages.html
These are all closely related and have a basis that the attacker is able
to find that first collision, something that we hope will never happen
with SHA-2. But the manner in which other important security properties
deteriorate rapidly after that first collision is found represents a
deviation from ideal behavior.
My understanding is that the SHA-3 finalists address these issues.
- Marsh
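The length-extension property and the HMAC mitigation Marsh describes above, as an added example that is not part of the original thread: a compact pure-Python SHA-256 whose chaining value can be seeded from an existing digest, used to show that a tag of the form H(secret || msg) can be extended without knowing the secret, while the same step applied to an HMAC tag produces nothing a verifier would accept. The secret, message and suffix values are constructed samples; the function names are my own.

```python
import hashlib, hmac, math, struct

M = 0xFFFFFFFF
def icbrt(n):                                    # exact floor(cbrt(n)): float estimate, then integer correction
    x = int(n ** (1 / 3))
    while x ** 3 > n: x -= 1
    while (x + 1) ** 3 <= n: x += 1
    return x
PRIMES = [p for p in range(2, 312) if all(p % q for q in range(2, p))]  # the first 64 primes
IV = [math.isqrt(p << 64) & M for p in PRIMES[:8]]                      # first 32 fraction bits of sqrt(p)
K = [icbrt(p << 96) & M for p in PRIMES]                                # first 32 fraction bits of cbrt(p)
def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M

def compress(state, block):                      # one Merkle-Damgard step: chaining value + 64-byte block
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & M
        a, b, c, d, e, f, g, h = (t1 + t2) & M, a, b, c, (d + t1) & M, e, f, g
    return [(x + y) & M for x, y in zip(state, (a, b, c, d, e, f, g, h))]
def md_pad(total_len):                           # MD strengthening: 0x80, zeros, then the 64-bit bit length
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)
def sha256(data, state=IV, prior_len=0):         # SHA-256; can resume from a known chaining value
    data += md_pad(prior_len + len(data))
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return b"".join(struct.pack(">I", s) for s in state)
def extend(digest, orig_len, suffix):            # from H(m) and len(m) alone: glue and H(m || glue || suffix)
    glue = md_pad(orig_len)
    return glue, sha256(suffix, list(struct.unpack(">8I", digest)), orig_len + len(glue))

def demo():                                      # constructed sample values; extend() never sees the secret
    secret, msg, suffix = b"constructed-secret", b"amount=10", b"&amount=1000000"
    tag = sha256(secret + msg)                   # naive MAC: H(secret || msg)
    glue, forged_tag = extend(tag, len(secret) + len(msg), suffix)
    forged_msg = msg + glue + suffix
    hmac_tag = hmac.new(secret, msg, "sha256").digest()
    return {
        "impl_matches_hashlib": tag == hashlib.sha256(secret + msg).digest(),
        "naive_mac_extended": forged_tag == hashlib.sha256(secret + forged_msg).digest(),
        "hmac_not_extensible": extend(hmac_tag, len(secret) + len(msg), suffix)[1]
                               != hmac.new(secret, forged_msg, "sha256").digest(),
    }
```

The glue bytes are the original message's own padding, which is why the forged message only verifies under the naive construction; HMAC's keyed outer hash leaves no chaining value for the extension to resume from.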
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography