2016012030+Wang Chaochao+Application of Hash Function and Its Security

First, specific applications of the hash function

1. Application of one-way hash function in cryptography

    A. Digital Signature Technology

      a. Use the one-way hash function to compute the digest of the message that needs to be signed, and then apply the signature algorithm to the digest instead of signing the original message directly.

       b. This effectively improves the efficiency and speed of signing, reduces the amount of data transmitted, and saves network bandwidth.

    B. Message Integrity Authentication

       a. The usual practice is that the owner of the file uses a hash algorithm to compute the hash value of the file, keeps a copy of the hash value, and then stores the file in a public place. When the integrity of the file needs to be verified, the hash value of the stored file is computed with the same hash algorithm and compared with the saved hash value. If they are equal, the file is intact; otherwise it has been changed.

        b. In practice, hash functions are used over the network for integrity verification in the following way.

        This method realizes the integrity authentication on the insecure communication channel and is widely used in the authentication system of electronic commerce.

     C. An Improved User Key Management Scheme

         a. The user's password is encrypted with the DES algorithm and stored on the machine, but the algorithm places requirements on the length of the data it encrypts, that is, the user cannot enter an excessively long key.

         b. A secure user key management scheme using a one-way hash function is proposed, namely K = E(H(P1)).

          The improved method allows users to enter passwords of any length. Because of the one-way nature of the hash function, it also makes up for some of the shortcomings of DES and can counter the threat of exhaustive search attacks.

2. Other applications

    A. Privacy Enhanced Mail (PEM)

          The Internet Privacy Enhanced Mail standard provides the one-way hash functions MD2 and MD5 for authentication in message integrity checking. The one-way hash function used in version 2.6.3 of the mail encryption software PGP is MD5.

    B. File verification

        a. Parity checks and CRC checks cannot resist deliberate tampering with the data.

        b. The "digital fingerprint" property of the MD5 hash algorithm makes it currently the most widely used checksum algorithm for files transferred over a network.

        c. The application scenarios are:

           After a file is transferred, the checksum computed over the received file is compared with that of the source file.

           Stored as a digital fingerprint of binary files, so that unauthorized modification of the files can be detected.

    C. Authentication Protocol

         The POP3 protocol contains an application of this kind:

         The party that requires authentication sends a random string (the "challenge") to the party being authenticated. That party computes a hash over the random string together with its own authentication password and returns the result to the authenticating party. The authenticating party compares the received hash value with the hash it computes itself from the random string and the other party's authentication password; if the two values match, authentication succeeds.
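The challenge-response exchange described above, written out as an added example rather than code from the original page: the server issues a fresh random challenge, the client returns a hash of the challenge and the password, and the server recomputes the same value and compares. The use of SHA-256, the hex challenge format and the constructed credential are assumptions (POP3's APOP command hashes a timestamp banner with MD5).

```python
import hashlib
import hmac
import secrets

# Constructed sample credential; a real server loads this from its user store.
PASSWORD_DB = {"alice": "correct horse battery staple"}


def make_challenge() -> str:
    """Server side: a new random challenge for every connection, so a
    captured response cannot be replayed against a later login."""
    return secrets.token_hex(16)


def client_response(challenge: str, password: str) -> str:
    """Client side: hash the challenge together with the password.
    Only this digest crosses the wire, never the password itself."""
    return hashlib.sha256((challenge + password).encode("utf-8")).hexdigest()


def server_verify(user: str, challenge: str, response: str) -> bool:
    """Server side: recompute the digest from the stored password for this
    user and compare it with the client's answer in constant time."""
    password = PASSWORD_DB.get(user)
    if password is None:
        return False
    expected = client_response(challenge, password)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    challenge = make_challenge()
    answer = client_response(challenge, PASSWORD_DB["alice"])
    print("login ok:", server_verify("alice", challenge, answer))
    # The same answer is useless against the next connection's challenge.
    print("replay ok:", server_verify("alice", make_challenge(), answer))
```

The scheme protects the password on the wire but not in the server's store, since the server must keep a copy it can hash; the per-connection challenge is what defeats replay.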

Second, combining the birthday attack, Professor Wang Xiaoyun's results on MD5 in 2004 and 2005, and Google's SHA-1 collision in 2017, explain the security of hash functions and the current development of secure hash functions.

1. Security of Hash Functions

   A. MD5 and SHA-1 Algorithms

       a. The core of the MD5 and SHA-1 algorithms is the hash function. A cryptographic hash function (hash function for short) is a cryptographic algorithm with wide and important applications in information security; its main uses are data integrity verification and message authentication. Because it works much like a fingerprint, it is sometimes called a "digital fingerprint": if the original message changes even slightly, by only a few bits, the corresponding message digest changes greatly.

       b. On August 17, 2004, the international cryptography conference Crypto'2004 was held in Santa Barbara, California. That evening, Professor Wang Xiaoyun of Shandong University, China, presented a report on breaking the MD5, HAVAL-128, MD4 and RIPEMD algorithms.

       c. SHA-1 was examined very rigorously by the public cryptographic community and no weakness had been found. It was considered safe for a period of time, until 2017-02-23, when Google announced that it had broken SHA-1.


  B. About birthday attacks

     A birthday attack uses the birthday problem from probability theory to find colliding hash values, forge messages, and thereby defeat the authentication algorithm.

     Prevention methods:

     a. Use a secure hash algorithm: a secure hash algorithm produces a hash value with enough bits, which makes it very difficult for an attacker to find two files with the same hash value.

     b. Salting: before signing the file, add a random value to it, then compute the hash value, and send the file, the signature and the random value to the receiver. The attacker must then find a fake file with one specific hash value, which is very difficult.

     c. Altering the file: make minor changes to the message or file before signing it. Again the attacker must find a fake file with one specific hash value, which is very difficult.
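To make the argument concrete, here is an added example (not from the original page) that computes the birthday bound for an n-bit hash and then runs the generic birthday search against SHA-256 truncated to 24 and 32 bits. The truncation is an assumption standing in for a short hash; the search uses no property of SHA-256 at all, which is exactly why only a longer output helps.

```python
import hashlib
import math
import os


def birthday_bound(bits: int, probability: float = 0.5) -> float:
    """Number of random inputs after which two share an n-bit hash value
    with the given probability: k ~ sqrt(2 * N * ln(1/(1-p))), N = 2**bits."""
    n = 2 ** bits
    return math.sqrt(2 * n * math.log(1.0 / (1.0 - probability)))


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its top `bits` bits, playing the role of a short
    hash so that a collision can be found in seconds on a laptop."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Generic birthday search: hash random messages and remember every
    value seen until one repeats. Returns the two colliding messages and
    the number of hashes computed. Nothing here depends on SHA-256."""
    seen = {}
    tries = 0
    while True:
        msg = os.urandom(8)
        tries += 1
        h = truncated_hash(msg, bits)
        if h in seen and seen[h] != msg:
            return seen[h], msg, tries
        seen[h] = msg


if __name__ == "__main__":
    for bits in (24, 32):
        m1, m2, tries = find_collision(bits)
        print(f"{bits}-bit hash: collision after {tries} hashes "
              f"(birthday bound about {birthday_bound(bits):.0f})")
    # Full-length digests push the same bound far out of reach.
    for name, bits in (("MD5", 128), ("SHA-1", 160), ("SHA-256", 256)):
        print(f"{name}: about 2^{math.log2(birthday_bound(bits)):.1f} hashes")
```

Each run finds a different pair, but the number of hashes stays near the square root of the hash space, which is the whole lesson of the birthday bound.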

  C. Security of Hash Functions

       a. Understanding the birthday attack shows why the security of hash functions must be improved. The birthday attack does not exploit any property of a particular hash function; it is a generic attack that applies to any hash. The countermeasure is equally simple in principle, increasing the length of the hash, but it is hard to carry out in practice.

       b. After collisions were successively announced for MD5 and SHA-1, which were once considered secure, it is foreseeable that finding collisions for the subsequent algorithms is only a matter of time as computer performance improves.

       For example: the 12306 website of China's Ministry of Railways uses the SHA-1 algorithm. It was checked against Google's verification website for the SHA-1 collision, with the following result.

The result shows that it is not yet affected by the collision attack found by Google. SHA-1 was released in 1993, 24 years ago. Computer technology has changed rapidly over the past 20 years, and it is remarkable that the algorithm held up for more than 20 years. Cryptographic algorithms must balance computational efficiency against the difficulty of breaking them; generally a new generation appears about every ten years. The successor SHA-2 was released in 2001 and SHA-3 in 2015. The actual impact should be limited. Many Chinese websites have not even deployed HTTPS, and most still store passwords in plain text; even some websites that respect their customers only use MD5, for which a collision method was disclosed long ago. Google, Facebook, Microsoft, Apple and others have already moved to SHA-256, SHA-512 and the other algorithms of the SHA-2 series, which are safe for the time being and have been available for nearly fifteen years. It is to be expected that mainstream international websites will soon be able to move to SHA-3.

2. Development of Secure Hash Functions

   A. MD4

     Designed by Ronald L. Rivest in 1990, a message of any length is transformed into a 128-bit hash value through three rounds of operations.

   B. MD5

     An improved version of MD4 by Rivest in 1991. Four rounds of transformation are used, and each round adds the results of the previous round.

   C. HAVAL

     An improved version of MD5. The number of rounds can be 3, 4 or 5 and the output length is 128, 160, 192 or 224 bits respectively.

   D. SHA-1

     Developed by NIST, published in 1993. Input data with a maximum length of 2^64 bits, and output a 160-bit message digest.

   E. SHA-256

     The output is expanded from 160 bits to 256 bits, and the number of iterations is increased from 80 to 128.

   F. SHA-384

     The output is enlarged to 384 bits, and the number of iterations is increased to 192.

   G. SHA-512

     The output is enlarged to 512 bits, and the number of iterations is increased to 256.

 

Third, combining the chosen-prefix collision in the MD5 algorithm, the MD5 message digests of the two executable files helloworld.exe and goodbyworld.exe in the second link, and the execution results of the two files, discuss the problems that may arise when the MD5 algorithm is used to verify software integrity.

The MD5 algorithm is a digest algorithm: from a string made up of many bytes it computes a "feature string" of 32 bytes. For strings longer than 32 bytes, the set of possible MD5 values is smaller than the set of possible inputs, so there must be two (or more) different strings that yield the same MD5 value. This situation is called an MD5 collision.

Several cryptographers attacked MD5 using "chosen-prefix collisions" (an improved version of the attack method used by Wang Xiaoyun). The computer they used was a Sony PS3, and the attack took only a day or two. If one merely wants to generate files with the same MD5 but different content, it can be done in seconds on any mainstream computer.

  Their conclusion: the MD5 algorithm should no longer be used for any software integrity checking or code signing purposes.

Possible problems when verifying software integrity:

   A. Incomplete files

        a. Infection with virus

        b. Implant Trojan horse/backdoor/human tampering

        c. Transmission failure

   B. Possible problems

       a. If, while the integrity of the software is being verified, a third party intercepts the software code, uses a fast MD5 collision generator to forge the same MD5 in a short time, and maliciously tampers with the software, security is greatly reduced.

       b. When the software is very large, the time required for the verification process also increases greatly, and the probability that a third party's attack succeeds increases as well.

       c. The vulnerability analysis at the website link also gives some analysis of the problem:

On the other hand, there is the viewpoint of the relying party, i.e. the user downloading hashed or signed code who needs some guarantee that this software can be trusted. This relying party can not be sure anymore that the published hash value or the digital signature is valid for only the executable file he downloaded. There might very well be a sibling file with the same hash value or digital signature, while only one of these siblings went through the proper hashing or signing procedure. Especially when the software integrity verification takes place under the hood, with the user not knowing that the operating system or some hidden application is silently verifying digital signatures on software to be installed, the user may be more easily lured into installing malware.

Note that it is not necessary for an attacker to build both executables from source code. It is perfectly well possible to take as the first file any executable from any source, and as the second file produce a second executable as malware. Then a byte block to be appended to both files can be found such that the resulting files have the same MD5 hash value. If an attacker can then get the first file to be signed, e.g. by the original software vendor, this signature will also be valid for the attacker-constructed malware.

      d. Even if the user can be sure that the website the file is downloaded from is trustworthy, the website cannot guarantee that the file the user downloads locally is the correct one. This is especially so when software integrity verification happens under the hood: when the user does not know that the operating system or some hidden application is silently verifying the digital signature of the software being installed, the user may be more easily tricked into installing malicious software.

      e. The attacker also does not need to build both files from source code. It is entirely possible to take any executable from any source as the first file and to produce a second executable, the malware, as the second file. A block of bytes to append to both files can then be found such that the resulting files have the same MD5 hash. The attacker then only needs to get the first file signed.
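One way a downloader can act on the conclusion above, as an added example that is not code from the original page or from the linked analysis: a verifier that checks every digest in a publisher's manifest but refuses to accept a file on the strength of MD5 or SHA-1 alone, because a chosen-prefix sibling file may carry the same weak digest. The two sample "builds" and the manifest format are constructed; no real MD5 collision is reproduced here.

```python
import hashlib
import hmac

# Constructed sample downloads, standing in for the helloworld.exe /
# goodbyworld.exe pair discussed in the text.
HELLO_BUILD = b"helloworld.exe (constructed sample bytes)"
GOODBYE_BUILD = b"goodbyworld.exe (constructed sample bytes)"

# Algorithms with published practical collisions: checked, but never sufficient.
COLLISION_BROKEN = {"md5", "sha1"}


def hexdigest(data: bytes, algorithm: str) -> str:
    return hashlib.new(algorithm, data).hexdigest()


def publish_manifest(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Publisher side: the digests shipped next to the download."""
    return {a: hexdigest(data, a) for a in algorithms}


def verify_download(data: bytes, manifest: dict):
    """Check `data` against a manifest {algorithm: hex digest}.

    Returns (accepted, reason). Every listed digest must match, and at
    least one of them must come from a collision-resistant algorithm,
    otherwise a sibling file with the same MD5/SHA-1 could pass as well.
    """
    strong_match = False
    for algorithm, published in manifest.items():
        name = algorithm.lower()
        actual = hexdigest(data, name)
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(actual, published.lower()):
            return False, f"{name} mismatch"
        if name not in COLLISION_BROKEN:
            strong_match = True
    if not strong_match:
        return False, "manifest lists only collision-broken digests"
    return True, "ok"


if __name__ == "__main__":
    manifest = publish_manifest(HELLO_BUILD)
    print(verify_download(HELLO_BUILD, manifest))
    print(verify_download(GOODBYE_BUILD, manifest))
    print(verify_download(HELLO_BUILD, {"md5": manifest["md5"]}))
```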

 

 

 

 

 
