SHA-2
SHA-2 , the name comes from the abbreviation of Secure Hash Algorithm 2 (English: ), a cryptographic hash function algorithm standard, developed by the US National Security Agency [3] , and established by the US National Institute of Standards and Technology (NIST) in Released in 2001. It belongs to one of the SHA algorithms and is the successor of SHA-1 . It can be further divided into six different algorithm standards, including: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
| Secure Hash Algorithm |
| concept |
| Hash function · SHA · DSA |
| mainstream standard |
| SHA-0 SHA -1 SHA -2 SHA -3 |
| SHA-2 |
|
| overview |
|
| designer |
National Security Agency |
| Initial Release |
2001 _ |
| series |
( SHA-0 ), SHA-1 , SHA-2 , SHA-3 |
| certified |
FIPS PUB 180-4, CRYPTREC, NESSIE |
| detail |
|
| summary length |
224, 256, 384, or 512 bits |
| structure |
Merkel-Damgard structure with Davies–Meyer compressive function |
| Repeat times |
64 or 80 |
| Best Public Crack |
|
| A 2011 attack breaks preimage resistance for 57 out of 80 rounds of SHA-512, and 52 out of 64 rounds for SHA-256.[1] Pseudo-collision attack against up to 46 rounds of SHA-256.[2] |
|
to develop
The t-th encrypted round of SHA-2 . The dark blue squares in the figure are pre-defined nonlinear functions. ABCDEFGH are eight initial values at the beginning, Kt is the t-th key, Wt is the t-th word generated in this block. The original message is cut into fixed-length blocks, and for each block, n words (n depends on the algorithm) are generated, and the eight working segments of ABCDEFGH are cyclically encrypted by repeating the loop n times. The combination of the eight-segment strings generated in the last loop is the hash string corresponding to this block. If the original message contains several blocks, the hash strings generated by these blocks must be mixed to generate the final hash string.
NIST released three additional SHA variants, all three functions map messages to longer message digests. Named after their digest length (in bits ) appended to the original name: SHA-256, SHA-384, and SHA-512. They were published as a draft of FIPS PUB 180-2 in 2001 and then passed review and comment. FIPS PUB 180-2, which includes SHA-1, was published as an official standard in 2002. In February 2004, a change notice of FIPS PUB 180-2 was issued, adding an additional variant SHA-224, which was defined to meet the key length required by dual-key 3DES [4] .
SHA-256 and SHA-512 are very new hash functions. The former defines a word as 32 bits, and the latter defines a word as 64 bits. They use different offsets, or use different constants. However, in fact, the two structures are the same, only differing in the number of times the loop is executed. SHA-224 and SHA-384 are truncated versions of the aforementioned two hash functions, which use different initial values for calculation.
These new hash functions have not been tested in detail by the public cryptographic community like SHA-1, so their cryptographic security is not widely trusted. Gilbert and Handschuh did some work on these new variants in 2003, claiming that they found no weaknesses.
algorithm
The following is the dummy code for the SHA-256 algorithm . Note that the bits in the 64 word w[16..63] are much more mixed than the SHA-1 algorithm.
Note: All variables are 32-bit unsigned integers, and they are treated as 232 when they overflow
initialization
(The following are the first 32 bits of the fractional part of the square root of the first 8 prime numbers 2..19):
h0:= 0x6a09e667
h1 := 0xbb67ae85
h2:= 0x3c6ef372
h3:= 0xa54ff53a
h4 := 0x510e527f
h5 := 0x9b05688c
h6:= 0x1f83d9ab
h7 := 0x5be0cd19
Constant used to initialize each round
(the first 32 bits of the fractional part of the cube root of the first 64 prime numbers 2..311):
k[0..63] :=
0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
Preprocessing:
The message is followed by a bit '1'
Then connect k '0', where k is the smallest non-negative integer, so that the resulting message length (number of bits) is congruent to 448 (mod 512)
Write the length (number of bits) of the message before preprocessing as a 64-bit big-endian integer, followed by the last
Divide the message into several consecutive segments for processing, each segment is 512 bits:
Divide the message into 512-bit segments
for each paragraph
Divide this segment into sixteen 32-bit word groups , and treat it as a big-endian integer w[0..15]
From the sixteen words, count forty-eight more words of the same length, for a total of sixty-four 32-byte words:
for i from 16 to 63
s0 := (w[i-15] rightrotate 7) xor (w[i-15] rightrotate 18) xor(w[i-15] rightshift 3)
s1 := (w[i-2] rightrotate 17) xor (w[i-2] rightrotate 19) xor(w[i-2] rightshift 10)
w[i] := w[i-16] + s0 + w[i-7] + s1
Initialize the hash value for this segment:
a := h0
b := h1
c := h2
d := h3
e := h4
f := h5
g := h6
h := h7
Main loop:
for i from 0 to 63
s0 := (a rightrotate 2) xor (a rightrotate 13) xor(a rightrotate 22)
maj := (a and b) xor (a and c) xor(b and c)
t2 := s0 + may
s1 := (e rightrotate 6) xor (e rightrotate 11) xor(e rightrotate 25)
ch := (e and f) xor ((not e) and g)
t1 := h + s1 + ch + k[i] + w[i]
h := g
g := f
f := e
e := d + t1
d := c
c := b
b := a
a := t1 + t2
Add the hash value of this segment to the sum:
h0 := h0 + a
h1 := h1 + b
h2 := h2 + c
h3 := h3 + d
h4 := h4 + e
h5 := h5 + f
h6 := h6 + g
h7 := h7 + h
Output the most total hash value (big endian):
digest = hash = h0 append h1 append h2 append h3 append h4 append h5 append h6 append h7
Wherein, the ch function and the maj function can be rewritten using the optimization method of the aforementioned SHA-1.
SHA-224 and SHA-256 are basically the same except:
- The initial values of h0 to h7 are different, and
- Cut off the function value of h7 when outputting SHA-224.
SHA-512 and SHA-256 have the same structure, but:
- All numbers in SHA-512 are 64 bits,
- SHA-512 performs 80 encryption rounds instead of 64,
- SHA-512 initial values and constants stretched to 64 bits, and
- The bit offset and cyclic shift of the two are different.
SHA-384 and SHA-512 are basically the same except:
- The initial values of h0 to h7 are different, and
- The function values of h6 and h7 are truncated during SHA-384 output.
accomplish
There is certutil.exe in the System32 directory of the Windows operating system, which can be called directly, for example:
certutil -hashfile yourfilename.ext SHA256