1
Some Current Thinking on Hash Functions Within NIST
John Kelsey, NIST, June 2005
2
Overview
● How We Got Here
● Impact of Recent Attacks
● Short-Term Reactions
● Long-Term: New Algorithms?
● The Workshop (Oct 31-Nov 1, 2005)
3
How We Got Here: Recent Attacks
● Crypto 2004
– Wang rump session talk (aka mass die-off of hash functions)
– Joux, Biham/Chen analyses of SHA0/1
– Joux multicollision result
● In 2005 (so far):
– Wang announced break of SHA1
– Many clever applications of MD5 collisions
– 2nd preimage attacks
– Full details of MD4/MD5/RIPEMD attacks published
4
Impact of Attacks
● MD5 Attack:
– Attack is practical, and MD5 still widely used
– Huge need to quickly migrate to something stronger!
– But NIST never had recommended MD5....
● SHA1 Attack:
– Attack not (yet) very practical (about 2^69 work)
– Need to migrate to something stronger, but not urgent.
– SHA1's life was almost over anyway....
– ...but NIST got burned!
5
Impact of Attacks (2)
● Damgård-Merkle Construction attacks
– Joux multicollisions
– 2nd preimages
– More to come....
● Impact:
– When can we trust an n-bit iterated hash against an attacker who can do 2^(n/2) work?
– HMAC unaffected
– How much do we really know about our hash constructions?
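The Joux multicollision result named above, as an added worked example (this is not code from Kelsey's slides or from NIST): a toy Damgård-Merkle hash with a 24-bit chaining value, built here only so that the attack runs in under a second. The compression function, IV, block size and all function names are this example's own assumptions, not any real hash. It shows why an attacker with 2^(n/2) work gets far more than one collision out of an iterated hash: each single-block collision costs about 2^(n/2) by the birthday bound, and chaining k of them gives 2^k distinct equal-length messages with the same digest for only k times that cost.

```python
import hashlib
import itertools

# Toy Damgård-Merkle hash, constructed for this example. A 24-bit chaining value
# means one single-block collision costs ~2^12 compression calls, so the whole
# demo is fast. Nothing here is a real hash function.
CV_BYTES = 3            # chaining value size: 24 bits (n = 24)
BLOCK = 4               # message block size in bytes
IV = 0x5A5A5A           # arbitrary fixed starting value

def compress(h, block):
    """Toy compression function f(h, m): SHA-256 of (h || m), truncated to 24 bits."""
    digest = hashlib.sha256(h.to_bytes(CV_BYTES, "big") + block).digest()
    return int.from_bytes(digest[:CV_BYTES], "big")

def toy_hash(msg):
    """Plain Damgård-Merkle iteration over BLOCK-byte blocks.
    Length padding is omitted because every message we compare has the same
    length; with MD strengthening the attack works exactly the same way."""
    assert len(msg) % BLOCK == 0
    h = IV
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK])
    return h

def find_block_collision(h):
    """Birthday search from chaining value h: two distinct blocks b0 != b1 with
    f(h, b0) == f(h, b1). Expected cost ~ 2^(n/2) = 2^12 calls to compress()."""
    seen = {}
    for i in itertools.count():
        b = i.to_bytes(BLOCK, "big")    # each i is a distinct block
        v = compress(h, b)
        if v in seen:
            return seen[v], b, v
        seen[v] = b

def joux_multicollision(k):
    """Joux's construction: k sequential single-block collisions, each found from
    the chaining value the previous one produced, give 2^k distinct messages with
    one hash for about k * 2^(n/2) work, instead of the roughly 2^n a generic
    2^k-way collision would cost. Returns (list of (b0, b1) pairs, common hash)."""
    h = IV
    pairs = []
    for _ in range(k):
        b0, b1, h = find_block_collision(h)
        pairs.append((b0, b1))
    return pairs, h

def expand(pairs):
    """Every choice of one block per position is a colliding message: 2^k of them."""
    return [b"".join(choice) for choice in itertools.product(*pairs)]

if __name__ == "__main__":
    pairs, h = joux_multicollision(4)
    msgs = expand(pairs)
    print(f"{len(msgs)} distinct {len(msgs[0])}-byte messages, all hashing to {h:06x}")
    assert len(set(msgs)) == len(msgs) and all(toy_hash(m) == h for m in msgs)
```

With k = 4 the search does four birthday attacks of a few thousand compressions each and ends with 16 colliding 16-byte messages; raising k adds one more cheap collision per extra factor of two in the multicollision, which is the point of the result.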
6
Impact of Attacks: Summary
● Urgent need to migrate from MD5
● Less urgent need to migrate from SHA1
● SHA1 result may undermine confidence in SHA256
– Same organization designed it (NSA)
– Same organization standardized on it (NIST)
– Similar enough design to raise concerns
● ...but is the public crypto community doing any better?
– How well do we understand hash functions?
7
How to React to Attacks?
● Short-Term:
– Migration to SHA256 and truncated SHA256
– A few special-purpose workarounds
– Evaluate SHA256/512 for security
● Long-Term:
– Existing alternatives to SHA family?
– Developing new algorithms?
8
Short-Term Reaction: Migration and Workarounds
● Migration to SHA256
– Urgent need for cryptanalysis before mass migration
– Truncated SHA256 (SHA-x): drop-in replacement for SHA1 and maybe MD5
● Change certificate signing and other protocols to minimize impact of collisions on applications.
● Problems:
– SHA256 confidence?
– Hard to migrate twice.
– MD5 and SHA1 apps in very different situations.
9
Long-Term Reaction: New Algorithms?
● SHA256/512 already in protocols and products
– Won't be withdrawn unless a real attack appears
– Do we need another algorithm?
● Few existing choices with required parameters
– {256, 384, 512} bit output for {128, 192, 256} bit collision resistance
● A few possibilities:
– Whirlpool (256/384/512)
– GOST hash (256)
– Existing generic block cipher constructions w/ AES
10
New Algorithms: Requirements We Know About
● Drop-in replacement for SHA family
● Output size = {224, 256, 384, 512}
– (Truncation OK)
– n-bit output must give n/2-bit collision resistance (needed for DSA, ECDSA)
● Usable in other common hash places
– Pseudorandom bit generation
– Key derivation
● Public, unpatented, full disclosure of analysis and design process
11
New Algorithms: Requirements/Ideas to Discuss
● Possible security requirements
– Block multicollisions and 2nd preimage attacks?
– Fixing the length-extension property?
● What should be the performance requirements?
– Parallelizability?
– 8/32/64 bit architectures?
– Side channels? (S-boxes, multiplies, etc.)
● Should we have multiple standards?
– Block cipher construction from AES?
– Special purpose provable hash functions?
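The length-extension property listed above as a candidate requirement to fix, and the "HMAC unaffected" remark from the Impact slide, as an added worked example (not code from the slides or from NIST). It uses a small pure-Python SHA-256 because the attack needs to resume the hash from a chosen chaining value, which hashlib does not expose. The secret, message and extension are constructed demo data; the helper names (md_padding, sha256_from_state, length_extend) are this example's own. Given only SHA-256(secret || msg) and the length of secret || msg, the attacker computes a valid SHA-256(secret || msg || glue || ext) without the secret, because the final chaining value is the digest. The same trick applied to an HMAC tag produces nothing useful, since HMAC's outer hash runs over the inner digest rather than over the message.

```python
import hashlib
import hmac
import struct

# Minimal pure-Python SHA-256 (FIPS 180-4) that can start from an arbitrary
# chaining value; that ability is exactly what the attack needs.
_K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
       0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
_M32 = 0xFFFFFFFF

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & _M32

def _compress(state, block):
    """One SHA-256 compression: 8-word chaining value and 64-byte block -> new chaining value."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & _M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & _M32
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & _M32
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & _M32, c, b, a, (t1 + t2) & _M32
    return [(x + y) & _M32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def md_padding(total_len):
    """Damgård-Merkle strengthening as SHA-256 applies it to a total_len-byte message:
    0x80, zero fill to 56 mod 64, then the bit length as a 64-bit big-endian integer."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256_from_state(state, data, total_len):
    """Continue SHA-256 from `state` over `data`, then finish with the padding for a
    message that is `total_len` bytes long overall. With state=_IV and
    total_len=len(data) this is ordinary SHA-256."""
    buf = data + md_padding(total_len)
    for i in range(0, len(buf), 64):
        state = _compress(state, buf[i:i + 64])
    return struct.pack(">8L", *state)

def sha256(data):
    return sha256_from_state(_IV, data, len(data))

def length_extend(tag_hex, known_len, ext):
    """Length-extension attack. Given tag = SHA-256(secret || msg) and only
    len(secret || msg), produce SHA-256(secret || msg || glue || ext) with no
    knowledge of secret: the tag is the chaining value after the padded original,
    so the iteration is simply resumed from it. Returns (glue, forged_hex)."""
    state = list(struct.unpack(">8L", bytes.fromhex(tag_hex)))
    glue = md_padding(known_len)                      # the padding the victim applied
    forged = sha256_from_state(state, ext, known_len + len(glue) + len(ext))
    return glue, forged.hex()

# Constructed demo data (not from the talk). The attacker knows MSG and the
# length of SECRET, but not SECRET itself.
SECRET = b"s3cr3t-key"
MSG = b"amount=100&to=alice"
EXT = b"&to=mallory"

def demo():
    """Returns (naive_forgery_works, hmac_forgery_works)."""
    naive_tag = hashlib.sha256(SECRET + MSG).hexdigest()   # "MAC" = H(k || m): extensible
    glue, forged = length_extend(naive_tag, len(SECRET) + len(MSG), EXT)
    naive_ok = forged == hashlib.sha256(SECRET + MSG + glue + EXT).hexdigest()
    # HMAC = H((k ^ opad) || H((k ^ ipad) || m)): the outer hash covers the inner
    # digest, so the tag is not a chaining value of the message and cannot be resumed.
    hmac_tag = hmac.new(SECRET, MSG, hashlib.sha256).hexdigest()
    _, hmac_forged = length_extend(hmac_tag, len(SECRET) + len(MSG), EXT)
    hmac_ok = hmac_forged == hmac.new(SECRET, MSG + glue + EXT, hashlib.sha256).hexdigest()
    return naive_ok, hmac_ok

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The glue bytes are part of the forged message, which is why this bites protocols that parse loosely (a key=value string with a second `to=` after some binary padding) and why the slide treats it as a property of the construction rather than of any one application; the attacker never needs the secret, only its length, and can even try a few lengths if that is unknown.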
12
Big Questions about New Algorithms
● Where will they come from?
– NSA (like SHA family)?
– Existing/published designs?
– Other standards?
● Should there be an AES-like contest?
– Not clear we can do this within our budget/manpower constraints!
– Is hash function design/analysis a mature enough field to do this?
– Nailing down requirements up front
13
The Workshop: Oct 31-Nov 1
This is where we'll discuss all these issues and try to get some consensus!
● Assess SHA1 and SHA256/512 strength
● Discuss short-term workarounds
● Long-term strategy
– Use SHA256/512?
– Use existing alternative?
– Contest/process for designing new hash?
– Requirements on new hash?