Cryptographic Hash Functions

Total pages: 16. File type: pdf, size: 1020 kB.

Cryptographic Hash Functions

Thomsen, Søren Steffen; Knudsen, Lars Ramkilde
Publication date: 2009
Document version: early version, also known as pre-print
Downloaded from orbit.dtu.dk on Dec 17, 2017 (metadata, citation and similar papers at core.ac.uk; provided by Online Research Database In Technology). Link back to DTU Orbit.

Citation (APA): Thomsen, S. S., & Knudsen, L. R. (2009). Cryptographic Hash Functions.

General rights: Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research.
• You may not further distribute the material or use it for any profit-making activity or commercial gain.
• You may freely distribute the URL identifying the publication in the public portal.
If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim.
CRYPTOGRAPHIC HASH FUNCTIONS
Thesis
Søren S. Thomsen
Kgs. Lyngby, 28 Nov 2008

Søren Steffen Thomsen, Technical University of Denmark, Department of Mathematics, Matematiktorvet 303S, Building 303S, DK-2800 Kgs. Lyngby, Denmark. Phone: +45 4525 3031. Fax: +45 4588 1399. [email protected]

Summary

Cryptographic hash functions are commonly used in many different areas of cryptography: in digital signatures and in public-key cryptography, for password protection and message authentication, in key derivation functions, in pseudo-random number generators, etc. Recently, cryptographic hash functions have received a huge amount of attention due to new attacks on widely used hash functions. This PhD thesis, having the title “Cryptographic Hash Functions”, contains both a general description of cryptographic hash functions, including their applications and expected properties as well as some well-known designs, and also some design and cryptanalysis in which the author took part. The latter includes a construction method for hash functions and four designs, of which one was submitted to the SHA-3 hash function competition, initiated by the U.S. standardisation body NIST. It also includes cryptanalysis of the construction method MDC-2, and of the hash function MD2.

Resumé

Cryptographic hash functions are used in many different areas within cryptography: in digital signature systems and in public-key cryptography, for password protection and authentication of messages, for generating cryptographic keys and random numbers, etc. Cryptographic hash functions have attracted great attention in recent years, since several of the most commonly used hash functions have been broken. This PhD thesis, with the Danish title “Kryptografiske hash-funktioner”, contains both a general description of cryptographic hash functions, including applications, expected properties and some well-known designs, and also design and analysis in which the undersigned has taken part.
The research carried out by the undersigned includes a construction method for hash functions and four designs, one of which was submitted to the SHA-3 competition organised by the American standardisation body NIST. It also includes cryptanalysis of the construction method MDC-2, and of the hash function MD2.

Preface

This thesis was prepared at the Department of Mathematics, Technical University of Denmark, in partial fulfillment of the requirements for acquiring the PhD degree. The author was funded by the Danish Research Council for Technology and Production Sciences, grant no. 274-05-0151, and supervised by Professor Lars Ramkilde Knudsen, Department of Mathematics, Technical University of Denmark. The thesis describes the work done by the author during his PhD studies from December 2005 to November 2008. This work includes design and cryptanalysis of cryptographic hash functions. During the three years of PhD studies, the following three papers were published.

L. R. Knudsen and S. S. Thomsen. Proposals for Iterated Hash Functions. In M. Malek, E. Fernández-Medina, and J. Hernando, editors, SECRYPT 2006, Proceedings, pages 246–253. INSTICC Press, 2006.

L. R. Knudsen, C. Rechberger, and S. S. Thomsen. The Grindahl Hash Functions. In A. Biryukov, editor, Fast Software Encryption 2007, Proceedings, volume 4593 of Lecture Notes in Computer Science, pages 39–57. Springer, 2007.

I. B. Damgård, L. R. Knudsen, and S. S. Thomsen. Dakota – Hashing from a Combination of Modular Arithmetic and Symmetric Cryptography. In S. M. Bellovin, R. Gennaro, A. D. Keromytis, and M. Yung, editors, Applied Cryptography and Network Security (ACNS) 2008, Proceedings, volume 5037 of Lecture Notes in Computer Science, pages 144–155. Springer, 2008.

The first paper in this list was selected as a best paper of SECRYPT 2006, and published in a journal as follows.

L. R. Knudsen and S. S. Thomsen. Proposals for Iterated Hash Functions. In J. Filipe and M. S. Obaidat, editors, E-Business and Telecommunication Networks. Third International Conference, ICETE 2006. Selected Papers., volume 9 of Communications in Computer and Information Science, pages 107–118. Springer, 2008.

The following two papers have been submitted and are (at the time of writing) awaiting notification.

L. R. Knudsen, J. E. Mathiassen, F. Muller, and S. S. Thomsen. Cryptanalysis of MD2. Submitted to a journal, August 2007.

L. R. Knudsen, F. Mendel, C. Rechberger, and S. S. Thomsen. Cryptanalysis of MDC-2. Submitted to an international conference, September 2008.

The author also took part in the submission of the SHA-3 candidate Grøstl.

P. Gauravaram, L. R. Knudsen, K. Matusiewicz, F. Mendel, C. Rechberger, M. Schläffer, and S. S. Thomsen. Grøstl – a SHA-3 candidate. SHA-3 Algorithm Submission, October 31, 2008. Available: http://www.groestl.info/Groestl.pdf (2008/11/03).

Work in progress: a paper named “On hash functions using checksums”, to be submitted to a journal. Joint work with Praveen Gauravaram, John Kelsey, and Lars R. Knudsen. Published as a technical report [70].

Acknowledgements

I am very grateful to my supervisor, Lars Ramkilde Knudsen, for introducing me to cryptography, for raising funds for my PhD position, for suggesting research topics, for listening to a few good and many bad ideas, for innumerable discussions, including those of a more casual nature, for supervising my mid-way and master’s projects, for giving me a more realistic view of my own abilities, for introducing me to the football club of the department, for improving my writing and presentation skills, ... I could go on and on. Thank you!
I would also like to express my thanks to the rest of the crypto group at DTU Mathematics, for broadening my knowledge in cryptography, for many interesting discussions, and for helping to create a nice atmosphere: Tanja Lange, Peter Birkner, and Dan Bernstein (who are no longer with the department), Charlotte Vikkelsøe Miolane, Erik Zenner, Praveen Gauravaram, Krystian Matusiewicz, Julia Borghoff, Gregor Leander, Nasour Bagheri, and Valérie Gauthier Umana. Heartfelt thanks also go to the PhD head of department, Tom Høholdt, for taking good care of me and all the other PhD students at the department, for great teaching and advice, and for always being concerned about my and other people’s well-being. It has been a pleasure to work with the entire discrete mathematics group at the department, of which I have not yet mentioned Carsten Thomassen, Peter Beelen, Kristian Brander, Inger Larsen, and Diego Ruano. Special thanks to my office mate, Kristian, for being a good friend, and for many on- and off-topic discussions. I feel grateful to all my PhD colleagues (some ex-) for friendship, lunch time meetings, and for fun and enlightening PhD trips: Allan, Anders Astrup, Anders Rønne, Charlotte, Eduardo, Jakob, Jesper, Johan, Julia, Kealey, Kristian, Lai, Marie,
Recommended publications
  • GPU-Based Password Cracking on the Security of Password Hashing Schemes Regarding Advances in Graphics Processing Units
    Radboud University Nijmegen, Faculty of Science, Kerckhoffs Institute. Master of Science Thesis: GPU-based Password Cracking. On the Security of Password Hashing Schemes regarding Advances in Graphics Processing Units. By Martijn Sprengers, [email protected]. Supervisors: Dr. L. Batina (Radboud University Nijmegen), Ir. S. Hegt (KPMG IT Advisory), Ir. P. Ceelen (KPMG IT Advisory). Thesis number: 646. Final Version.
    Abstract: Since users rely on passwords to authenticate themselves to computer systems, adversaries attempt to recover those passwords. To prevent such a recovery, various password hashing schemes can be used to store passwords securely. However, recent advances in the graphics processing unit (GPU) hardware challenge the way we have to look at secure password storage. GPU's have proven to be suitable for cryptographic operations and provide a significant speedup in performance compared to traditional central processing units (CPU's). This research focuses on the security requirements and properties of prevalent password hashing schemes. Moreover, we present a proof of concept that launches an exhaustive search attack on the MD5-crypt password hashing scheme using modern GPU's. We show that it is possible to achieve a performance of 880 000 hashes per second, using different optimization techniques. Therefore our implementation, executed on a typical GPU, is more than 30 times faster than equally priced CPU hardware. With this performance increase, `complex' passwords with a length of 8 characters are now becoming feasible to crack. In addition, we show that between 50% and 80% of the passwords in a leaked database could be recovered within 2 months of computation time on one Nvidia GeForce 295 GTX.
  • Increasing Cryptography Security Using Hash-Based Message
    ISSN (Print): 2319-8613; ISSN (Online): 0975-4024. Seyyed Mehdi Mousavi et al. / International Journal of Engineering and Technology (IJET). Increasing Cryptography Security using Hash-based Message Authentication Code. Seyyed Mehdi Mousavi*1, Dr. Mohammad Hossein Shakour2. 1 Department of Computer Engineering, Shiraz Branch, Islamic Azad University, Shiraz, Iran. Email: [email protected]. 2 Assistant Professor, Department of Computer Engineering, Shiraz Branch, Islamic Azad University, Shiraz, Iran.
    Abstract: Nowadays, with the fast growth of information and communication technologies (ICTs) and the vulnerabilities threatening human societies, protecting and maintaining information is critical, and much attention should be paid to it. In cryptography using a hash-based message authentication code (HMAC), one can ensure the authenticity of a message. Using a cryptographic key and a hash function, HMAC creates the message authentication code and appends it to the message that is to be sent to the recipient. If the code recomputed by the recipient matches the received message authentication code, the packet is accepted. The study introduces a complementary function called X-HMAC, based on an examination of the HMAC structure. This function uses two cryptographic keys derived from the dedicated cryptographic key of each packet, with the dedicated key of each packet in turn derived from the main X-HMAC cryptographic key. In two phases, it hashes the message bits and the HMAC using bit swapping and rotation to the left. The results show that the X-HMAC function can be a strong barrier against data identification and can protect HMAC against an attacker, so that the attacker cannot easily attack it by identifying the blocks and exploiting HMAC weaknesses.
  • CHAPTER 9: ANALYSIS OF THE SHA AND SHA-1 HASH ALGORITHMS
    In this chapter the SHA and SHA-1 hash functions are analysed. First the SHA and SHA-1 hash functions are described along with the relevant notation used in this chapter. This is followed by describing the algebraic structure of the message expansion algorithm used by SHA. We then proceed to exploit this algebraic structure of the message expansion algorithm by applying the generalised analysis framework presented in Chapter 8. We show that it is possible to construct collisions for each of the individual rounds of the SHA hash function. The source code that implements the attack is attached in Appendix F. The same techniques are then applied to SHA-1.
    SHA is an acronym for Secure Hash Algorithm. SHA and SHA-1 are dedicated hash functions based on the iterative Damgård-Merkle construction [22] [23]. Both of the round functions utilised by these algorithms take a 512 bit input (or a multiple of 512) and produce a 160 bit hash value. SHA was first published as Federal Information Processing Standard 180 (FIPS 180). The secure hash algorithm is based on principles similar to those used in the design of MD4 [10]. SHA-1 is a technical revision of SHA and was published as FIPS 180-1 [13]. It is believed that this revision makes SHA-1 more secure than SHA [13] [50] [59]. SHA and SHA-1 differ from MD4 with regard to the number of rounds used, the size of the hash result and the definition of a single step.
  • An Advance Visual Model for Animating Behavior of Cryptographic Protocols
    An Advance Visual Model for Animating Behavior of Cryptographic Protocols. Mabroka Ali Mayouf Maeref1*, Fatma Alghali2, Khadija Abied2. 1 Sebha University, Faculty of Science, Department of Computer Science, P. O. Box 18758 Sebha, Libya. 2 Sebha University of Libya, Sebha, Libya. * Corresponding author. Tel.: 00218-925132935; email: [email protected]. Manuscript submitted February 13, 2015; accepted July 5, 2015. doi: 10.17706/jcp.10.5.336-346
    Abstract: Visual form description benefits from the ability of visualization to provide precise and clear description of object behavior, especially if the visual form is extracted from the real world. It provides a clear definition of an object and the behavior of that object. Although the current descriptions of cryptographic protocol components and operations use a different visual representation, the cryptographic protocols' behaviors are not actually reflected. This characteristic is required and included within our proposed visual model. The model uses a visual form and a scenario-based approach for describing cryptographic protocol behavior, thus increasing the ability to describe more complicated protocols in a simple and easy way. Key words: Animation, cryptographic protocols, interactive tool, visualization.
    1. Introduction. Cryptographic protocols (CPs) mostly combine both theory and practice [1], [2]. This makes protocols complex to describe and understand. Therefore, separating the mathematical part from the protocol behavior should provide a feeling of how the protocol works, thus increasing the ability to describe and to gain confidence in reflecting more complicated information about CPs, as well as generating interest in other more complex protocol concepts. Several researchers have realized the use of visual models and animation techniques to reflect the explanation of the learning objectives and their benefits [3]-[11].
  • Second Preimage Attacks on Dithered Hash Functions
    Second Preimage Attacks on Dithered Hash Functions. Elena Andreeva1, Charles Bouillaguet2, Pierre-Alain Fouque2, Jonathan J. Hoch3, John Kelsey4, Adi Shamir2,3, and Sebastien Zimmer2. 1 SCD-COSIC, Dept. of Electrical Engineering, Katholieke Universiteit Leuven, [email protected]. 2 École normale supérieure (Département d’Informatique), CNRS, INRIA, {Charles.Bouillaguet,Pierre-Alain.Fouque,Sebastien.Zimmer}@ens.fr. 3 Weizmann Institute of Science, {Adi.Shamir,Yaakov.Hoch}@weizmann.ac.il. 4 National Institute of Standards and Technology, [email protected].
    Abstract. We develop a new generic long-message second preimage attack, based on combining the techniques in the second preimage attacks of Dean [8] and Kelsey and Schneier [16] with the herding attack of Kelsey and Kohno [15]. We show that these generic attacks apply to hash functions using the Merkle-Damgård construction with only slightly more work than the previously known attack, but allow enormously more control of the contents of the second preimage found. Additionally, we show that our new attack applies to several hash function constructions which are not vulnerable to the previously known attack, including the dithered hash proposal of Rivest [25], Shoup’s UOWHF [26] and the ROX hash construction [2]. We analyze the properties of the dithering sequence used in [25], and develop a time-memory tradeoff which allows us to apply our second preimage attack to a wide range of dithering sequences, including sequences which are much stronger than those in Rivest’s proposals. Finally, we show that both the existing second preimage attacks [8, 16] and our new attack can be applied even more efficiently to multiple target messages; in general, given a set of many target messages with a total of $2^R$ message blocks, these second preimage attacks can find a second preimage for one of those target messages with no more work than would be necessary to find a second preimage for a single target message of $2^R$ message blocks.
  • Fast Hashing and Stream Encryption with Panama
    Fast Hashing and Stream Encryption with Panama. Joan Daemen1 and Craig Clapp2. 1 Banksys, Haachtesteenweg 1442, B-1130 Brussel, Belgium, [email protected]. 2 PictureTel Corporation, 100 Minuteman Rd., Andover, MA 01810, USA, [email protected].
    Abstract. We present a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. High performance is achieved through a combination of low work-factor and a high degree of parallelism. Throughputs of 5.1 bits/cycle for the hashing mode and 4.7 bits/cycle for the stream cipher mode are demonstrated on a commercially available VLIW micro-processor.
    1 Introduction. Panama is a cryptographic module that can be used both as a cryptographic hash function and a stream cipher. It is designed to be very efficient in software implementations on 32-bit architectures. Its basic operations are on 32-bit words. The hashing state is updated by a parallel nonlinear transformation; the buffer operates as a linear feedback shift register, similar to that applied in the compression function of SHA [6]. Panama is largely based on the StepRightUp stream/hash module that was described in [4]. Panama has a low per-byte work factor while still claiming very high security. The price paid for this is a relatively high fixed computational overhead for every execution of the hash function. This makes the Panama hash function less suited for the hashing of messages shorter than the equivalent of a typewritten page. For the stream cipher it results in a relatively long initialization procedure. Hence, in applications where speed is critical, too frequent resynchronization should be avoided.
  • Hash Functions
    Hash Functions. A hash function is a function that maps data of arbitrary size to an integer of some fixed size.
    Example: Java's class Object declares function ob.hashCode() for ob an object. It's a hash function written in OO style, as are the next two examples. Java version 7 says that its value is its address in memory turned into an int.
    Example: For in an object of type Integer, in.hashCode() yields the int value that is wrapped in in.
    Example: Suppose we define a class Point with two fields x and y. For an object pt of type Point, we could define pt.hashCode() to yield the value of pt.x + pt.y.
    Hash functions are definitive indicators of inequality but only probabilistic indicators of equality — their values typically have smaller sizes than their inputs, so two different inputs may hash to the same number. If two different inputs should be considered “equal” (e.g. two different objects with the same field values), a hash function must respect that. Therefore, in Java, always override method hashCode() when overriding equals() (and vice-versa).
    Why do we need hash functions? Well, they are critical in (at least) three areas: (1) hashing, (2) computing checksums of files, and (3) areas requiring a high degree of information security, such as saving passwords. Below, we investigate the use of hash functions in these areas and discuss important properties hash functions should have.
    Hash functions in hash tables. In the tutorial on hashing using chaining, we introduced a hash table b to implement a set of some kind.
  • A Full Key Recovery Attack on HMAC-AURORA-512
    A Full Key Recovery Attack on HMAC-AURORA-512. Yu Sasaki, NTT Information Sharing Platform Laboratories, NTT Corporation, 3-9-11 Midori-cho, Musashino-shi, Tokyo, 180-8585 Japan, [email protected].
    Abstract. In this note, we present a full key recovery attack on HMAC-AURORA-512 when 512-bit secret keys are used and the MAC length is 512-bit long. Our attack requires $2^{257}$ queries and the off-line complexity is $2^{259}$ AURORA-512 operations, which is significantly less than the complexity of the exhaustive search for a 512-bit key. The attack can be carried out with a negligible amount of memory. Our attack can also recover the inner-key of HMAC-AURORA-384 with almost the same complexity as in HMAC-AURORA-512. This attack does not recover the outer-key of HMAC-AURORA-384, but universal forgery is possible by combining the inner-key recovery and 2nd-preimage attacks. Our attack exploits some weaknesses in the mode of operation. Keywords: AURORA, DMMD, HMAC, Key recovery attack.
    1 Description. 1.1 Mode of operation for AURORA-512. We briefly describe the specification of AURORA-512. Please refer to Ref. [2] for details. An input message is padded to be a multiple of 512 bits by the standard MD message padding; then the padded message is divided into 512-bit message blocks $(M_0, M_1, \ldots, M_{N-1})$. In AURORA-512, compression functions $F_k : \{0,1\}^{256} \times \{0,1\}^{512} \to \{0,1\}^{256}$ and $G_k : \{0,1\}^{256} \times \{0,1\}^{512} \to \{0,1\}^{256}$, two functions $MF : \{0,1\}^{512} \to \{0,1\}^{512}$ and $MFF : \{0,1\}^{512} \to \{0,1\}^{512}$, and two initial 256-bit chaining values $H_0^U$ and $H_0^D$ are defined.
  • Permutation-Based Encryption, Authentication and Authenticated Encryption
    Permutation-based encryption, authentication and authenticated encryption. Joan Daemen1, joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1. 1 STMicroelectronics, 2 NXP Semiconductors. DIAC 2012, Stockholm, July 6.
    Modern-day cryptography is block-cipher centric. (Standard) hash functions make use of block ciphers: SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, … So HMAC, MGF1, etc. are in practice also block-cipher based. Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, …; self-synchronizing: CFB. MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM, …
    Structure of a block cipher. Structure of a block cipher (inverse operation).
    When is the inverse block cipher needed? Indicated in red: hashing and its modes: HMAC, MGF1, …; block encryption: ECB, CBC, …; stream encryption: synchronous: counter mode, OFB, …; self-synchronizing: CFB; MAC computation: CBC-MAC, C-MAC, …; authenticated encryption: OCB, GCM, CCM, … So a block cipher
  • FIPS 140-2 Non-Proprietary Security Policy Oracle Linux 7 NSS
    FIPS 140-2 Non-Proprietary Security Policy. Oracle Linux 7 NSS Cryptographic Module. FIPS 140-2 Level 1 Validation. Software Version: R7-4.0.0. Date: January 22nd, 2020. Document Version 2.3. © Oracle Corporation. This document may be reproduced whole and intact including the Copyright notice.
    Title: Oracle Linux 7 NSS Cryptographic Module Security Policy. Date: January 22nd, 2020. Author: Oracle Security Evaluations – Global Product Security. Contributing Authors: Oracle Linux Engineering. Oracle Corporation World Headquarters, 500 Oracle Parkway, Redwood Shores, CA 94065, U.S.A. Worldwide Inquiries: Phone: +1.650.506.7000, Fax: +1.650.506.7200, oracle.com.
    Copyright © 2020, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. Oracle specifically disclaims any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may be reproduced or distributed whole and intact including this copyright notice. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
    Table of Contents: Section, Title
  • The First Collision for Full SHA-1
    The first collision for full SHA-1. Marc Stevens1, Elie Bursztein2, Pierre Karpman1, Ange Albertini2, Yarik Markov2. 1 CWI Amsterdam. 2 Google Research. [email protected], https://shattered.io
    Abstract. SHA-1 is a widely used 1995 NIST cryptographic hash function standard that was officially deprecated by NIST in 2011 due to fundamental security weaknesses demonstrated in various analyses and theoretical attacks. Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the GIT versioning system for integrity and backup purposes. A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past eleven years due to the high complexity and computational cost of the attack. In this paper, we demonstrate that SHA-1 collision attacks have finally become practical by providing the first known instance of a collision. Furthermore, the prefix of the colliding messages was carefully chosen so that they allow an attacker to forge two PDF documents with the same SHA-1 hash yet that display arbitrarily-chosen distinct visual contents. We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to $2^{63.1}$ SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years. As a result, while the computational power spent on this collision is larger than other public cryptanalytic computations, it is still more than 100 000 times faster than a brute force search.
  • FPGA Parallel-Pipelined AES-GCM Core for 100G Ethernet Applications
    FPGA Parallel-Pipelined AES-GCM Core for 100G Ethernet Applications. Luca Henzen and Wolfgang Fichtner, Integrated Systems Laboratory, ETH Zurich, Switzerland. E-mail: {henzen, fw}@iis.ee.ethz.ch
    Abstract—The forthcoming IEEE 802.3ba Ethernet standard will provide data transmission at a bandwidth of 100 Gbit/s. Currently, the fastest cryptographic primitive approved by the U.S. National Institute for Standard and Technology, that combines data encryption and authentication, is the Galois/Counter Mode (GCM) of operation. If the feasibility to increase the speed of the GCM up to 100 Gbit/s on ASIC technologies has already been demonstrated, the FPGA implementation of the GCM in secure 100G Ethernet network systems arises some important structural issues. In this paper, we report on an efficient FPGA architecture of the GCM combined with the AES block cipher. With the parallelization of four pipelined AES-GCM cores we were able to reach the speed required by the new Ethernet standard. Furthermore, the time-critical binary field multiplication of the authentication process relies on four pipelined 2-step Karatsuba-
    Exploiting the parallelization of four cores plus the extensive utilization of pipelining, we were able to design three different 100G AES-GCM implementations for Xilinx Virtex-5 FPGAs.
    II. GCM AUTHENTICATED ENCRYPTION. The GCM is a block cipher mode of operation that is able to encrypt or decrypt data, providing at the same time authentication and data integrity. In practice, it combines a block cipher in the counter mode with universal hashing over the binary field GF($2^{128}$). In this work, we used the Advanced Encryption Standard (AES) [4] for encryption and decryption, supporting key sizes of 128, 192 and 256 bits.