资源描述
Data encryptionFirst SynopsisIn the open correspondence and in the computer system, builds the safe reliable electronic commerce platform is very important. Usually needs through the encryption method to the customer related information, like the password, the contract and so on to protect, causes it not to steal or the distortion. When the customer hands in the service application, must to the customer status validity, the text integrity carry on the confirmation.HMAC (Keyed-Hashing for Message Authentication) is a public agreement. It is one kind based on keys text complete proof technique, its security is the establishment in the Hash algorithm foundation. It requests the correspondence both sides shared system key, the agreement algorithm, to carry on the Hash operation to the text, like MD5, SHA, RIPEMD and so on, form the fixed length the authentication code. Correspondence both sides determine the text through the authentication codes verification the validity. This agreement may use for to make the encryption, the digital signature, the text confirmation and so on. HMAC may with any iteration hashing function bundle use. MD5 and SHA-1 are this kind of hashing functions.This kind of structures leading role is:1. Does not need the revision to be possible to use the suitable hashing function. Moreover the hashing function displays in the software aspect is very good. And the sound code is public and general. 2. Maintain the hashing function original performance, but does not cause its degeneration. 3. Cause reasonably based on about first floor hashing function supposition message discrimination mechanism encryption strength analysis. 4. When discovers either needs the operating speed is quicker or the safer hashing function, may very easy realize the first floor hashing function replace.Annotation: When comp book documents, MD5 and SHA-1 are use the most widespread encryption to use the hashing function.Second HMAC algorithm principles2.1 HMAC algorithm definition:Expresses as follows with the formula:HMAC=H(key or opad ,H(key or ipad,text)H(X, Y) expression carries on one kind of Hash operation to X + Y news.Representative Ipad is redundant B time single byte hexadecimal system system constant OX36;Representative Opad is redundant B time single byte hexadecimal system constant OX5C; key represents 64 bytes strings of character, is composed of the key, insufficient makes up 0; Text represents the random length text;Key length L byte. When is bigger than B, passes through the Hash computation to form L byte Peru key (B is first in the Hash algorithm an iterative computation block data byte count; L is the Hash algorithm forms the text abstract the byte count, in MD5 is in 16, SHA-1 is 20).2.2 Algorithm step(1) Increases behind key K 0 founds a word length is the B string of character. (e.g., if the K word length is 20 bytes, B=60 byte, then after K, will join 44 zero byte 0x00), if the K length will be bigger than time B, should undergo hashing function processing.if (key_len 64) MD5_CTX tctx; MD5Init(&tctx); MD5Update(&tctx, key, key_len); MD5Final(tk, &tctx); key = tk; key_len = 16;(2) On one step will produce the B word lengths string of character and ipad make the or else. k_ipadi = 0x36;(3) Fills data stream text to the second step result string of character.(4) Affects with H in the data stream which third step produces. transfer hashing function (MD5, SHA-1)(5) The B word length string of character which and opad first step produces does the or else. k_opadi = 0x5c;(6) Enters again the fourth step result packing in the fifth step result.(7) Affects with H in the data stream which sixth step produces, the output final outcome.2.3 MD5 algorithmThe MD5 algorithm by circulates many times to the random length news the iterative hash operation, forms 16 Byte text abstract finally. This abstract has uniqueness to the text, may take the authentication code. Under target computers computation speed, this abstract is difficulty with explains(1) the text fillsThe MD5 algorithm request carries on the packing to the random length text, the constitution N64 Byte news grouping, N is an integer. And each grouping padding data is divided 2 steps. First, the packing causes the data position length exactly for (N64-8) the Byte number, namely in text valid data replacement 1 0x1, other makes up 0x0 to satisfy the above request. Then, again on replacement 8 bytes (64) before text data length (packing, byte count). Thus, the data by the packing is 64Byte (512bit) integral multiple. Also divides 16 4 byte sub-groupings.(2) initialization MD5 parameter The 4 4 byte shift quantity (A, B, C, D) use for to take the text abstract the starting value: A=0x01234567 B=0x89abcdef C=0xfedcba98 D=0x76543210(3) algorithm The MD5 algorithm is to the news grouping in turn iterative algorithm. 1st time operates the starting value is ABCD, each iterative computations result will replace later ABCD to take the next time starting value, altogether will undergo N time iterative computation, will obtain this news text abstract.2.4 realize the stepThe first step: Increases fillsIncreases padding to cause the data length (bit is unit) the mold 512 is 448. If the data length happen to is the mold 512 is 448, increases 512 to fill bit, i.e. fills the integer is 1-512. First bit is 1, other are 0 completely.The second step: Makes up lengthThe data length transformation is the 64bit value, if the length surpasses the data length scope which 64bit can express, the value retains finally 64bit, increases behind data which fills to front, causes the final data is the 512bit integral multiple. Is also the 32bit 16 time of integral multiples. In RFC1321, 32bit is called word.The third step: Initialization variable With to 4 variables, respectively is A, B, C, D, is 32bit is long. The initialization is: A: 01 23 45 67 B: 89 ab cd ef C: fe dc ba 98 D: 76 54 32 10The fourth step: Data processing First defines 4 auxiliary functions: F(X, Y, Z) G(X, Y, Z) H(X, Y, Z) I(X, Y, Z) In which: X&Y expresses according to the position and, X | Y expressed that according to the position or, not(X) expressed takes according to the position instead. xor expresses according to the position different or. in the function X, Y, Z are 32bit. defines the array which needs to use: The T(i), i value 1-64, T(i) was equal to that abs(sin(i) 4294967296 time of integral part, i is a radian.After the supposition first three step processing data length is 32*16*NbitThe fifth step: Output: Obtains finally ABCD is the output result, altogether 128bit. A is the low position, D is a top digit.Third KeyUse in HMAC the key being possible to be the random length (key which will be longer than B first by the H processing). But when the key length is smaller than the L situation is disappointing, because like this will reduce the function the working strength. The length is bigger than L the key is acceptable, but the extra length cannot remarkable enhance the function the working strength. (if a stochastic key were considered that is unreliable, then chooses a long key is unwise). The key must select (or use stochastically formidable based on stochastic seeds pseudo-random production method), and wants the periodic renewal. (the present attack has not pointed out an effective replacement keys frequency, because these attacks are not in fact feasible. However, the periodic renewal key is one latent defect basic security measure which copes with the function and the key exists, and may reduce divulges the harm which the key brings. )Forth matters needing attentionHMAC is may not revise the sound code according to the first floor hashing function to be possible to use this way to define. Especially it when uses the H function must rely on the pre-definition initialization value IV (a definite value, by each iteration hashing function when initialization its compression function assigns). However, if you want, may revise the H function the sound code to support invariable initialization value Ivs.This idea is this: The compression function the intermediate result which (K XOR opad) and (K XOR ipad) produces in the B word length block data may when the key just produced in advance calculates well. Saves first these intermediate results, then when each time has the news needs to confirm produces the H function the initialization value IV. This method must distinguish the news which has preserved the H compression function regarding two B word length block data (K XOR opad) and (K XOR ipad) the application for each. When distinguishes the short data stream, preserves such information is important. What we must stress: Treats these intermediate results to treat the key to be the same likely, and wants same to carry on the security.The above choice realizes the result which the HMAC method is local carries out, to internal operational has not affectedFifth safeHere will explain that the message discrimination mechanism the security is decided by the hashing function encryption characteristic which uses: 1. Anti-conflict attack capability (is restricted in initialization value is only stochastic, and secret, and function output to aggressor is not available situation) 2. Treats as uses when the single block data the H compression function the message discrimination attribute (in HMAC these block data is part unknown, when aggressor self-restraint interior H functional calculus result, and aggressor cannot full choice)In HMAC uses above the hashing function has or a stronger attribute generally. In fact, if a hashing function does not have above attribute that it not to be suitable regarding the majority encryption application procedure, including based on this function choice message discrimination plan. (see also BCK1 to HMAC function principle detailed elaboration and complete analysis), so long as obtains about the candidate hashing function encryption intensity limited trust, then observes it to use in the message discrimination the security and the following HMAC structure two kind of attributes is very important.1. This kind of structure is the independence in the hashing function which concrete uses, and the latter is may encrypt the hashing function substitution by any other securities2. The message discrimination was opposite in the encryption is one kind “the instant” the influence. Public can cause this plan to one kind of message discrimination plans destruction to replace, but it to has distinguished the information is actually helpless. This forms the sharp contrast with the encryption. If its encryption algorithm is explained. Today encrypts the data, can receive in the future the threat which explains,To the HMAC known most powerful attack is based on the hashing function conflict frequency. (“birthday attack law” PV, BCK2, but is not suitable completely for the smallest rational hashing function.数 据 加 密一 简介 在开放的通信和计算机系统中,建立安全可靠的电子商务平台是十分重要的。通常需要通过加密的方法对客户的有关信息,如密码、合同等加以保护,使之不被盗取或篡改。当客户提出服务申请时,必须对客户身份的合法性、报文的完整性进行确认。HMAC(Keyed-Hashing for Message Authentication)是一个公开的协议。它是一种基于密钥的报文完整性的验证方法,其安全性是建立在Hash算法基础上的。它要求通信双方共享密钥、约定算法、对报文进行Hash运算,如MD5、SHA、RIPEMD等,形成固定长度的认证码。通信双方通过认证码的校验来确定报文的合法性。这个协议可以用来作加密、数字签名、报文验证等。HMAC可以与任何迭代散列函数捆绑使用。MD5和SHA1就是这种散列函数。这种结构的主要作用是:1. 不用修改就可以使用适合的散列函数。而且散列函数在软件方面表现的很好。且源码是公开和通用的。2. 可以保持散列函数原有的性能而不致使其退化。3. 可以使得基于合理的关于底层散列函数假设的消息鉴别机制的加密强度分析。4. 当发现或需要运算速度更快或更安全的散列函数时,可以很容易的实现底层散列函数的替换。注释:在写本文档时,MD5和SHA1是使用最广泛的加密用散列函数。二 HMAC的算法原理2.1 HMAC算法定义:用公式表示如下:HMAC=H(key or opad ,H(key or ipad,text)H(X,Y)表示对 X + Y的消息进行一种Hash运算。Ipad代表重复B次的单字节十六进制常数OX36;Opad代表重复B次的单字节十六进制常数OX5C;key代表64字节的字符串,由密钥组成,不足的补0;text代表任意长度文本;密钥长度L字节。当大于B时,先经Hash计算形成L字节的秘钥 (B是Hash算法中一次迭代运算的数据块字节数;L是Hash算法形成报文摘要的字节数,MD5中是16,SHA-1中是20)。2.2算法步骤(1)在密钥K后面添加0来创建一个字长为B的字符串。(例如,如果K的字长是20字节,B60字节,则K后会加入44个零字节0x00),如果K的长度大于B时,则应经过散列函数处理。if (key_len 64) MD5_CTX tctx; MD5Init(&tctx); MD5Update(&tctx, key, key_len); MD5Final(tk, &tctx); key = tk; key_len = 16;(2)将上一步生成的B字长的字符串与ipad做异或运算。 k_ipadi = 0x36;(3)将数据流text填充至第二步的结果字符串中。(4)用H作用于第三步生成的数据流。调用散列函数(MD5,SHA-1)(5)将第一步生成的B字长字符串与opad做异或运算。k_opadi = 0x5c;(6)再将第四步的结果填充进第五步的结果中。(7)用H作用于第六步生成的数据流,输出最终结果。2.3 MD5算法MD5算法以对任意长度消息多次循环迭代的散列运算,最终形成16 Byte报文摘要。这摘要对文本具有唯一性,可作为认证码。在目标计算机的计算速度下,这个摘要是难于破解的。(1)报文填充MD5算法要求对任意长度报文进行填充,构成N64 Byte消息分组,N为整数。其中每一分组填充数据分2步。首先,填充使得数据位长度恰好为(N64-8)Byte的数,即在报文有效数据后补1个0x1,其它补0x0至满足上述要求。然后,再后补上8字节(64位)的报文数据长度(填充前字节数)。这样,数据就被填充为64Byte(512bit)的整数倍。又划分16个4字节子分组。(2)初始化MD5参数4个4字节位变量(A、B、C、D)用来作为报文摘要的初始值:A=0x01234567 B=0x89abcdef C=0xfedcba98 D=0x76543210( 3 ) 算法MD5算法是对消息分组依次迭代算法。第1次运算的初始值为ABCD,以后每一次迭代运算的结果都替换ABCD作为下一次的初始值,共经过N次的迭代运算,就得到该消息的报文摘要. 2.4实现步骤第一步:增加填充 增加padding使得数据长度(bit为单位)模512为448。如果数据长度正好是模512为448,增加512个填充bit,也就是说填充的个数为1-512。第一个bit为1,其余全部为0。 第二步:补足长度 将数据长度转换为64bit的数值,如果长度超过64bit所能表示的数据长度的范围,值保留最后64bit,增加到前面填充的数据后面,使得最后的数据为512bit的整数倍。也就是32bit的16倍的整数倍。在RFC1321中,32bit称为一个word。 第三步:初始化变量 用到4个变量,分别为A、B、C、D,均为32bit长。初始化为: A: 01 23 45 67 B: 89 ab cd ef C: fe dc ba 98 D: 76 54 32 10 第四步:数据处理 首先定义4个辅助函数: F(X,Y,Z) G(X,Y,Z) H(X,Y,Z) I(X,Y,Z) 其中:X&Y表示按位与,X | Y表示按位或,not(X)表示按位取反。xor表示按位异或。 函数中的X、Y、Z均为32bit。 定义一个需要用到的数组:T(i),i取值1-64,T(i)等于abs(sin(i)的4294967296倍的整数部分,i为弧度。 假设前三步处理后的数据长度为32*16*Nbit 第五步:输出 最后得到的ABCD为输出结果,共128bit。A为低位,D为高位。三 密钥用于HMAC的密钥可以是任意长度(比B长的密钥将首先被H处理)。但当密钥长度小于L时的情况时非常令人失望的,因为这样将降低函数的安全强度。长度大于L的密钥是可以接受的,但是额外的长度并不能显著的提高函数的安全强度。(如果一个随机的密钥被认为是不可靠的,那么选择一个较长的密钥是明智的)。 密钥必须随机选取(或使用强大的基于随机种子的伪随机生成方法),并且要周期性的更新。(目前的攻击没有指出一个有效的更换密钥的频率,因为那些攻击实际上并不可行。然而,周期性更新密钥是一个对付函数和密钥所存在的潜在缺陷的基本的安全措施,并可以降低泄漏密钥带来的危害。)四 注意事项 HMAC是按底层散列函数可以不修改源码就可使用这种方式定义的。尤其是它在使用H函数时还要依赖于预定义的初始化值IV(一个定值,由每个迭代散列函数在初始化它的压缩函数时指定).然而,如果你愿意的话,可以修改H函数的源码来支持可变的初始化值Ivs.这个想法是这样的:压缩函数作用于B字长数据块(K XOR opad)和(K XOR ipad)所产生的中间结果可以在密钥刚刚生成时就预先计算好的。先将这些中间结果存储,然后在每次有消息需要验证时来生成H函数的初始化值IV。这种方法为每个要鉴别的消息保存了H 的压缩函数对于两个B字长数据块(K XOR opad)和(K XOR ipad)的应用。当鉴别短数据流,保存这样的信息是重要的。我们要强调的是:对待这些中间结果要象对待密钥一样,并且要同样的进行保密。上述的选择实现HMAC的方法是本地执行的结果,对内部操作性没有影响。 五 安全 这里将说明消息鉴别机制的安全性取决于所采用的散列函数的加密特性:1。抗冲突攻击能力(只限于初始化值是随机且秘密的,且函数的输出对攻击者来说是不可用的情况)2。当作用于单数据块时H的压缩函数的的消息鉴别属性(在HMAC中这些数据块是部分未知得,当攻击者自制内部H函数计算结果,并且攻击者是不能充分的选择得)HMAC中使用的散列函数一般都具有以上或更强的属性。实际上,如果一个散列函数不具有以上的属性那么它对于大多数的加密应用程序是不适用的,包括基于该函数的选择消息鉴别方案。(对HMAC函数原理详细阐述和完整的分析参见BCK1)只要得到关于候选散列函数的加密强度有限的信任,那么观察它用于消息鉴别的安全性及以下HMAC结构的两种属性是很重要的。1这种结构是独立于具体所使用的散列函数并且后者是可以被任何其它安全加密散列函数替代2消息鉴别相对于加密来说是一种“瞬时”影响。公开的对一种消息鉴别方案的破坏会导致该方案被替换,但是其对已鉴别过的信息却无能为力,。这就与加密形成鲜明对比。如果其加密算法被破解的话。今天加密的的数据,在未来都会受到被破解的威胁, 对HMAC已知最有力的攻击是基于散列函数的冲突频率。(“生日攻击法”PV,BCK2,但完全不适用于最小有理散列函数。
展开阅读全文