times faster than MD2,⁶ RSA Security, Inc., responded to the challenge with MD4⁷ specified in RFC 1320 [4] (see Section 8.3.1). MD4 took advantage of the fact that newer processors could do 32-bit operations, and it was therefore able to be faster than SNEFRU. In 1991, SNEFRU and some other cryptographic hash functions were successfully attacked⁸ using differential cryptanalysis [5]. Furthermore, some weaknesses were found in a version of MD4 with two rounds instead of three [6]. This did not officially break MD4, but it made RSA Security, Inc., sufficiently nervous that it was decided to strengthen MD4. MD5 was designed and specified in RFC 1320 [7] (see Section 8.3.2). MD5 is assumed to be more secure than MD4, but it is also a little bit slower. Due to some recent results, MD4 must be considered to be insecure [8], and MD5 must be considered to be partially broken [9].⁹ In 2004, a group of Chinese researchers found and published collisions for MD4, MD5, and some other cryptographic hash functions.¹⁰ Nevertheless, MD4 and MD5 are still useful study objects for the design principles of cryptographic hash functions.
Table 8.1
Secure Hash Algorithms as Specified in FIPS 180-2

Algorithm   Message Size    Block Size   Word Size   Hash Value Size
SHA-1       < 2^64 bits     512 bits     32 bits     160 bits
SHA-224     < 2^64 bits     512 bits     32 bits     224 bits
SHA-256     < 2^64 bits     512 bits     32 bits     256 bits
SHA-384     < 2^128 bits    1,024 bits   64 bits     384 bits
SHA-512     < 2^128 bits    1,024 bits   64 bits     512 bits
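The five parameter sets in Table 8.1 are not independent: the block size fixes how the message is cut up, the word size fixes the width of the arithmetic, and the message-size bound follows from the width of the length field appended during padding (64 bits for the 512-bit-block algorithms, 128 bits for the 1,024-bit-block ones, as FIPS 180-2 specifies). The following Python example is added here and is not from the book; it encodes the table, implements the Merkle-Damgard padding that produces the message-size bound, and cross-checks the block and hash value sizes against Python's hashlib. The length-field width and the derived word counts are facts about the standard that the table itself does not list.

```python
import hashlib

# Table 8.1, indexed by hashlib's algorithm name. Per algorithm:
# (block size, word size, hash value size, length-field width), all in bits.
# The length-field width is taken from FIPS 180-2 and is what produces the
# "message size < 2^64 bits" / "< 2^128 bits" column of the table.
SHA_PARAMS = {
    "sha1":   (512, 32, 160, 64),
    "sha224": (512, 32, 224, 64),
    "sha256": (512, 32, 256, 64),
    "sha384": (1024, 64, 384, 128),
    "sha512": (1024, 64, 512, 128),
}


def max_message_bits(name):
    """Upper bound on the message size: strictly less than 2**(length-field width) bits."""
    return 2 ** SHA_PARAMS[name][3]


def hash_words(name):
    """Number of words of the algorithm's word size that make up the hash value
    (SHA-1: 5 x 32, SHA-224: 7 x 32, SHA-256: 8 x 32, SHA-384: 6 x 64, SHA-512: 8 x 64)."""
    _, word_bits, hash_bits, _ = SHA_PARAMS[name]
    return hash_bits // word_bits


def md_pad(message, name):
    """Merkle-Damgard padding as used by SHA-1 and the SHA-2 family:
    append a single 0x80 byte, then zero bytes, then the message length in
    bits as a big-endian field of the algorithm's length-field width, so that
    the result is a whole number of blocks. If the message already fills the
    last block so far that the length field does not fit, an extra block is
    produced; that edge case is what the modulo arithmetic below handles."""
    block_bits, _, _, len_bits = SHA_PARAMS[name]
    block_bytes = block_bits // 8
    len_field_bytes = len_bits // 8
    bit_len = len(message) * 8
    if bit_len >= max_message_bits(name):
        raise ValueError("message too long for %s" % name)
    padded = message + b"\x80"
    zero_count = (-len(padded) - len_field_bytes) % block_bytes
    padded += b"\x00" * zero_count
    padded += bit_len.to_bytes(len_field_bytes, "big")
    assert len(padded) % block_bytes == 0
    return padded


def block_count(message, name):
    """How many compression-function calls the padded message needs."""
    return len(md_pad(message, name)) // (SHA_PARAMS[name][0] // 8)


def matches_hashlib(name):
    """Cross-check the table's block size and hash value size against hashlib."""
    block_bits, _, hash_bits, _ = SHA_PARAMS[name]
    h = hashlib.new(name)
    return h.block_size * 8 == block_bits and h.digest_size * 8 == hash_bits


if __name__ == "__main__":
    for name in SHA_PARAMS:
        print(name, "hashlib agrees:", matches_hashlib(name),
              "words in hash:", hash_words(name),
              "blocks for 56-byte message:", block_count(b"a" * 56, name))
```

Running it shows why a 56-byte message costs two SHA-256 blocks but one SHA-512 block: after the 0x80 byte there is no room left in a 64-byte block for the 8-byte length field, whereas a 128-byte block absorbs the 16-byte field comfortably.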
In 1993, the U.S. NIST proposed the Secure Hash Algorithm (SHA), which is similar to MD5, but even more strengthened and also a little bit slower. Probably after discovering a never-published weakness in the original SHA proposal,¹¹ the NIST revised it and called the revised version SHA-1. As such, SHA-1 is specified in the Federal Information Processing Standards Publication (FIPS PUB) 180-1 [12],¹² also known as Secure Hash Standard (SHS). In 2002, FIPS PUB 180 was revised
⁶ The function was proposed in 1990 in a Xerox PARC technical report entitled A Software One Way Function.
⁷ There was an MD3 cryptographic hash function, but it was superseded by MD4 before it was ever published or used.
⁸ The attack was considered successful because it was shown how to systematically find a collision (i.e., two messages with the same hash value).
⁹ One problem with MD5 is that the compression function is known to have collisions (e.g., [10]).
¹⁰ http://eprint.iacr.org/2004/199.pdf
¹¹ At CRYPTO '98, Florent Chabaud and Antoine Joux published a weakness of SHA-0 [11]. This weakness was fixed by SHA-1, so it is reasonable to assume that they found the original weakness.
¹² SHA-1 is also specified in informational RFC 3174 [13].