SHA#

SHA, or the Secure Hash Algorithms, are a family of cryptographic hash functions, published and standardized by the NIST.

Summary of ANSSI rules and recommendations#

Rule/recommendation

SHA-1

SHA-2

SHA-3

Recommended/obsolete

Obsolete

Recommended

Recommended

RegleHash

Not compliant: (1) digest size is 160<256 and (2) a known collision attack is estimated to require 263<2160/2 operations.

Compliant

Compliant

RecommandationHash

Not compliant

Compliant

Compliant

Overview#

A quick rundown of SHA families:

  • SHA-0, a hash function not included in this guide since it was withdrawn and replaced by SHA-1.

  • SHA-1 is a 160-bit hash function based on the Merkle-Damgård construction. Attacks on a number of rounds have been found, and in 2017, the SHAttered attack was published.

  • SHA-2 is a family of six hash functions that are also based on the Merkle–Damgård construction. These functions are called SHA-N, where N usually stands for the output size in bits.

  • SHA-3 is the latest addition, a family of four hash functions that are not based on the Merkle–Damgård construction but on a sponge construction. These functions are called SHA3-N, where N stands for the output size in bits. While the names are similar, SHA-N only refers to members of the SHA-2 family.

    • This new family is not meant to outright replace SHA-2, but to act as an alternative choice to SHA-2.

    • SHA-3 also introduced SHAKE128 and SHAKE256, two extendable-output functions (XOF). The number in the name refers to their maximum security level in bits.

The SHA-2 family#

Hash function

Output size (bits)

Collision resistance

Preimage resistance

2nd preimage resistance

Comment

SHA-224

224

112

224

224

Truncated version of SHA-256 with different initial value

SHA-256

256

128

256

256

SHA-348

384

192

384

384

Truncated version of SHA-512 with different initial value

SHA-512

512

256

512

512

SHA-512/224

224

112

224

224

Truncated version of SHA-512

SHA-512/256

256

128

256

256

Truncated version of SHA-512

The SHA-3 family#

Function name

Output size (bits)

Collision resistance

Preimage resistance

2nd preimage resistance

SHA3-224

224

112

224

224

SHA3-256

256

128

256

256

SHA3-384

384

192

384

384

SHA3-512

512

256

512

512

SHAKE128

Variable d

min(d/2,128)

min(d/2,128)

min(d/2,128)

SHAKE256

Variable d

min(d/2,256)

min(d/2,256)

min(d/2,256)

ANSSI rules and recommendations#

RegleHash

  1. The minimum size of digests produced by a hash function is 256 bits.

  2. The best known attack for finding collisions must require at least 2h/2 hashing operations, where h is the size in bits of the digests.

RecommandationHash

  1. The use of hash functions for which “partial attacks” are known is not recommended.

Hash length extension attack#

Length extension attacks are a type of attack that given a hash of an unknown message M allow to construct the hash of (M || pad || M'), where pad is the implicit padding added by the hash function and M' is an arbitrary message.

Hash functions based on the Merkle–Damgård construction are susceptible to this attack: SHA-256 and SHA-512 are vulnerable. (Older algorithms such as SHA-1 and MD5 are vulnerable too).

Truncated versions of SHA-2 algorithms should not be affected as this attack relies on the fact that the output of non-truncated versions is their internal state, so by truncating the output the attacker can no longer continue from where the previous execution ended. This includes SHA-512/224 and SHA-512/256. It also includes SHA-384 and SHA-224, but due to the smaller truncation the protection against these attacks is less than that of SHA-512/224 and SHA-512/256.

Members of the SHA-3 family were designed with these attacks in mind, so their design based on the sponge construction means that SHA-3 hash functions are not affected by this attack.

This type of attack has been exploited previously: see Flickr’s API Signature Forgery Vulnerability.

To illustrate this type of attack, an example using MD5 can be found in the following notebook: