
Distinguishing Attacks on LPMAC Instantiated with Reduced SHA-1 and Partial Key Recovery Attacks on 53-step SHA-1-MAC

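【Author】 Liu Jing (刘靖)

【Supervisors】 Wang Meiqin (王美琴); Wang Xiaoyun (王小云)

【Author information】 Shandong University, Information Security, 2011, Master's thesis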

【Abstract】 With the rapid development of informatization, information has become an indispensable resource for the world's development, and information security plays a vital role in the information society, bearing directly on the normal operation of every aspect of social life. In particular, with the rise of e-commerce in recent years, global requirements for information security have risen further, and message encryption, authentication and secure transmission have become especially important. Cryptography is the basic means of achieving information security, and hash functions, as one of the basic cryptographic algorithms, are widely used in many fields. Following recent breakthroughs in breaking hash functions, the design and security analysis of hash functions has become a hot research topic in cryptology. The development of hash functions has in turn driven research on message authentication codes (MACs), and the security analysis of hash-based MACs is receiving more attention. This thesis analyzes the security of MACs based on reduced-round SHA-1. Under the guidance of the supervisors, the main results are as follows:

(1) Distinguishing attack on LPMAC instantiated with 63-step (steps 5-67) SHA-1. Building on a study of the collision attacks on the SHA family and of Wang et al.'s ideas on distinguishing attacks against LPMAC, the thesis analyzes Qiao et al.'s distinguishing attack on LPMAC instantiated with 63-step (steps 8-70) SHA-1, and points out and corrects the problems in it. A program is then used to search for and select a differential path with a sufficient probability advantage. The disturbance vector is the same as the one Qiao et al. used, but the differential path as a whole is shifted to a different position. Using the new distinguisher construction proposed by Wang et al., a distinguishing attack is mounted on LPMAC instantiated with 63-step (steps 5-67) SHA-1. The complexity is 2^155 MAC queries and the success probability is 0.70.

(2) Distinguishing attack on LPMAC instantiated with 66-step (steps 15-80) SHA-1. Qiao et al.'s distinguishing attack on LPMAC instantiated with 65-step (steps 12-76) SHA-1 gets around the original restriction of no more than 40 conditions by building the distinguisher from a single differential path instead of two paths. Using the same distinguisher construction, the thesis re-analyzes the problem and searches for a differential path that satisfies the conditions, extending the LPMAC distinguishing attack to 66 steps (steps 15-80). The complexity is 2^81 MAC queries and the success probability is 0.51.

(3) Partial key recovery attack on 53-step (steps 20-72) SHA-1-MAC. Combining Contini et al.'s partial key recovery technique for HMAC-MD5 with Wang et al.'s ideas on partial key recovery for MD5-MAC, the thesis searches for and selects a suitable differential path, which was first proposed by Rechberger. After deriving the necessary and sufficient conditions for the path to hold, it gives a partial key recovery attack on 53-step (steps 20-72) SHA-1-MAC. Because the truncated SHA-1 starts from the second round, the subkey K1 of SHA-1-MAC is treated as only three 32-bit words K1[1], K1[2] and K1[3]. The attack recovers 96 bits of subkey K1 and the 160 bits of subkey K0, with a complexity of 2^106 MAC queries.

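  • 【Online publication contributor】 Shandong University
  • 【Online publication year and issue】 2012, Issue 04
  • 【Classification number】 TN918.2
  • 【Times cited】 2
  • 【Downloads】 32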