Cryptography

Student : Enes Hatibovid Mentor: Saida Sultanid Second reader:Almir Mutapid

Acknowledgements

My deepest appreciation goes to my mentor, Professor Saida Sultani for constant support, direction, encouragement, and good wishes without which the work could not be completed.

Dedication

To my family and friends.

The Basic Principles of Modern Cryptography .......................................................................................... 8 Private-Key Encryption and Pseudo randomness ................................................................................... 10 A -Computational Approach to Cryptography ........................................................................................ 11 The Basic Idea of Computational Security ............................................................................................... 12 Stream cipher .............................................................................................................................................. 13 Loose inspiration from the one-time pad ............................................................................................... 14 Types of stream ciphers .......................................................................................................................... 15 Synchronous stream ciphers ................................................................................................................... 15 Self-synchronizing stream ciphers........................................................................................................... 16 Linear feedback shift register-based stream ciphers (LFSR) ................................................................... 16 Non-linear combining functions .............................................................................................................. 17 Clock-controlled generators .................................................................................................................... 17 Security .................................................................................................................................................... 18 Usage ....................................................................................................................................................... 19 RC4............................................................................................................................................................... 20 History ..................................................................................................................................................... 20 Description .............................................................................................................................................. 20 The key-scheduling algorithm (KSA) ........................................................................................................ 21 The pseudo-random generation algorithm (PRGA) ................................................................................ 22 Implementation ....................................................................................................................................... 22 Security .................................................................................................................................................... 23 Roos' Biases and Key Reconstruction from Permutation ........................................................................ 23 Biased Outputs of the RC4 ...................................................................................................................... 24 Fluhrer, Mantin and Shamir attack ......................................................................................................... 24 Klein's Attack ........................................................................................................................................... 25 Combinatorial problem ........................................................................................................................... 25 SHA-1 ........................................................................................................................................................... 26 The SHA-1 hash function ......................................................................................................................... 26 Applications ............................................................................................................................................. 27 Cryptanalysis and validation.................................................................................................................... 28 SHA-0 ....................................................................................................................................................... 29 SHA-1 ....................................................................................................................................................... 29

Bibliography................................................................................................................................................. 35 APENDIX ...................................................................................................................................................... 37 Form1.cs .................................................................................................................................................. 37 Form1.Design.cs ...................................................................................................................................... 43 Program.cs ............................................................................................................................................... 53

Abstract

In this thesis the principles of cryptography and uses of cryptography are discussed. In the main part of this work the stream cypher notion is explained and methods of hashing are described. The practical part of my thesis work is an application for MD5 and SHA1 hashing coded in C#, for which the source code is provided in the appendix.

Cryptography and Modern Cryptography

In order to start writing anything relevant about cryptography it is of a high importance to define the term itself. It is a fact that there are many different definitions of the term, which are basically all the same in the essence and this research will start by providing the proper definition. According to One may assume that this definition is accurate in terms of its historical background, but it certainly cannot be applied in the modern cryptography. The first problem that appears is that the above mentioned definition focuses on the problem of secret communication. The proof for this lays in the very definition where the codes are mentioned, and where codes as such are defined as a system of pre-arranged signals, especially used to ensure secrecy in transmitting messages". Another thing worth mentioning in the provided definition is art form of cryptography. It is evidence that throughout 20th century cryptography was considered to be an art, because in order to construct good codes, break some of the ones which already existed was indeed based on ones creativity and skill. At that time one could not find much of the needed things in theory and the notion of what made a good code was not even properly defined. However, at the end of the century this situation changed. A comprehensive theory appeared and this helped the study of cryptography being defined as a science. Now, apart from including a secret communication, cryptography now included far more things such as dealing with problems of authenticity of messages, protocols for the exchange of secret keys, digital cash, authentication protocols, etc. Nowadays, it can be said that modern cryptography is concerned with problems that may occur in any sort of distributed computation that may be the victim of either internal or external attack. In the end,

it would be proper to say that cryptography is scientific study of techniques for securing digital information, transactions, and distributed computations.

One important parallel that has to be drawn is the difference between classical cryptography, namely the one before 1980s, and the modern one used today. In the past, the ones who consumed cryptography were organizations connected with army and intelligence, but today the situation is far more different. Almost any computer system has security mechanisms which rely on cryptography. Without even being aware of it users rely on cryptography each time they access a website which is secured. Methods from cryptography are used to perform access control in multi-user operating systems, as well as to secure stopping thieves from using trade secrets from the laptops which are stolen. Even though the list of the methods of software protection is long it basically employs encryption, authentication as well as some other tools used in order to prevent copying. According to the above mentioned there is a considerable path from cryptography being an art form to the science and it is slowly becoming the main topic in the circles of the computer science. [1]

The Basic Principles of Modern Cryptography

In the previous section one was able to find out some things about defining cryptography and its historical background. One was also able to assume that being art form cryptography used schemes which were designed in an ad-hoc manner, where all such schemes were broken with time. However, nowadays there is a change and cryptography now rests on firm foundations which are also scientifically oriented. After this short introduction one is going to be faced with the main principles of cryptography and the differences between modern and classical cryptography. There are three main principles that are about to be defined. The first principle implies the formulating of precise definition of security which is essential part of the solving any cryptographic problem. The second principle implies the security of a cryptographic construction which should be based on an unproven assumption and the assumption must be stated precisely. In terms of the second principle in is important to mention that the assumption should be as minimal as possible. The third principle is tightly connected with the first two ones, namely cryptographic constructions are supposed to be accompanied by a proof of security connected with the definition of the first principle, as well as relative to an assumption from the second principle. [1] Now all these principles are going to be discussed more precisely. First thing that is going to be discussed is formulation of exact definitions for the first principle. In that term it is relevant to mention that the modern cryptography contributed to the realization that formal definitions of security are highly important prerequisites for the design, usage, as well as study of cryptographic protocol. The importance of design is going to be discussed first. If one wants to construct a secure encryption scheme, one has to have firm picture of the thing that one wants to achieve. But the question that raises

here is how one can know whether he/she achieved it. And this is the moment when the exact definition helps us to successfully direct our efforts in terms of design, and not to be forgotten, to evaluate the quality of what is built. So the tip that can be given here is: first define what you need and only then start the phase of design. If this process is done opposite of the way mentioned above, one is faced with the less efficient solution. When it comes to the importance for usage then one is also faced with some questions such as: How one knows which encryption scheme to use and how one can be sure whether this particular scheme is sufficient for the application one needs. One of the tips is that we can define the security that we want in our system or we can provide the definition that we need and find the encryption scheme which satisfies this definition. And the last thing that is going to be mentioned within the first principle is the importance for study. When one is faced with two encryption schemes how can one compare them. When there is no definition of security, then efficiency is the only point of comparison, but still the efficiency is poor criteria. However, the scheme which is highly efficient is insecure. In these terms there is another point of comparison. If there are two schemes which are equally efficient, where the first one satisfies a stronger definition of security then the second one, then the first one is better. [1]

Private-Key Encryption and Pseudo randomness

This part of the research is going to deal with the notion of pseudo randomness. This term implies that thing may seem absolutely random despite the fact that they are not. One is also be able to see how this can be used to achieve secure encryption. In specific terms one is going to be able to see schemes of encryption where a short key can be used to encrypt many long messages in a secure way.

These schemes have the ability to bypass genuine limitations of perfect secrecy because of the fact that they achieve the weaker notion of computational secrecy which is sufficient. In the following one is going to be introduced with the computational approach to cryptography in general terms. This approach is going to be mentioned in the rest of the research and it is important to emphasize that it is the basis of modern cryptography. [1]

A -Computational Approach to Cryptography

Previously one has been introduced with classical cryptography. First there was a brief historical background of ciphers and the focus was on how they can be broken and what one is able to learn from these attacks. Then cryptographic schemes, that can be proven secure by means of mathematics, were presented. These types of schemes are called information theoretically secure and they are practically perfectly secure. The security of these is due to the fact that there is not enough information to succeed in its attack. It is important to say that the cipher text does not contain any information about the plain text. Of course, if we assume that the key is unknown. If one restricts to the case of private-key encryption, then modern encryption schemes have the property of being broken if enough time and computation are provided. Another thing worth mentioning is that information-theoretic security stands in contrast to a computational security. Information-security is stronger than computational security. As mentioned above perfectly-secret encryption schemes have problems with lower bounds in terms of key length. Namely, the key must be as long as the combined length of all messages ever encrypted using this key. There are also some negative results in terms of information-theoretic security. Even though

mathematical appeal is of a great importance it is necessary to compromise on perfect security in order to obtain practical cryptographic schemes. [1]

The Basic Idea of Computational Security

When it comes to the principle that cryptographic designs should be made public it is important to mention Kerckhoffs, who was the ideologist of this. Namely, he made six principles and the following one is relevant for the following discussion: A cipher must be practically, if not mathematically indecipherable. This prinvciple of Kerckhoffs says that it is not necessary to use perfectly secret encryption scheme, but that it is enough to use a B scheme that cannot be broken in a reasonable time with any reasonable probability of success. Namely, it is enough to use encryption scheme that can be broken, but it cannot be broken with the probability better than 10 to 30 in 200 years using the fastest available supercomputer. In the following part of this research one is going to be presented with a framework for making formal statements about cryptographic schemes that are in certain extent unbreakable. The computational approach has two relaxations of the notion of perfect security. First, security can only be preserved against efficient adversaries that run in a feasible amount of time. Second, adversaries can succeed with some very small probability. In order to make a meaningful theory one needs to define what has been said above. One can mention two common approaches for this action: the concrete and the asymptotic approach. When it come to the concrete approach it is important to mention that it quantifies the security of a given cryptographic scheme by bounding the maximum probability of success of any adversary running for at most some

specified amount of time. On the other hand there is asymptotic approach which views the running time of the adversary as well as its success probability as functions of some parameter rather than a concrete numbers. When the scheme is initialized then parties choose some value for the security parameter. After this is established one equates the notion of feasible strategies or efficient algorithms with probable algorithms running in time polynomial in n. It is required that honest parties run in polynomial time, and will only be concerned with achieving security against polynomial time adversaries. It should also be stressed that the adversary may be much more powerful than the honest parties. Then one should equate the notion of small probability of success with success probabilities smaller then any inverse polynomial in n. Namely, for every constant c the adversarys success probability is smaller than n-c for large values of n.

Although very clean from a theoretical point of view (since we can actually speak of a scheme being secure or not) , it is important to understand that the asymptotic approach only "guarantees security" for large enough values of n, as the following example should make clear. [1]

Stream cipher

In terms of cryptography a stream cipher is a systematic key cipher. In this context plaintext bits are combined with pseudorandom cipher bit stream, i.e. keystream by an exclusive or operation. When it

comes to a stream cipher the plaintext digits are encrypted one by one, while the transformation of successive digits changes during the encryption. The other name for this is a state cipher, since the encryption of each digit is dependent on the current state. Stream ciphers show a different approach to symmetric encryption from block ciphers. Block ciphers work on large blocks of digits with fixed transformation. This difference is not always true. There are instances in modes of operation where a block cipher primitive is used in a way that it performs in an effective way as a stream cipher. Typically, stream ciphers perform at higher speed than block ciphers and they also have lower complexity of hardware. [2]

Loose inspiration from the one-time pad

Stream ciphers can be seen as approximately showing the action of a proven cipher that is not breakable, the one-time pad (OTP) which is also known as the Vernam cipher. Digits used in a one-time pad are completely random. Cipher text is formed in a way that the keystream is combined with the plaintext digits one at the time. In 1949 Claude Shannon proved that this system is secure. One must bear in mind that the keystream must be the same length as the plain text, while generated completely at random. This makes the system pretty heavy to be implemented in practice. As a result of this onetime pad has been used only for the most critical applications.

For instance, a stream cipher makes use of a much smaller and more convenient key like 128 bits. According to this key, it produces a pseudorandom keystream which can be combined with the plaintext digits in a similar way to the one-time pad. One must be aware that this has its price since the keystream

is now pseudorandom, not completely random, the proof of security connected with one-time pad no longer is enough, and as a result a stream cipher can be completely insecure. [2]

Types of stream ciphers

A stream cipher produces successive elements of the keystream which are based on an internal state. In essential terms this state is updated in two ways. On the one hand, the cipher is classified as the synchronous stream cipher if the state changes independently of the plaintext or ciphertext messages. On the other hand, update of self-synchronizing stream ciphers is based on previous ciphertext digits. [2]

Synchronous stream ciphers

When it comes to a synchronous cipher, a stream of pseudo-random digits is produced independently of the plaintext and ciphertext messages, and only then combined with the plaintext or the ciphertext. It is important to mention a binary additive stream cipher where binary digits are used and the keystream is combined with the plaintext using the exclusive or operation.

In order for decryption to be successful the sender and receiver must be exactly in step. Synchronization is lost if the digits are added or removed from the message during transmission. In order to restore synchronization different offsets can be tried systematically to obtain the correct decryption. However, if the digit is corrupted in transmission, only a single digit in the plaintext is affected and therefore the error does not propagate to other parts of the message. When the transmission error is high this property is useful. Because of this property synchronous stream ciphers are susceptible to active attacks. If an attacker can change a digit in the ciphertext, he/she might be able to make predictable changes to the corresponding plaintext bit. [3]

Self-synchronizing stream ciphers

There is another approach where several of the previous ciphertext digits are used to compute the keystream. These schemes are known as self-synchronizing stream ciphers or chipertext autokey (CTAK). This idea of self-synchronization was launched in 1946. The advantage of self-synchronization is that the receiver will automatically synchronize with the keystream generator after receiving N ciphertext digits. In this way it is easier to recover if digits are dropped or added to the message stream. [2]

Linear feedback shift register-based stream ciphers (LFSR)

There are several reasons why binary stream ciphers are often constructed by using linear feedback shift registers. First, they can be easily implemented in hardware; second, they can be readily analyzed

mathematically. If they are used on their own then it is not sufficient for them to provide good security. There are various schemes which are proposed to increase their security. [3]

Non-linear combining functions

LFRS are inherently linear and because of the one technique for removing linearity is to feed the outputs of several parallel LFSRs into a non-linear Boolean function in order to form a combination generator. For instance, in order to avoid correlation attacks various properties of such combining function are critical in order to ensure the security of the resulting scheme.

Clock-controlled generators

LFSRs are usually stepped regularly. There is one approach of introducing non-linearity in order to have the LFSR clocked irregularly which is controlled by the output of a second LFSR. These include stop-andgo generator, the alternating step generator and the shrinking generator. An alternating step generator is composed of three linear feedback shift registers, which are called LFSR0, LFSR1 and LFSR2 for convenient reasons. The output of one of the registers determines which of the other two is to be used. The stop-and-go generator is made of two LFSRs. One LFSR is clocked if the output of a second is a "1. If this is not the case then previous output is repeated. Then this output is combined with the output of a third LFSR clocked at a regular rate.

When it comes to the shrinking generator then there is a different approach. One uses two LFSRs and both of them are clocked regularly. If the output of the first LFSR is "1", the output of the second LFSR becomes the output of the generator. If the first LFSR outputs "0", however, the output of the second is discarded, and no bit is output by the generator. However, this mechanism has its errors in terms that it suffers from timing attacks on the second generator, since the sped of the output is variable in a manner that depends on the second generators state. [2]

Security

In order for a stream cipher to be secure, its keystream must have a large period and it must be impossible to recover the ciphers key or internal state from the keystream. Cryptographers have a demand that the keystream must be free of subtle biases which could let attackers distinguish a stream from random noise, as well as free from detectable relationship between keystreams that correspond to related keys.

It is also important to mention that stream ciphers attacks can be certificational which means that they are not practical ways to break the cipher but they indicate that the cipher might have some other weaknesses.

In order to use a secure synchronous stream cipher securely it is required not to use the same keystream two times. This means that a different nonce or key must be supplied to each invocation of the cipher. Designers who do the application must recognize that most stream ciphers do not provide authenticity, but only privacy.

There is one practical concern and that is that periods for stream ciphers are short. For instance, 64-bit block ciphers can be used to produce a keystream in output feedback mode. One the other hand, when full feedback is not used the resulting stream has a period of about 232 blocks on average. It is important to mention that this period is too low for many applications. [2]

Usage

There are several reasons why stream ciphers are used. One of them is for their speed and simplicity of implementation in hardware, then in applications where plaintext comes in quantities of unknowable length, e.g. wireless connection. In order for using a block cipher in this type of application, one needs to choose whether to use transmission efficiency or implementation complexity. The reason for this is that block ciphers cannot work directly on blocks shorter than their block size. There is another advantage of stream ciphers when it comes to military cryptography. The cipher stream can be produced in a separate box that is subject to strict security measures and fed to other devices such as radio set.

RC4 is the most widely used stream cipher in software and others include: A5/1, A5/2, Chameleon, FISH, Helix, ISAAC, MUGI, Panama, Phelix, Pike, SEAL, SOBER, SOBER-128 and WAKE. [2]

RC4

History

In 1987 Ron Rivest of RSA Security designed RC4. Its official term is Rivest Cipher 4, and the RC acronym is understood to stand for Rons Code. First, RC4 was a trade secret, but in September 1994 its description was posted to the Cypherpunks mailing list anonymously. This code was soon posted to many sites on the Internet and the code was confirmed to be genuine as it is found that its output matches to a software using licenced RC4. This was no longer a secret and the name RC4 is trademarked. RC4 has become part of some commonly used encryption protocols and standards, including WEP and WPA for wireless cards and TLS. There are several factors which influenced on the success of RC4 over such a wide range of applications and those are speed, simplicity and efficient implementations in both software and hardware. [4]

Description

RC4 produces a pseudorandom stream of bits, i.e. a keystream. These can be used for encryption by combining it with plaintext using bit-wise exclusive-or. This is similar to the Vernam cipher apart from the fact that generated pseudorandom bits are used. In order to generate the keystream the cipher makes use of a secret internal state which consists of two parts. On the one hand there is a permutation of all 256 possible bytes (denoted "S" below). On the other hand there is two 8-bit index-pointers (denoted "i" and "j"). The permutation starts with a variable length key, typically between 40 and 256 bits, using the keyscheduling algorithm (KSA). When this has been completed, the stream of bits is generated using the pseudo-random generation algorithm (PRGA).

The key-scheduling algorithm (KSA)

The key-scheduling algorithm is used to start the permutation in the array "S". The number of bytes in the key is called keylenght and it can be in the range 1 keylength 256, typically between 5 and 16, corresponding to a key length of 40 128 bits. First, the array "S" is started to the identity permutation. S is then processed for 256 iterations in a similar way to the main PRGA, but also mixes in bytes of the key at the same time. for i from 0 to 255 S[i] := i endfor j := 0 for i from 0 to 255 j := (j + S[i] + key[i mod keylength]) mod 256 swap values of S[i] and S[j]

endfor

The pseudo-random generation algorithm (PRGA)

The PRGA modifies the state and outputs a byte of the keystream for as much iteration as needed. In each of them, the PRGA increments i, adds the value of S pointed to by i to j, exchanges the values of S[i] and S[j], and then outputs the element of S at the location S[i] + S[j]. Each element of S is changed with another element at least once in every 256 iterations. i := 0 j := 0 while GeneratingOutput: i := (i + 1) mod 256 j := (j + S[i]) mod 256 swap values of S[i] and S[j] K := S[(S[i] + S[j]) mod 256] output K endwhile

Implementation

Many stream ciphers are based on linear feedback shift registers which are efficient in hardware, but not in software. The very design of RC4 does not use LFSRs and therefore is perfect for software implementation and the only thing it requires is byte manipulations. It use 256 bytes of memory for state

array, S[0] through S[255], k bytes of memory for the key, key[0] through key[k-1], and integer variables, i, j, and y.

Security

RC4 does not take a separate nonce alongside the key which is not the case with a modern stream cipher. This means that if one wants to use a single long-term in order to securely encrypt multiple streams, the cryptosystem must note how to combine the nonce and the long-term key to produce the stream key for RC4. One approach for solving this is to generate a "fresh" RC4 key by hashing a long-term key with a nonce. However, many applications that use RC4 simply make a chain between key and nonce. Since RC4 is a stream cipher, it is more malleable than common block ciphers. The encryption is vulnerable to a bit-flipping attack if RC4 is not used with a strong message authentication code (MAC), then encryption is vulnerable to a bit-flipping attack.

Roos' Biases and Key Reconstruction from Permutation

In order to perform an experiment in 1995 Andrew Roos observed that the first byte of the keystream is correlated to the first three bytes of the key and the first few bytes of the permutation after the KSA are correlated to some linear combination of the key bytes. However, this was not proven until 2007, when Goutam Paul, Siddheshwar Rathi and Subhamoy Maitra proved the keystream-key correlation, while in another work Goutam Paul and Subhamoy Maitra proved the permutation-key correlations. The work of

Goutam Paul and Subhamoy Maitra proved the permutation-key correlations and it also used these correlations to make the first algorithm for complete key reconstruction from the final permutation after the KSA, without any assumption on the key or IV. As a result of this many other works have been performed on key reconstruction from RC4 internal states. [5] [6]

Biased Outputs of the RC4

The keystream generated by the RC4 is biased in varying degrees towards certain sequences. In these terms Itsik Mantin and Adi Shamir showed that the second output byte of the cipher was biased toward zero with probability 1/128 (instead of 1/256). This is due to the fact that if the third byte of the original state is zero, and the second byte is not equal to 2, then the second output byte is always zero. Such bias can be detected by observing only 256 bytes. There are also Souradyuti Paul and Bart Preneel of COSIC who showed that the first and the second bytes of the RC4 were also biased. The number of required samples to detect this bias is 225 bytes. Fluhrer and McGrew also showed such attacks which made the difference between the keystream of the RC4 and a random stream given a gigabyte of output. Riddhipratim Basu, Shirshendu Ganguly, Subhamoy Maitra, and Goutam Paul performed the complete characterization of a single step of RC4 PRGA. They did the following: took into consideration all the permutations and then proved that the output is not uniform given i and j, and as a consequence, information about j is always leaked into the output. [7]

Fluhrer, Mantin and Shamir attack

Fluhrer, Mantin and Shamir made a new discovery in 2001 over all possible RC4 keys, the statistics for the first few bytes of output keystream are strongly non-random, leaking information about the key. In these terms it is important to note that if the long-term key and nonce are simply concatenated to generate the RC4 key then the long-term key can be discovered by analysing a large number of messages encrypted with this key. This and similar effects were used to break the WEP ("wired equivalent privacy") encryption used with 802.11 wireless networks. By discarding the initial portion of the keystream cryptosystems can defend against this attack. This modified algorithm is traditionally called "RC4-drop[n]", where n is the number of initial keystream bytes that are dropped. [8]

Klein's Attack

Andreas Klein launched an analysis of the RC4 stream cipher in 2005 and with it he showed more correaltions between the RC4 keystream and the key. Erik Tews, Ralf-Philipp Weinmann, and Andrei Pychkine used this analysis in order to create aircrack-ptw, a tool which cracks 104-bit RC4 used in 128bit WEP in less than a minute. While on the other hand the Fluhrer, Mantin, and Shamir attack used around 10 million messages, aircrack-ptw can break 104-bit keys in 40,000 frames with probability of 50% or in 85,000 frames with probability of 95%. [9]

Combinatorial problem

In terms of combinatory a problem related to the number of inputs and outputs of the RC4 cipher was first launched by Itsik Mantin and Adi Shamir in 2001, whereby, of the total 256 elements in the typical

state of RC4, if x number of elements (x 256) are only known, then the maximum number of elements that can be produced is also x in the next 256 rounds. [10]

SHA-1

In order to start discussing SHA-1 it is significant to mention that it stands for secure hash algorithm and that it is a cryptographic hash function. It is designed by the National Security Agency and it is published by NIST as the U. S. Federal Information Processing Standard. There are three SHA algorithms which are structured differently and those are: SHA-0, SHA-1, and SHA-2. It is also important to mention that SHA-1 is not quite different from SHA-0, but it corrects a mistake in the original SHA hash specification and that led to important weaknesses. Therefore, SHA-0 was not adopted by many applications. However, SHA-2 differs in many ways from SHA-1 hash function. From all existing SHA hash functions SHA-1 is the most widely used and it can be found in few widelyused security applications and protocols. However, in 2005 some security flaws in terms of mathematical weakness were identified in SHA-1. This led to the conclusion that a stronger hash function should be employed. As it has been mentioned above SHA-1 is similar to SHA-2 and therefore some improved alternatives are supposed to be found despite the fact that successful attacks have not yet been reported on the SHA-2 variants. Currently, SHA-3 is under development. [11]

The SHA-1 hash function

Despite the conservative design SHA-1 produces 160-bit message digest based on the principles similar to those used by Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms. The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180 by US government standards agency NIST. Today this version is referred to as SHA-0. However, it was removed shortly after its publication and it was brought back by the revised version which was published in 1995 in FIPS PUB 180-1 and it is referred to as SHA-1. SHA-1 is similar to SHA-0; the only difference is a single bitwise rotation in the message schedule of its compression function. According to NSA this was done in order to correct a flaw in the original algorithm which reduced its cryptographic security. It seems that SHA-1 provide greater resistance to attacks.

Applications

SHA-1 is a part of few widely-used security applications and protocols and those include TLS and SSL, PGP, SSH, S/MIME, etc. Some distributed revision control systems such as Git, Mercurial also use SHA-1 hashing system in order to identify revisions and to detect data corruption. This algorithm was also used on Nintendo console Wii for signature verification during boot. Certain U.S. Government applications use SHA-1 and SHA-2 and this is required by law. This includes use within other cryptographic algorithms and protocols in order to protect sensitive unclassified information. However, the U.S. National Institute of Standards and Technology says that SHA-1 should not be used for the applications that require collision resistance and SHA-2 family of hash functions should be used for those applications after 2010. [12]

Cryptanalysis and validation

There are two different criteria that are supposed to be explained. The first one is called a preimage attack which means that for a hash function of witch L is the number of bits in the message digest, finding a message that corresponds to a given message digest can always be done using a brute force search in 2L evaluations. The preimage attack may or may not be practical and this depends on L and the particular computing environment. The second one is called a birthday attack meaning that finding two different messages that make the same message digest, known as a collision, requires on average only 2L/2 evaluations. When it comes to the practical security the biggest problem about the new attacks is that they might find their way to more efficient ones. One is still not sure is this is going to be the case. There are some applications which use cryptographic hashes, i.e. password storage seem to be minimally affected by a collision attack. Making a password that works for a given account requires preimage attack and along with it an access to the hash of the original password.

All SHA functions are vulnerable to length-extension and partial-message collision attacks and this is the consequence of the block and iterative structure of the algorithms as well as the absence of additional final steps. These attacks make it possible to an attacker to forge a message, which is only signed by a keyed hash- SHA (message | | key) or SHA (key | | message) - by extending the message and recalculating the hash without knowing the key. The simplest improvement to stop these attacks is to hash two times - SHAd(message) = SHA(SHA(0b | | message)) (0b - zero block, length is equal to block size of hash function). [13]

SHA-0

Florent Chabaud and Antoine Joux, two French researchers at CRYPTO 98, presented an attack on SHA-0. They showed that collisions can be found with complexity 261, fewer than the 280 for an ideal hash function of the same size. Biham and Chen found near-collisions for SHA-0 in 2004 showing that two messages that hash to nearly the same value are equal. In their particular case it was 142 out of the 160 bits. They also found full collisions of SHA-0 reduced to 62 out of its 80 rounds. In August 2004 a collision for the full SHA-0 algorithm was announced by Joux, Carribault, Lemuet, and Jalby. Finding the collision had complexity 251 and took about 80,000 CPU hours on a supercomputer with 256 Itanium 2 processors. [11]

SHA-1

As the consequence of the results for SHA-0 some experts suggested that plans for the use of SHA-1 in new cryptosystem are supposed to be reconsidered. There were two attacks in 2005. The first one was when Rijmen and Oswald published an attack on a reduced version of SHA-153 out of 80 roundswhich finds collisions with a computational effort of fewer than 280 operations. Second attack was announced by Xiaoyun Wang, Yiqun Lisa Yin, Bayarjargal, and Hongbo Yu. The attacks can find collisions in the full version of SHA-1, requiring fewer than 269 operations.

The authors said that their analysis was built upon the original differential attack on SHA-0 [sic], the near collision attack on SHA-0, the multiblock collision techniques, as well as the message modification techniques used in the collision search attack on MD5. Breaking SHA-1 would not be possible without such analytical techniques. The paper with the full attack description was published in August 2005 at the CRYPTO conference. On 17 August 2005, an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, reducing the complexity required for finding a collision in SHA-1 to 263. On 18 December 2007 the details of this result were explained and verified by Martin Cochran. Christophe De Cannire and Christian Rechberger further improved the attack on SHA-1 in "Finding SHA1 Characteristics: General Results and Applications and this brought them the Best Paper Award at ASIACRYPT 2006. A two-block collision for 64-round SHA-1 was presented, found using methods which are not optimized with 235 compression function evaluations. As this attack requires the equivalent of about 235 evaluations, it is considered to be a significant theoretical break. Their attack was extended further to 73 rounds (of 80) in 2010 by Grechnikov. In order to find an actual collision in the full 80 rounds of the hash function, however, massive amounts of computer time are required. The effort was abandoned May 12, 2009 due to lack of progress. Christian Rechberger and Christophe De Cannire claimed to have discovered a collision attack on SHA-1 that would allow an attacker to select at least parts of the message at the Rump Session of CRYPTO 2006. [11] [14] Pseudocode for SHA1 is: Note 1: All variables are unsigned 32 bits and wrap modulo 232 when calculating

Note 2: All constants in this pseudo code are in big endian. Within each word, the most significant byte is stored in the leftmost byte position

Initialize variables: h0 = 0x67452301 h1 = 0xEFCDAB89 h2 = 0x98BADCFE h3 = 0x10325476 h4 = 0xC3D2E1F0

Pre-processing: append the bit '1' to the message append 0 k < 512 bits '0', so that the resulting message length (in bits) is congruent to 448 64 (mod 512) append length of message (before pre-processing), in bits, as 64-bit big-endian integer

Process the message in successive 512-bit chunks: break message into 512-bit chunks

for each chunk break chunk into sixteen 32-bit big-endian words w*i+, 0 i 15

Extend the sixteen 32-bit words into eighty 32-bit words: for i from 16 to 79 w[i] = (w[i-3] xor w[i-8] xor w[i-14] xor w[i-16]) leftrotate 1

Initialize hash value for this chunk: a = h0 b = h1 c = h2 d = h3 e = h4

Main loop: [30] for i from 0 to 79 if 0 i 19 then

f = (b and c) or ((not b) and d) k = 0x5A827999 else if 20 i 39 f = b xor c xor d k = 0x6ED9EBA1 else if 40 i 59 f = (b and c) or (b and d) or (c and d) k = 0x8F1BBCDC else if 60 i 79 f = b xor c xor d k = 0xCA62C1D6

temp = (a leftrotate 5) + f + e + k + w[i] e=d d=c c = b leftrotate 30 b=a a = temp

Add this chunk's hash to result so far: h0 = h0 + a h1 = h1 + b h2 = h2 + c h3 = h3 + d h4 = h4 + e

Produce the final hash value (big-endian): digest = hash = h0 append h1 append h2 append h3 append h4

Bibliography
[1] Jonathan B.Knudsen, Java Cryptography.: O'REILLY', 1998. [2] Matt J.B. Robshaw, Stream Ciphers Technical Report TR-701.: RSA Laboratories, 1995. [3] Fred Piper Thomas Beth, The Stop-and-Go Generator., 1984. [4] P. Prasithsangaree and P. Krishnamurthy, "Analysis of Energy Consumption of RC4 and AES Algorithms in Wireless LANs," University of Pittsburgh. [5] Subhamoy Maitra, Goutam Paul and Tanmoy Talukdar Riddhipratim Basu, On Some Sequences of the Secret Pseudo-random Index j in RC4 Key Scheduling.: Springer, 2009. [6] Pinar Kavak, Huseyin Demirci Mete Akgun, New Results on the Key Scheduling Algorithm of RC4.: Springer, 2008. [7] Itsik Mantin and Adi Shamir, "A Practical Attack on Broadcast RC4," 2001. [8] Itsik Mantin and Adi Shamir Scott R. Fluhrer, "Weaknesses in the Key Scheduling Algorithm of RC4," 2001. [9] A. Klein, "Attacks on the RC4 stream cipher," 2008. [10] Souradyuti Paul and Bart Preneel, "A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher," 2001. [11] Bruce Schneier. (2005) schneier.com. [Online]. http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [12] NIST. (2005, April) NIST. [Online]. http://csrc.nist.gov/groups/ST/hash/policy.html [13] Bruce Schneier, and Tadayoshi Kohno Niels Ferguson, Cryptography Engineering.: John Wiley & Sons, 2010. [14] E.A.Grechnikov, "Collisions for 72-step and 73-step SHA-1: Improvements in the Method of Characteristics," 2010. [15] Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography. USA: Chapman & Hall/CRC, 2007. [16] debugmode. (2004) debugmode. [Online]. http://debugmo.de/2008/03/thank-you-datel/ [17] Alexander Sotirov. (2008) WIN.TUE. [Online]. http://www.win.tue.nl/hashclash/rogue-ca/

[18] (2008) Computer and Network Security/ Lectures and Handouts. [Online]. http://courses.csail.mit.edu/6.857/2008/lecture.html [19] Andrew Roos. (1995) A Class of Weak Keys in the RC4 Stream Cipher. [Online]. http://groups.google.com/group/sci.crypt.research/msg/078aa9249d76eacc?dmode=source [20] Goutam Paul and Subhamoy Maitra, Permutation after RC4 Key Scheduling Reveals the Secret Key.: SAC, 2007. [21] Eli Biham and Yaniv Carmeli, Efficient Reconstruction of RC4 Keys from Internal States.: Springer, 2008. [22] Subhamoy Maitra and Goutam Paul, New Form of Permutation Bias and Secret Key Leakage in Keystream Bytes of RC4.: Springer, 2008.

APPENDIX
Form1.cs
using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Drawing; using System.Linq; using System.Text; using System.Windows.Forms; using System.IO; using System.Security.Cryptography;

namespace ENCDEC {

public partial class Form1 : Form { public static String imeFajla = ""; public static String folderFajla = "";

public Form1() { InitializeComponent(); }

private void btn_browse_Click(object sender, EventArgs e) { OpenFileDialog open = new OpenFileDialog(); open.Filter = "Text file (*.txt)|*.txt"; if (open.ShowDialog() == DialogResult.OK) { tb_putanja.Text = System.IO.Path.GetFullPath(open.FileName); imeFajla = System.IO.Path.GetFileNameWithoutExtension(open.FileName); folderFajla = System.IO.Path.GetDirectoryName(open.FileName); } }

private void btn_EncSHA1_Click(object sender, EventArgs e) { string s = System.IO.File.ReadAllText(tb_putanja.Text); TextWriter pisac = new StreamWriter(folderFajla+"\\"+imeFajla+"-SHA1.txt"); pisac.Write(EncryptToSHA1(s)); pisac.Close(); }

private String EncryptToSHA1(string input)

{ string output = ""; try {

System.Security.Cryptography.SHA1 hash = System.Security.Cryptography.SHA1.Create(); System.Text.ASCIIEncoding encoder = new System.Text.ASCIIEncoding(); byte[] combined = encoder.GetBytes(input); hash.ComputeHash(combined); output = Convert.ToBase64String(hash.Hash); } catch (Exception ex) { MessageBox.Show ("Dolo je do greke u enkripciji fajla:"+ex.Message); } return output;

public string EncryptToMD5(string tekst) { Byte[] output=null; try

Byte[] input; MD5 enc;

enc = new MD5CryptoServiceProvider(); input = ASCIIEncoding.Default.GetBytes(tekst); output = enc.ComputeHash(input); } catch (Exception ex) { MessageBox.Show ("Dolo je do greke u enkripciji fajla:"+ex.Message); }

return BitConverter.ToString(output); }

private void button1_Click(object sender, EventArgs e) { string s = System.IO.File.ReadAllText(tb_putanja.Text); TextWriter pisac = new StreamWriter(folderFajla + "\\" + imeFajla + "-MD5.txt"); pisac.Write(EncryptToMD5(s)); pisac.Close(); }

private void btn_add_Click(object sender, EventArgs e) {

if (verifyUser(tb_logUsername.Text, tb_logPassword.Text)) { if (tb_username.Text.Length==0) MessageBox.Show("Empty username field!"); else if (tb_password.Text.Length==0) MessageBox.Show("Empty password field!"); else { StreamWriter w = File.AppendText("Database.txt"); w.WriteLine(EncryptToSHA1(tb_username.Text)); w.WriteLine(EncryptToMD5(tb_password.Text)); w.Close(); MessageBox.Show("User successfully added!"); }

} else MessageBox.Show("Invalid username/password!");

} private bool verifyUser(string user, string pass)

{ bool check = false;

String line; String[] usernames = new String[50]; String[] passwords = new String[50]; int counter = 1; int cnt1 = 0; int cnt2 = 0; System.IO.StreamReader file = new System.IO.StreamReader("Database.txt"); while ((line = file.ReadLine()) != null) { if ((counter % 2).ToString().CompareTo("0")==0) { passwords[cnt1] = line; cnt1++; } else { usernames[cnt2] = line; cnt2++; } counter++;

for (int i = 0; usernames[i] != null; i++) { //MessageBox.Show(passwords[i]); if (EncryptToSHA1(user).CompareTo(usernames[i])==0 && EncryptToMD5(pass).CompareTo(passwords[i])==0) check = true; } file.Close(); return check; }

} }

Form1.Design.cs

namespace ENCDEC { partial class Form1 { /// <summary> /// Required designer variable.

/// </summary> private System.ComponentModel.IContainer components = null;

/// <summary> /// Clean up any resources being used. /// </summary> /// <param name="disposing">true if managed resources should be disposed; otherwise, false.</param> protected override void Dispose(bool disposing) { if (disposing && (components != null)) { components.Dispose(); } base.Dispose(disposing); }

#region Windows Form Designer generated code

/// <summary> /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// </summary> private void InitializeComponent() { this.tb_putanja = new System.Windows.Forms.TextBox();

this.btn_browse = new System.Windows.Forms.Button(); this.btn_EncSHA1 = new System.Windows.Forms.Button(); this.button1 = new System.Windows.Forms.Button(); this.groupBox1 = new System.Windows.Forms.GroupBox(); this.gb_addUser = new System.Windows.Forms.GroupBox(); this.btn_add = new System.Windows.Forms.Button(); this.label2 = new System.Windows.Forms.Label(); this.tb_password = new System.Windows.Forms.TextBox(); this.label1 = new System.Windows.Forms.Label(); this.tb_username = new System.Windows.Forms.TextBox(); this.label7 = new System.Windows.Forms.Label(); this.label8 = new System.Windows.Forms.Label(); this.tb_logUsername = new System.Windows.Forms.TextBox(); this.tb_logPassword = new System.Windows.Forms.TextBox(); this.groupBox1.SuspendLayout(); this.gb_addUser.SuspendLayout(); this.SuspendLayout(); // // tb_putanja // this.tb_putanja.Location = new System.Drawing.Point(6, 19); this.tb_putanja.Name = "tb_putanja"; this.tb_putanja.Size = new System.Drawing.Size(281, 20); this.tb_putanja.TabIndex = 0; // // btn_browse

// this.btn_browse.Location = new System.Drawing.Point(293, 18); this.btn_browse.Name = "btn_browse"; this.btn_browse.Size = new System.Drawing.Size(99, 23); this.btn_browse.TabIndex = 1; this.btn_browse.Text = "Browse"; this.btn_browse.UseVisualStyleBackColor = true; this.btn_browse.Click += new System.EventHandler(this.btn_browse_Click); // // btn_EncSHA1 // this.btn_EncSHA1.Location = new System.Drawing.Point(6, 46); this.btn_EncSHA1.Name = "btn_EncSHA1"; this.btn_EncSHA1.Size = new System.Drawing.Size(190, 23); this.btn_EncSHA1.TabIndex = 2; this.btn_EncSHA1.Text = "Encrypt using SHA1"; this.btn_EncSHA1.UseVisualStyleBackColor = true; this.btn_EncSHA1.Click += new System.EventHandler(this.btn_EncSHA1_Click); // // button1 // this.button1.Location = new System.Drawing.Point(202, 46);

this.button1.Name = "button1"; this.button1.Size = new System.Drawing.Size(190, 23); this.button1.TabIndex = 3; this.button1.Text = "Encrypt using MD5"; this.button1.UseVisualStyleBackColor = true; this.button1.Click += new System.EventHandler(this.button1_Click); // // groupBox1 // this.groupBox1.Controls.Add(this.tb_putanja); this.groupBox1.Controls.Add(this.button1); this.groupBox1.Controls.Add(this.btn_browse); this.groupBox1.Controls.Add(this.btn_EncSHA1); this.groupBox1.Location = new System.Drawing.Point(12, 12); this.groupBox1.Name = "groupBox1"; this.groupBox1.Size = new System.Drawing.Size(400, 86); this.groupBox1.TabIndex = 4; this.groupBox1.TabStop = false; this.groupBox1.Text = "Text file encryption"; // // gb_addUser // this.gb_addUser.Controls.Add(this.btn_add); this.gb_addUser.Controls.Add(this.label2); this.gb_addUser.Controls.Add(this.tb_password);

this.gb_addUser.Controls.Add(this.label1); this.gb_addUser.Controls.Add(this.tb_username); this.gb_addUser.Location = new System.Drawing.Point(13, 147); this.gb_addUser.Name = "gb_addUser"; this.gb_addUser.Size = new System.Drawing.Size(399, 75); this.gb_addUser.TabIndex = 6; this.gb_addUser.TabStop = false; this.gb_addUser.Text = "Add User"; // // btn_add // this.btn_add.ImageAlign = System.Drawing.ContentAlignment.MiddleLeft; this.btn_add.Location = new System.Drawing.Point(222, 17); this.btn_add.Name = "btn_add"; this.btn_add.Size = new System.Drawing.Size(169, 46); this.btn_add.TabIndex = 4; this.btn_add.Text = "Add"; this.btn_add.UseVisualStyleBackColor = true; this.btn_add.Click += new System.EventHandler(this.btn_add_Click); // // label2 // this.label2.AutoSize = true;

this.label2.Location = new System.Drawing.Point(7, 46); this.label2.Name = "label2"; this.label2.Size = new System.Drawing.Size(56, 13); this.label2.TabIndex = 3; this.label2.Text = "Password:"; // // tb_password // this.tb_password.Location = new System.Drawing.Point(71, 43); this.tb_password.Name = "tb_password"; this.tb_password.Size = new System.Drawing.Size(145, 20); this.tb_password.TabIndex = 2; // // label1 // this.label1.AutoSize = true; this.label1.Location = new System.Drawing.Point(7, 20); this.label1.Name = "label1"; this.label1.Size = new System.Drawing.Size(58, 13); this.label1.TabIndex = 1; this.label1.Text = "Username:"; // // tb_username //

this.tb_username.Location = new System.Drawing.Point(71, 17); this.tb_username.Name = "tb_username"; this.tb_username.Size = new System.Drawing.Size(145, 20); this.tb_username.TabIndex = 0; // // label7 // this.label7.AutoSize = true; this.label7.Location = new System.Drawing.Point(211, 112); this.label7.Name = "label7"; this.label7.Size = new System.Drawing.Size(56, 13); this.label7.TabIndex = 8; this.label7.Text = "Password:"; // // label8 // this.label8.AutoSize = true; this.label8.Location = new System.Drawing.Point(23, 112); this.label8.Name = "label8"; this.label8.Size = new System.Drawing.Size(58, 13); this.label8.TabIndex = 6; this.label8.Text = "Username:"; // // tb_logUsername //

this.tb_logUsername.Location = new System.Drawing.Point(87, 109); this.tb_logUsername.Name = "tb_logUsername"; this.tb_logUsername.Size = new System.Drawing.Size(111, 20); this.tb_logUsername.TabIndex = 5; // // tb_logPassword // this.tb_logPassword.Location = new System.Drawing.Point(273, 109); this.tb_logPassword.Name = "tb_logPassword"; this.tb_logPassword.Size = new System.Drawing.Size(111, 20); this.tb_logPassword.TabIndex = 9; // // Form1 // this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 13F); this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font; this.ClientSize = new System.Drawing.Size(425, 237); this.Controls.Add(this.tb_logPassword); this.Controls.Add(this.label7); this.Controls.Add(this.label8);

this.Controls.Add(this.tb_logUsername); this.Controls.Add(this.gb_addUser); this.Controls.Add(this.groupBox1); this.Name = "Form1"; this.Text = "Form1"; this.groupBox1.ResumeLayout(false); this.groupBox1.PerformLayout(); this.gb_addUser.ResumeLayout(false); this.gb_addUser.PerformLayout(); this.ResumeLayout(false); this.PerformLayout();

#endregion

private System.Windows.Forms.TextBox tb_putanja; private System.Windows.Forms.Button btn_browse; private System.Windows.Forms.Button btn_EncSHA1; private System.Windows.Forms.Button button1; private System.Windows.Forms.GroupBox groupBox1; private System.Windows.Forms.GroupBox gb_addUser; private System.Windows.Forms.Label label1; private System.Windows.Forms.TextBox tb_username; private System.Windows.Forms.Label label2; private System.Windows.Forms.TextBox tb_password;

private System.Windows.Forms.Button btn_add; private System.Windows.Forms.Label label7; private System.Windows.Forms.Label label8; private System.Windows.Forms.TextBox tb_logUsername; private System.Windows.Forms.TextBox tb_logPassword; } }

Program.cs

using System; using System.Collections.Generic; using System.Linq; using System.Windows.Forms;

namespace ENCDEC { static class Program { /// <summary> /// The main entry point for the application. /// </summary> [STAThread] static void Main()

{ Application.EnableVisualStyles(); Application.SetCompatibleTextRenderingDefault(false); Application.Run(new Form1()); } } }