On Mon, May 19, 2008 at 11:47:07AM +0200, Bodo Moeller wrote:
> You are being a few orders of magnitude too optimistic here, though
> ... ;-)  A zettabyte would be 2^78 bits (less if you use the standard
> decimal version of "zetta"), but SHA-1 will only handle inputs up to
> 2^64 -1 bits.

That's true only because the size of the message in bits is appended to
the end of the message to prevent the obvious extension attacks.

(For people who are clueless about how SHA-1 is implemented, the
message is padded out with a 1 followed by enough 0 bits so the
message is congruent to 448 mod 512 bits, and then a 64-bit message
size count, in big-endian format is appended to the message, and the
message is processed in 16 byte --- 512 bit --- chunks.  Yes that
means that if the message is an exact multiple of 16 bytes, and you
know the size of the message, the last 16 bytes which is run through
the compression algorithm is known to the adversary; it will be a 1,
followed by 447 zero bits, followed by the message size as a 64-bit
big endian integer.  Whoop!  Whoop!  Danger Will Robinson!  Time to
run in circles and scream about something you know nothing about!!!
"It must be a NSA conspiracy!")

Seriously, it would be easy to change the padding scheme to accommodate
bigger messages, and in fact for a PRNG you don't need to worry about
extension attacks, since what you are really depending upon is the
crypto hash function's compression function.  With Linux's
/dev/random, we dispense with message padding completely, since it's
not necessary given how we are using the hash's compression function.

So it wouldn't be SHA-1, but with some very minor modifications to
accommodate a bigger message size count, you could run a zettabyte of
known data, followed by 256 bits of known data, and the adversary
would still be screwed.  (And if they aren't, it's time to replace
SHA-1....)

                                                        - Ted
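The padding rule Ted describes above, worked through in code (an added example, not part of the original thread or of OpenSSL): `sha1_pad` implements the 1-bit, zero-fill-to-448-mod-512, 64-bit big-endian length scheme, a small reference SHA-1 built on it is checked against `hashlib`, and `final_block` shows that for a message that is an exact multiple of the block size the last block fed to the compression function is entirely determined by the message length. Function names are my own.

```python
import hashlib
import struct

BLOCK = 64  # SHA-1 compresses 512-bit (64-byte) blocks


def sha1_pad(msg: bytes) -> bytes:
    """Merkle-Damgard padding as used by SHA-1: a single 1 bit (0x80), zero bits
    until the length is congruent to 448 mod 512, then the original length in
    bits as a 64-bit big-endian integer (hence the 2^64 - 1 bit input limit)."""
    bit_len = len(msg) * 8
    if bit_len >= 1 << 64:
        raise ValueError("SHA-1 length field cannot encode >= 2^64 bits")
    zeros = (55 - len(msg)) % 64          # bytes of 0x00 after the 0x80 byte
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", bit_len)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1(msg: bytes) -> bytes:
    """Reference SHA-1 (FIPS 180-4) driven by sha1_pad(); not for production use."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = sha1_pad(msg)
    for off in range(0, len(data), BLOCK):
        w = list(struct.unpack(">16I", data[off:off + BLOCK]))
        for i in range(16, 80):  # message schedule expansion
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[i]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check the reference implementation against the standard library."""
    return sha1(msg) == hashlib.sha1(msg).digest()


def final_block(msg: bytes) -> bytes:
    """The last 64-byte block that reaches the compression function."""
    return sha1_pad(msg)[-BLOCK:]
```

For a 64-byte message, `final_block` returns 0x80, 55 zero bytes, and the 8-byte length 512, exactly the block Ted says an adversary who knows the message length can predict.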
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org