ANSI INCITS ISO IEC 10118-1-2000 Information technology - Security techniques Hash-functions Part 1 General.pdf

1、Reference numberISO/IEC 10118-1:2000(E)ISO/IEC 2000INTERNATIONALSTANDARDISO/IEC10118-1Second edition2000-06-15Information technology Securitytechniques Hash-functions Part 1:GeneralTechnologies de linformation Techniques de scurit Fonctionsde brouillage Partie 1: GnralitsAdopted by INCITS (InterNati

2、onal Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 11/15/00Published by American National Standards Institute,25 West 43rd Street, New York, New York 10036Copyright 2002 by Information Technology Industry Council (ITI).All rights reserved.The

3、se materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council(ITI). Not for resale. No part of this publication may be reprodu

4、ced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washington, DC 20005.Printed in the United States of AmericaISO/IEC 10118-1:2000(E)PDF disclaimerThis PDF fil

5、e may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall notbe edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading thisfile, parties accept therein the re

6、sponsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in thisarea.Adobe is a trademark of Adobe Systems Incorporated.Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creatio

7、n parameterswere optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely eventthat a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO 2000All rights reserved. Unless othe

8、rwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronicor mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member bodyin the country of the requester.ISO copyright o

9、fficeCase postale 56 Gb7 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 734 10 79E-mail copyrightiso.chWeb www.iso.chPrinted in Switzerlandii ISO/IEC 2000 All rights reservedISO/IEC 10118-1:2000(E) ISO/IEC 2000 All rights reserved iiiForewordISO (the International Organization for Standardizatio

10、n) and IEC (the International Electrotechnical Commission)form the specialized system for worldwide standardization. National bodies that are members of ISO or IECparticipate in the development of International Standards through technical committees established by therespective organization to deal

11、with particular fields of technical activity. ISO and IEC technical committeescollaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, inliaison with ISO and IEC, also take part in the work.International Standards are drafted in accordance with

12、the rules given in the ISO/IEC Directives, Part 3.In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.Publication as an Inte

13、rnational Standard requires approval by at least 75 % of the national bodies casting a vote.Attention is drawn to the possibility that some of the elements of this part of ISO/IEC 10118 may be the subject ofpatent rights. ISO and IEC shall not be held responsible for identifying any or all such pate

14、nt rights.International Standard ISO/IEC 10118-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informationtechnology, Subcommittee SC 27, IT Security techniques.This second edition cancels and replaces the first edition (ISO/IEC 10118-1:1994), which has been technicallyrevised to add a ge

15、neral model for hash-functions. Note, however, that implementations which comply withISO/IEC 10118-1:1994 will be compliant with this edition of ISO/IEC 10118-1.ISO/IEC 10118 consists of the following parts, under the general title Information technology Securitytechniques Hash-functions:Gbe Part 1:

16、 GeneralGbe Part 2: Hash-functions using an n-bit block cipher algorithmGbe Part 3: Dedicated hash-functionsGbe Part 4: Hash-functions using modular arithmeticAnnex A forms a normative part of this part of ISO/IEC 10118.INTERNATIONAL STANDARD ISO/IEC 10118-1:2000(E) ISO/IEC 2000 All rights reserved

17、1Information technology Security techniques Hash-functions Part 1:General1 ScopeISO/IEC 10118 specifies hash-functions and is therefore applicable to the provision of authentication, integrity andnon-repudiation services. Hash-functions map arbitrary strings of bits to a fixed-length strings of bits

18、, using aspecified algorithm. They can be used for- reducing a message to a short imprint for input to a digital signature mechanism, and- committing the user to a given string of bits without revealing this string.NOTE - The hash-functions specified in this part of ISO/IEC 10118 do not involve the

19、use of secret keys. However,these hash-functions may be used, in conjunction with secret keys, to build message authentication codes.Message Authentication Codes (MACs) provide data origin authentication as well as message integrity. For thecalculation of a MAC the user is referred to ISO/IEC 9797.T

20、his part of ISO/IEC 10118 contains definitions, symbols, abbreviations and requirements, that are common to allthe other parts of ISO/IEC 10118.2 Normative referencesISO/IEC 9797 (all parts), Information technology Security techniques Message Authentication Codes (MACs).3 Terms and definitionsFor th

21、e purposes of this part of ISO/IEC 10118, the following terms and definitions apply.3.1big-endiana method of storage of multi-byte numbers with the most significant bytes at the lowest memory addresses3.2collision-resistant hash-functiona hash-function satisfying the following property: it is comput

22、ationally infeasible to find any two distinct inputs whichmap to the same outputNOTE computational feasibility depends on the specific security requirements and environment.3.3data string (data)a string of bits which is the input to a hash-functionThe following normative documents contain provisions

23、 which, through reference in this text, constitute provisions ofthis part of ISO/IEC 10118. For dated references, subsequent amendments to, or revisions of, any of thesepublications do not apply. However, parties to agreements based on this part of ISO/IEC 10118 are encouraged toinvestigate the poss

24、ibility of applying the most recent editions of the normative documents indicated below. Forundated references, the latest edition of the normative document referred to applies. Members of ISO and IECmaintain registers of currently valid International Standards.ISO/IEC 10118-1:2000(E)2 ISO/IEC 2000

25、All rights reserved3.4hash-codethe string of bits which is the output of a hash-functionNOTE The literature on this subject contains a variety of terms that have the same or similar meaning as hash-code.Modification Detection Code, Manipulation Detection Code, digest, hash-result, hash-value and imp

26、rint are some examples.3.5hash-functiona function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties:- it is computationally infeasible to find for a given output, an input which maps to this output;- it is computationally infeasible to find for a giv

27、en input, a second input which maps to the same outputNOTE Computational feasibility depends on the specific security requirements and environment.3.6hash-function identifiera byte identifying a specific hash-function3.7initializing valuea value used in defining the starting point of a hash-function

28、3.8output transformationa transformation or mapping of the output of the iteration stage to obtain the hash-code3.9paddingappending extra bits to a data string3.10round-functiona function f (.,.) that transforms two binary strings of lengths L1and L2to a binary string of length L2- it is usediterati

29、vely as part of a hash-function, where it combines a data string of length L1with the previous output of lengthL24 Symbols (and abbreviated terms)4.1 General SymbolsThroughout ISO/IEC 10118, the following symbols and abbreviations are used:Bi- A byteD - DataDi- A block derived from the data-string a

30、fter the padding processh - Hash-functionH - Hash-codeHi- A string of L2bits which is used in the hashing operation to store an intermediate resultIV - Initializing valueL1- The length (in bits) of the first of the two input strings to the round-function fISO/IEC 10118-1:2000(E) ISO/IEC 2000 All rig

31、hts reserved 3L2- The length (in bits) of the second of the two input strings to the round-function f, the output string from theround-function f, and of the IV.Lx- Length (in bits) of a string of bits Xf - round-function (phi)T An output transformation function which may be a truncation or some oth

32、er mappingXIIY - Concatenation of strings of bits X and Y in the indicated orderXY - Exclusiveor of strings of bits X and Y (where LX= LY)4.2 Symbols specific to this partFor the purpose of this part of ISO/IEC 10118, the following symbols and notations apply :q - The number of blocks in the data st

33、ring after the padding and splitting process4.3 Coding conventionsIn contexts where the terms “most significant bit/byte” and “least significant bit/byte” have a meaning, (e.g., wherestrings of bits/bytes are treated as numerical values) then the leftmost bits/bytes of a block shall be the mostsigni

34、ficant.5 RequirementsThe use of a hash-function requires that the parties involved shall operate upon precisely the same bit-string, eventhough the representation of the data may be different in each entitys environment. This may require one or moreof the entities to convert the data into an agreed

35、bit-string representation prior to applying a hash-function.Some of the hash-functions specified in ISO/IEC 10118 require padding, so that the data string is of the requiredlength. Several padding methods are presented in Annex A of this part of ISO/IEC 10118; additional paddingmethods may be specif

36、ied in each part of ISO/IEC 10118 where padding is needed.6 General Model for hash-functionsThe hash functions specified in this standard require the use of a round function f. In subsequent parts of ISO/IEC10118, several alternatives for the function f are specified.The hash functions which are spe

37、cified in subsequent parts of ISO/IEC 10118, provide hash codes of length LH,where LHis less than or equal to the value of L2for the round function f being used.6.1 Hashing OperationLet f be a round function and IV be an initializing value of length L2. For the hash functions specified in subsequent

38、parts of ISO/IEC 10118, the value of the IV shall be fixed for a given round function f. The hash code H of the dataD shall be calculated in four steps.6.1.1 Step 1 (padding)The data string D is padded in order to ensure that its length is an integer multiple of L1. See Annex A for moreinformation.N

39、OTE : Sometimes it is more efficient to have the splitting occur before the padding. The padding is then done on the last block,where Li L2.ISO/IEC 10118-1:2000(E)4 ISO/IEC 2000 All rights reserved6.1.2 Step 2 (splitting)The padded version of the data string D is split into L1bit blocks D1, D2, . .

40、. , Dq, where D1represents the first L1bits of the padded version of D, D2represents the next L1bits, and so on. The padding and splitting processes areillustrated in Figure 1.Figure 1 The padding and splitting processes6.1.3 Step 3 (iteration)Let D1, D2, . . . Dqbe the L1-bit blocks of the data aft

41、er padding and splitting. Let H0be a bit-string equal to IV. TheL2-bit strings H1, H2, . . . , Hqare calculated iteratively in the following way.for i from 1 to q:Hi= f (Di, Hi -1) ;The iteration process is illustrated in Figure 2.Figure 2 The iteration process6.1.4 Step 4 (output transformation)The

42、 hash code H is derived by performing a transformation T on Hq, the output of step 3, to obtain the LHbits of thefinal hash-code. For example, the transformation T may be a truncation operation.DqD1D2data-string D to be hashedLDpadding addedpaddingsplittingL1HiRound-function fDiHi -1ISO/IEC 10118-1:

43、2000(E) ISO/IEC 2000 All rights reserved 56.2 Use of the general modelIn subsequent parts of ISO/IEC 10118, examples of hash-functions based on the general model are specified.Specification of an individual hash-function will in each case require the following to be defined: parameters L1, L2; the p

44、adding method; the initializing value IV; the round function f; the output transformation T.Practical use of a hash-function defined using the general model will also require the choice of the parameter LH.ISO/IEC 10118-1:2000(E)6 ISO/IEC 2000 All rights reservedAnnex A(normative)Padding MethodsThe

45、calculation of a hash-code, as specified in other parts of ISO/IEC 10118, may require the selection of apadding method. The padding method will always output a padded data string whose length (in bits) is an exactinteger multiple of L1. Three methods are presented in this annex.NOTE - Hash-functions

46、 using Padding Method 1 may be subject to trivial forgery attacks, where an adversary canadd or delete a number of trailing 0 bits of the data string without changing the hash-code. This means thatPadding Method 1 shall only be used in environments where the length of the data string D is known to t

47、he partiesbeforehand, or where data strings with a different number of trailing 0 bits have the same semantics. Theoreticalresults (see, for example, 1) also indicate that, in environments not satisfying the above condition, PaddingMethod 3 may offer certain advantages over Padding Method 2.The padd

48、ing bits (if any) need not be stored or transmitted with the data. The verifier shall know whether or not thepadding bits have been stored or transmitted, and which padding method is in use.A.1 Method 1The data for which the hash-code is to be calculated are appended with as few (possibly no) 0 bits

49、 as arenecessary to obtain the required length.A.2 Method 2The data for which the hash-code is to be calculated are appended with a single 1 bit. The resulting data are thenappended with as few (possibly none) 0 bits as are necessary to obtain the required length.Note Method 2 always requires the addition of at least one padding bit.A.3 Method 3This padding method requires the selection of a parameter r (where r L1), e.g. r = 64, and a method for encodingthe bit length of the data D, i.e. LD, a