Data encryptionFirst SynopsisIn the open correspondence and in the computer system, builds the safe reliable electronic commerce platform is very important. Usually needs through the encryption method to the customer related information, like the password, the contract and so on to protect, causes it not to steal or the distortion. When the customer hands in the service application, must to the customer status validity, the text integrity carry on the confirmation.HMAC (Keyed-Hashing for Message Authentication) is a public agreement. It is one kind based on keys text complete proof technique, its security is the establishment in the Hash algorithm foundation. It requests the correspondence both sides shared system key, the agreement algorithm, to carry on the Hash operation to the text, like MD5, SHA, RIPEMD and so on, form the fixed length the authentication code. Correspondence both sides determine the text through the authentication codes verification the validity. This agreement may use for to make the encryption, the digital signature, the text confirmation and so on. HMAC may with any iteration hashing function bundle use. MD5 and SHA-1 are this kind of hashing functions.This kind of structures leading role is:1. Does not need the revision to be possible to use the suitable hashing function. Moreover the hashing function displays in the software aspect is very good. And the sound code is public and general. 2. Maintain the hashing function original performance, but does not cause its degeneration. 3. Cause reasonably based on about first floor hashing function supposition message discrimination mechanism encryption strength analysis. 4. When discovers either needs the operating speed is quicker or the safer hashing function, may very easy realize the first floor hashing function replace.Annotation: When comp book documents, MD5 and SHA-1 are use the most widespread encryption to use the hashing function.Second HMAC algorithm principles2.1 HMAC algorithm definition:Expresses as follows with the formula:HMAC=H(key or opad ,H(key or ipad,text)H(X, Y) expression carries on one kind of Hash operation to X + Y news.Representative Ipad is redundant B time single byte hexadecimal system system constant OX36;Representative Opad is redundant B time single byte hexadecimal system constant OX5C; key represents 64 bytes strings of character, is composed of the key, insufficient makes up 0; Text represents the random length text;Key length L byte. When is bigger than B, passes through the Hash computation to form L byte Peru key (B is first in the Hash algorithm an iterative computation block data byte count; L is the Hash algorithm forms the text abstract the byte count, in MD5 is in 16, SHA-1 is 20).2.2 Algorithm step(1) Increases behind key K 0 founds a word length is the B string of character. (e.g., if the K word length is 20 bytes, B=60 byte, then after K, will join 44 zero byte 0x00), if the K length will be bigger than time B, should undergo hashing function processing.if (key_len > 64) MD5_CTX tctx; MD5Init(&tctx); MD5Update(&tctx, key, key_len); MD5Final(tk, &tctx); key = tk; key_len = 16;(2) On one step will produce the B word lengths string of character and ipad make the "or else". k_ipadi = 0x36;(3) Fills data stream text to the second step result string of character.(4) Affects with H in the data stream which third step produces. transfer hashing function (MD5, SHA-1)(5) The B word length string of character which and opad first step produces does the "or else". k_opadi = 0x5c;(6) Enters again the fourth step result packing in the fifth step result.(7) Affects with H in the data stream which sixth step produces, the output final outcome.2.3 MD5 algorithmThe MD5 algorithm by circulates many times to the random length news the iterative hash operation, forms 16 Byte text abstract finally. This abstract has uniqueness to the text, may take the authentication code. Under target computers computation speed, this abstract is difficulty with explains(1) the text fillsThe MD5 algorithm request carries on the packing to the random length text, the constitution N64 Byte news grouping, N is an integer. And each grouping padding data is divided 2 steps. First, the packing causes the data position length exactly for (N64-8) the Byte number, namely in text valid data replacement 1 0x1, other makes up 0x0 to satisfy the above request. Then, again on replacement 8 bytes (64) before text data length (packing, byte count). Thus, the data by the packing is 64Byte (512bit) integral multiple. Also divides 16 4 byte sub-groupings.(2) initialization MD5 parameter The 4 4 byte shift quantity (A, B, C, D) use for to take the text abstract the starting value: A=0x01234567 B=0x89abcdef C=0xfedcba98 D=0x76543210(3) algorithm The MD5 algorithm is to the news grouping in turn iterative algorithm. 1st time operates the starting value is ABCD, each iterative computations result will replace later ABCD to take the next time starting value, altogether will undergo N time iterative computation, will obtain this news text abstract.2.4 realize the stepThe first step: Increases fillsIncreases padding to cause the data length (bit is unit) the mold 512 is 448. If the data length happen to is the mold 512 is 448, increases 512 to fill bit, i.e. fills the integer is 1-512. First bit is 1, other are 0 completely.The second step: Makes up lengthThe data length transformation is the 64bit value, if the length surpasses the data length scope which 64bit can express, the value retains finally 64bit, increases behind data which fills to front, causes the final data is the 512bit integral multiple. Is also the 32bit 16 time of integral multiples. In RFC1321, 32bit is called word.The third step: Initialization variable With to 4 variables, respectively is A, B, C, D, is 32bit is long. The initialization is: A: 01 23 45 67 B: 89 ab cd ef C: fe dc ba 98 D: 76 54 32 10The fourth step: Data processing First defines 4 auxiliary functions: F(X, Y, Z) G(X, Y, Z) H(X, Y, Z) I(X, Y, Z) In which: X&Y expresses according to the position and, X | Y expressed that according to the position or, not(X) expressed takes according to the position instead. xor expresses according to the position different or. in the function X, Y, Z are 32bit. defines the array which needs to use: The T(i), i value 1-64, T(i) was equal to that abs(sin(i) 4294967296 time of integral part, i is a radian.After the supposition first three step processing data length is 32*16*NbitThe fifth step: Output: Obtains finally ABCD is the output result, altogether 128bit. A is the low position, D is a top digit.Third KeyUse in HMAC the key being possible to be the random length (key which will be longer than B first by the H processing). But when the key length is smaller than the L situation is disappointing, because like this will reduce the function the working strength. The length is bigger than L the key is acceptable, but the extra length cannot remarkable enhance the function the working strength. (if a stochastic key were considered that is unreliable, then chooses a long key is unwise). The key must select (or use stochastically formidable based on stochastic seeds pseudo-random production method), and wants the periodic renewal. (the present attack has not pointed out an effective replacement keys frequency, because these attacks are not in fact feasible. However, the periodic renewal key is one latent defect basic security measure which copes with the function and the key exists, and may reduce divulges the harm which the key brings. )Forth matters needing attentionHMAC is may not revise the sound code according to the first floor hashing function to be possible to use this way to define. Especially it when uses the H function must rely on the pre-definition initialization value IV (a definite value, by each iteration hashing function when initialization its compression function assigns). However, if you want, may revise the H function the sound code to support invariable initialization value Ivs.This idea is this: The compression function the intermediate result which (K XOR opad) and (K XOR ipad) produces in the B word length block data may when the key just produced in advance calculates well. Saves first these intermediate results, then when each time has the news needs to confirm produces the H function the initialization value IV. This method must distinguish the news which has preserved the H compression function regarding two B word length block data (K XOR opad) and (K XOR ipad) the application for each. When distinguishes the short data stream, preserves such information is important. What we must stress: Treats these intermediate results to treat the key to be the same likely, and wants same to carry on the security.The above choice realizes the result which the HMAC method is local carries out, to internal operational has not affectedFifth safeHere will explain that the message discrimination mechanism the security is decided by the hashing function encryption characteristic which uses: 1. Anti-conflict attack capability (is restricted in initialization value is only stochastic, and secret, and function output to aggressor is not available situation) 2. Treats as uses when the single block data the H compression function the message discrimination attribute (in HMAC these block data is part unknown, when aggressor self-restraint interior H functional calculus result, and aggressor cannot full choice)In HMAC uses above the hashing function has or a stronger attribute generally. In fact, if a hashing function does not have above attribute that it not to be suitable regarding the majority encryption application procedure, including based on this function choice message discrimination plan. (see also BCK1 to HMAC function principle detailed elaboration and complete analysis), so long as obtains about the candidate hashing function encryption intensity limited trust, then observes it to use in the message discrimination the security and the following HMAC structure two kind of attributes is very important.1. This kind of structure is the independence in the hashing function which concrete uses, and the latter is may encrypt the hashing function substitution by any other securities2. The message discrimination was opposite in the encryption is one kind “the instant” the influence. Public can cause this plan to one kind of message discrimination plans destruction to replace, but it to has distinguished the information is actually helpless. This forms the sharp contrast with the encryption. If its encryption algorithm is explained. Today encrypts the data, can receive in the future the threat which explains,To the HMAC known most powerful attack is based on the hashing function conflict frequency. (“birthday attack law” PV, BCK2, but is not suitable completely for the smallest rational hashing function.數(shù) 據(jù) 加 密一 簡介 在開放的通信和計(jì)算機(jī)系統(tǒng)中，建立安全可靠的電子商務(wù)平臺(tái)是十分重要的。通常需要通過加密的方法對(duì)客戶的有關(guān)信息，如密碼、合同等加以保護(hù)，使之不被盜取或篡改。當(dāng)客戶提出服務(wù)申請時(shí)，必須對(duì)客戶身份的合法性、報(bào)文的完整性進(jìn)行確認(rèn)。HMAC（Keyed-Hashing for Message Authentication）是一個(gè)公開的協(xié)議。它是一種基于密鑰的報(bào)文完整性的驗(yàn)證方法，其安全性是建立在Hash算法基礎(chǔ)上的。它要求通信雙方共享密鑰、約定算法、對(duì)報(bào)文進(jìn)行Hash運(yùn)算，如MD5、SHA、RIPEMD等，形成固定長度的認(rèn)證碼。通信雙方通過認(rèn)證碼的校驗(yàn)來確定報(bào)文的合法性。這個(gè)協(xié)議可以用來作加密、數(shù)字簽名、報(bào)文驗(yàn)證等。HMAC可以與任何迭代散列函數(shù)捆綁使用。MD5和SHA1就是這種散列函數(shù)。這種結(jié)構(gòu)的主要作用是：1. 不用修改就可以使用適合的散列函數(shù)。而且散列函數(shù)在軟件方面表現(xiàn)的很好。且源碼是公開和通用的。2. 可以保持散列函數(shù)原有的性能而不致使其退化。3. 可以使得基于合理的關(guān)于底層散列函數(shù)假設(shè)的消息鑒別機(jī)制的加密強(qiáng)度分析。4. 當(dāng)發(fā)現(xiàn)或需要運(yùn)算速度更快或更安全的散列函數(shù)時(shí)，可以很容易的實(shí)現(xiàn)底層散列函數(shù)的替換。注釋：在寫本文檔時(shí)，MD5和SHA1是使用最廣泛的加密用散列函數(shù)。二 HMAC的算法原理2.1 HMAC算法定義：用公式表示如下：HMAC=H(key or opad ,H(key or ipad,text)H(X,Y)表示對(duì) X + Y的消息進(jìn)行一種Hash運(yùn)算。Ipad代表重復(fù)B次的單字節(jié)十六進(jìn)制常數(shù)OX36;Opad代表重復(fù)B次的單字節(jié)十六進(jìn)制常數(shù)OX5C;key代表64字節(jié)的字符串，由密鑰組成，不足的補(bǔ)0;text代表任意長度文本;密鑰長度L字節(jié)。當(dāng)大于B時(shí)，先經(jīng)Hash計(jì)算形成L字節(jié)的秘鑰 （B是Hash算法中一次迭代運(yùn)算的數(shù)據(jù)塊字節(jié)數(shù)；L是Hash算法形成報(bào)文摘要的字節(jié)數(shù),MD5中是16，SHA-1中是20）。2.2算法步驟(1)在密鑰K后面添加0來創(chuàng)建一個(gè)字長為B的字符串。(例如，如果K的字長是20字節(jié)，B60字節(jié)，則K后會(huì)加入44個(gè)零字節(jié)0x00)，如果K的長度大于B時(shí)，則應(yīng)經(jīng)過散列函數(shù)處理。if (key_len > 64) MD5_CTX tctx; MD5Init(&tctx); MD5Update(&tctx, key, key_len); MD5Final(tk, &tctx); key = tk; key_len = 16;(2)將上一步生成的B字長的字符串與ipad做異或運(yùn)算。 k_ipadi = 0x36;(3)將數(shù)據(jù)流text填充至第二步的結(jié)果字符串中。(4)用H作用于第三步生成的數(shù)據(jù)流。調(diào)用散列函數(shù)（MD5,SHA-1）(5)將第一步生成的B字長字符串與opad做異或運(yùn)算。k_opadi = 0x5c;(6)再將第四步的結(jié)果填充進(jìn)第五步的結(jié)果中。(7)用H作用于第六步生成的數(shù)據(jù)流，輸出最終結(jié)果。2.3 MD5算法MD5算法以對(duì)任意長度消息多次循環(huán)迭代的散列運(yùn)算，最終形成16 Byte報(bào)文摘要。這摘要對(duì)文本具有唯一性，可作為認(rèn)證碼。在目標(biāo)計(jì)算機(jī)的計(jì)算速度下，這個(gè)摘要是難于破解的。（1）報(bào)文填充MD5算法要求對(duì)任意長度報(bào)文進(jìn)行填充，構(gòu)成N64 Byte消息分組，N為整數(shù)。其中每一分組填充數(shù)據(jù)分2步。首先，填充使得數(shù)據(jù)位長度恰好為（N64-8）Byte的數(shù)，即在報(bào)文有效數(shù)據(jù)后補(bǔ)1個(gè)0x1，其它補(bǔ)0x0至滿足上述要求。然后，再后補(bǔ)上8字節(jié)（64位）的報(bào)文數(shù)據(jù)長度（填充前字節(jié)數(shù)）。這樣，數(shù)據(jù)就被填充為64Byte（512bit）的整數(shù)倍。又劃分16個(gè)4字節(jié)子分組。（2）初始化MD5參數(shù)4個(gè)4字節(jié)位變量（A、B、C、D）用來作為報(bào)文摘要的初始值：A=0x01234567 B=0x89abcdef C=0xfedcba98 D=0x76543210( 3 ) 算法MD5算法是對(duì)消息分組依次迭代算法。第1次運(yùn)算的初始值為ABCD，以后每一次迭代運(yùn)算的結(jié)果都替換ABCD作為下一次的初始值，共經(jīng)過N次的迭代運(yùn)算，就得到該消息的報(bào)文摘要. 2.4實(shí)現(xiàn)步驟第一步：增加填充 增加padding使得數(shù)據(jù)長度（bit為單位）模512為448。如果數(shù)據(jù)長度正好是模512為448，增加512個(gè)填充bit，也就是說填充的個(gè)數(shù)為1-512。第一個(gè)bit為1，其余全部為0。 第二步：補(bǔ)足長度 將數(shù)據(jù)長度轉(zhuǎn)換為64bit的數(shù)值，如果長度超過64bit所能表示的數(shù)據(jù)長度的范圍，值保留最后64bit，增加到前面填充的數(shù)據(jù)后面，使得最后的數(shù)據(jù)為512bit的整數(shù)倍。也就是32bit的16倍的整數(shù)倍。在RFC1321中，32bit稱為一個(gè)word。 第三步：初始化變量 用到4個(gè)變量，分別為A、B、C、D，均為32bit長。初始化為： A: 01 23 45 67 B: 89 ab cd ef C: fe dc ba 98 D: 76 54 32 10 第四步：數(shù)據(jù)處理 首先定義4個(gè)輔助函數(shù)： F(X,Y,Z) G(X,Y,Z) H(X,Y,Z) I(X,Y,Z) 其中：X&Y表示按位與，X | Y表示按位或，not(X)表示按位取反。xor表示按位異或。 函數(shù)中的X、Y、Z均為32bit。 定義一個(gè)需要用到的數(shù)組：T(i),i取值1-64,T(i)等于abs(sin(i)的4294967296倍的整數(shù)部分,i為弧度。 假設(shè)前三步處理后的數(shù)據(jù)長度為32*16*Nbit 第五步：輸出 最后得到的ABCD為輸出結(jié)果，共128bit。A為低位，D為高位。三 密鑰用于HMAC的密鑰可以是任意長度（比B長的密鑰將首先被H處理）。但當(dāng)密鑰長度小于L時(shí)的情況時(shí)非常令人失望的，因?yàn)檫@樣將降低函數(shù)的安全強(qiáng)度。長度大于L的密鑰是可以接受的，但是額外的長度并不能顯著的提高函數(shù)的安全強(qiáng)度。（如果一個(gè)隨機(jī)的密鑰被認(rèn)為是不可靠的，那么選擇一個(gè)較長的密鑰是明智的）。 密鑰必須隨機(jī)選取(或使用強(qiáng)大的基于隨機(jī)種子的偽隨機(jī)生成方法)，并且要周期性的更新。（目前的攻擊沒有指出一個(gè)有效的更換密鑰的頻率，因?yàn)槟切┕魧?shí)際上并不可行。然而，周期性更新密鑰是一個(gè)對(duì)付函數(shù)和密鑰所存在的潛在缺陷的基本的安全措施，并可以降低泄漏密鑰帶來的危害。）四 注意事項(xiàng) HMAC是按底層散列函數(shù)可以不修改源碼就可使用這種方式定義的。尤其是它在使用H函數(shù)時(shí)還要依賴于預(yù)定義的初始化值IV（一個(gè)定值，由每個(gè)迭代散列函數(shù)在初始化它的壓縮函數(shù)時(shí)指定).然而，如果你愿意的話，可以修改H函數(shù)的源碼來支持可變的初始化值Ivs.這個(gè)想法是這樣的：壓縮函數(shù)作用于B字長數(shù)據(jù)塊（K XOR opad）和(K XOR ipad)所產(chǎn)生的中間結(jié)果可以在密鑰剛剛生成時(shí)就預(yù)先計(jì)算好的。先將這些中間結(jié)果存儲(chǔ)，然后在每次有消息需要驗(yàn)證時(shí)來生成H函數(shù)的初始化值IV。這種方法為每個(gè)要鑒別的消息保存了H 的壓縮函數(shù)對(duì)于兩個(gè)B字長數(shù)據(jù)塊（K XOR opad）和(K XOR ipad)的應(yīng)用。當(dāng)鑒別短數(shù)據(jù)流，保存這樣的信息是重要的。我們要強(qiáng)調(diào)的是：對(duì)待這些中間結(jié)果要象對(duì)待密鑰一樣，并且要同樣的進(jìn)行保密。上述的選擇實(shí)現(xiàn)HMAC的方法是本地執(zhí)行的結(jié)果，對(duì)內(nèi)部操作性沒有影響。 五 安全 這里將說明消息鑒別機(jī)制的安全性取決于所采用的散列函數(shù)的加密特性:1?？箾_突攻擊能力（只限于初始化值是隨機(jī)且秘密的，且函數(shù)的輸出對(duì)攻擊者來說是不可用的情況）2。當(dāng)作用于單數(shù)據(jù)塊時(shí)H的壓縮函數(shù)的的消息鑒別屬性(在HMAC中這些數(shù)據(jù)塊是部分未知得，當(dāng)攻擊者自制內(nèi)部H函數(shù)計(jì)算結(jié)果，并且攻擊者是不能充分的選擇得)HMAC中使用的散列函數(shù)一般都具有以上或更強(qiáng)的屬性。實(shí)際上，如果一個(gè)散列函數(shù)不具有以上的屬性那么它對(duì)于大多數(shù)的加密應(yīng)用程序是不適用的，包括基于該函數(shù)的選擇消息鑒別方案。（對(duì)HMAC函數(shù)原理詳細(xì)闡述和完整的分析參見BCK1）只要得到關(guān)于候選散列函數(shù)的加密強(qiáng)度有限的信任，那么觀察它用于消息鑒別的安全性及以下HMAC結(jié)構(gòu)的兩種屬性是很重要的。1這種結(jié)構(gòu)是獨(dú)立于具體所使用的散列函數(shù)并且后者是可以被任何其它安全加密散列函數(shù)替代2消息鑒別相對(duì)于加密來說是一種“瞬時(shí)”影響。公開的對(duì)一種消息鑒別方案的破壞會(huì)導(dǎo)致該方案被替換，但是其對(duì)已鑒別過的信息卻無能為力，。這就與加密形成鮮明對(duì)比。如果其加密算法被破解的話。今天加密的的數(shù)據(jù)，在未來都會(huì)受到被破解的威脅， 對(duì)HMAC已知最有力的攻擊是基于散列函數(shù)的沖突頻率。（“生日攻擊法”PV,BCK2,但完全不適用于最小有理散列函數(shù)。