|
A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. These one-way hash functions have been called "the workhorses of modern cryptography". The input data is often called the ''message'', and the hash value is often called the ''message digest'' or simply the ''digest''. The ideal cryptographic hash function has four main properties: * it is easy to compute the hash value for any given message * it is infeasible to generate a message from its hash * it is infeasible to modify a message without changing the hash * it is infeasible to find two different messages with the same hash. Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Indeed, in information security contexts, cryptographic hash values are sometimes called (''digital'') ''fingerprints'', ''checksums'', or just ''hash values'', even though all these terms stand for more general functions with rather different properties and purposes. ==Properties== Most cryptographic hash functions are designed to take a string of any length as input and produce a fixed-length hash value. A cryptographic hash function must be able to withstand all known types of cryptanalytic attack. At a minimum, it must have the following properties: * ''Pre-image resistance'' *: Given a hash value ''h'' it should be difficult to find any message ''m'' such that ''h = hash(m)''. This concept is related to that of one-way function. Functions that lack this property are vulnerable to preimage attacks. * ''Second pre-image resistance'' *: Given an input ''m''1 it should be difficult to find different input ''m''2 such that . Functions that lack this property are vulnerable to second-preimage attacks. * ''Collision resistance'' *: It should be difficult to find two different messages ''m''1 and ''m''2 such that . Such a pair is called a cryptographic hash collision. This property is sometimes referred to as ''strong collision resistance.'' It requires a hash value at least twice as long as that required for preimage-resistance; otherwise collisions may be found by a birthday attack. These properties imply that a malicious adversary cannot replace or modify the input data without changing its digest. Thus, if two strings have the same digest, one can be very confident that they are identical. A function meeting these criteria may still have undesirable properties. Currently popular cryptographic hash functions are vulnerable to ''length-extension'' attacks: given and but not ''m'', by choosing a suitable ''m'' an attacker can calculate where || denotes concatenation.〔(【引用サイトリンク】title=Flickr's API Signature Forgery Vulnerability )〕 This property can be used to break naive authentication schemes based on hash functions. The HMAC construction works around these problems. Ideally, one may wish for even stronger conditions. It should be impossible for an adversary to find two messages with substantially similar digests; or to infer any useful information about the data, given only its digest. Therefore, a cryptographic hash function should behave as much as possible like a random function while still being deterministic and efficiently computable. Checksum algorithms, such as CRC32 and other cyclic redundancy checks, are designed to meet much weaker requirements, and are generally unsuitable as cryptographic hash functions. For example, a CRC was used for message integrity in the WEP encryption standard, but an attack was readily discovered which exploited the linearity of the checksum. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Cryptographic hash function」の詳細全文を読む スポンサード リンク
|