Date: Thu, 1 Oct 2015 03:01:43 +0300 From: Aleksey Cherepanov <lyosha@...nwall.com> To: john-dev@...ts.openwall.com Subject: Re: reverse of full sha1 and sha256 limb when hash and block are known On Thu, Sep 03, 2015 at 03:34:54AM +0300, Aleksey Cherepanov wrote: > tl;dr: if W and hash are known, initial state can be computed. ... PROFIT! No, it is a mistake. > Looking at sha1 round, it is obvious that each round can be computed > backwards (i.e. starting from hash and going to initial state): > consider a, b, c, d, e after round known, then there are only 2 > unknown variables: w[i] and e at the beginning of round. So knowing > w[i], it is trivial to right a formula to compute e. This way we go > reverse. > > sha256 is a bit more complex, but it has only 1 unknown variable too. > So it is possible to write reverse algo straight-forward. PoC is > attached. > > So sha1 and sha256 behave like block ciphers: you "encrypt" initial > state ("block of data") with W, that is expanded block of message > ("key"). And it is possible to "decrypt" hash to get initial state. That's true only for a part. But pre-block state is added after block, so we have f(x) + x == hash where hash is known, x is unknown and f is known but very complex. My code worked because it is for 1 block: we know x, but it won't work for 2 block when x is not known and can't be subtracted from hash.d Thanks! -- Regards, Aleksey Cherepanov
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.