Secure Hash Algorithm: differenze tra le versioni

Naviga nella cronologia in modo interattivo

← Differenza precedente

Contenuto cancellato Contenuto aggiunto

VisualeWikitesto

Versione delle 13:06, 30 apr 2008 modifica IagaBot (discussione \| contributi) 32 951 modifiche m Bot: sostituzioni standard ← Differenza precedente		Versione attuale delle 00:03, 27 lug 2025 modifica annulla FranzaGeek (discussione \| contributi) 8 modifiche m →SHA-0 e SHA-1: Correct typo Etichetta: Modifica visuale
(152 versioni intermedie di oltre 100 utenti non mostrate)
Riga 1: Con il termine '''SHA''' ([[acronimo]] dell'[[Lingua inglese\|inglese]] '''Secure Hash Algorithm''') si indica una famiglia di cinque diverse [[Funzioni crittografiche di hash\|funzioni crittografiche di ''hash'']] sviluppate a partire dal [[1993]] dalla ''[[National Security Agency]]'' (NSA) e pubblicato dal [[National Institute of Standards and Technology\|NIST]] come [[Federal Information Processing Standard\|standard federale]] dal governo degli [[Stati Uniti d'America\|USA]] ([http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf FIPS PUB 180-4]). ~~[[Categoria:Algoritmi]]{{t\|lingua=inglese\|argomento=matematica}}~~ Come ogni [[algoritmo]] di ''hash'', l'SHA produce un ''message digest'', o "impronta del [[messaggio]]", di lunghezza fissa partendo da un messaggio di lunghezza variabile. La sicurezza di un [[algoritmo]] di ''hash'' risiede nel fatto che la funzione non sia invertibile (non sia cioè possibile risalire al messaggio originale conoscendo solo questo dato) e che non deve essere mai possibile creare ''intenzionalmente'' due messaggi diversi con lo stesso ''digest''. Gli algoritmi della famiglia sono denominati '''SHA-1''', '''SHA-224''', '''SHA-256''', '''SHA-384''' e '''SHA-512''': le ultime 4 varianti sono spesso indicate genericamente come '''SHA-2''', per distinguerle dal primo. Il primo produce un ''digest'' del messaggio di soli 160 [[bit]], mentre gli altri producono ''digest'' di lunghezza in bit pari al numero indicato nella loro sigla (SHA-256 produce un ''digest'' di 256 bit). L'SHA-1 è il più diffuso algoritmo della famiglia SHA ed è utilizzato in numerose applicazioni e protocolli nonostante sia ormai insicuro e verrà presto sostituito dagli altri, più moderni ed efficienti. Gli '''Algoritmi SHA''' sono cinque [[funzioni crittografiche di hash]] sviluppate dalla [[National Security Agency]] (NSA) e pubblicate dal [[National Institute of Standards and Technology\|NIST]] come un [[Federal Information Processing Standard]] degli USA. La sicurezza di SHA-1 è stata appunto compromessa dai [[crittoanalisi\|crittoanalisti]].<ref>[https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html Crittoanalisi dell'SHA-1 (Schneier)]</ref> Sebbene non siano ancora noti attacchi alle varianti SHA-2, esse hanno un algoritmo simile a quello di SHA-1 per cui sono in atto sforzi per sviluppare algoritmi di ''hashing'' alternativi e migliorati.<ref>[https://www.schneier.com/blog/archives/2005/11/nist_hash_works_4.html Schneier on Security: NIST Hash Workshop Liveblogging (5)<!-- Titolo generato automaticamente -->]</ref><ref>[http://www.heise-security.co.uk/articles/75686/2 The H: Security news and Open source developments<!-- Titolo generato automaticamente -->]</ref> ~~SHA sta per '''Secure Hash Algorithm'''. <br/>~~ Un concorso aperto per la realizzazione di una nuova funzione '''SHA-3''' venne annunciato nel ''Federal Register'' il 2 novembre 2007<ref name=autogenerato1>[http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf Document<!-- Titolo generato automaticamente -->]</ref> dal NIST e attraverso una [[Competizione NIST per funzioni hash\|competizione pubblica]], simile a quella adottata per il processo di sviluppo dell'[[Advanced Encryption Standard\|AES]],<ref>[http://www.csrc.nist.gov/pki/HashWorkshop/index.html Bounce to index.html<!-- Titolo generato automaticamente -->] {{webarchive\|url=https://web.archive.org/web/20080205143613/http://www.csrc.nist.gov/pki/HashWorkshop/index.html \|data=5 febbraio 2008 }}</ref> ha portato in data 2 ottobre 2012 ad annunciare come vincitore l'algoritmo [[Keccak]]. Opera di un team di analisti italiani e belgi, il Keccak<ref>[http://keccak.noekeon.org/ The Keccak sponge function family<!-- Titolo generato automaticamente -->]</ref> sembra dunque destinato a venire gradualmente incluso e adottato nelle soluzioni di [[sicurezza informatica]] più variegate. ~~Un [[algoritmo di hash]] calcola una rappresentazione digitale di lunghezza fissa (nota come ''message digest'') di una sequenza di dati in ingresso (il ''messaggio'') di lunghezza qualunque. <br/>~~ ~~Un tale algoritmo è chiamato “sicuro” quando (citando lo standard),~~ ~~“è computazionalmente impraticabile:~~ ~~# trovare un messaggio che corrisponda ad un dato ''message digest'', oppure~~ ~~# trovare due messaggi distinti che producano lo stesso ''message digest''.~~ ~~Ogni cambiamento del messaggio porterà, con probabilità molto alte, ad un diverso ''message digest''.”~~ Il 23 febbraio 2017 un team di Google ha annunciato la prima tecnica pratica per generare una [[collisione hash]].<ref>{{Cita web\|https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html\|Announcing the first SHA1 collision\|17 marzo 2017\|data=23 febbraio 2017\|lingua=en}}</ref><ref>{{Cita web\|https://shattered.it\|Shattered\|17 marzo 2017\|citazione=We have broken SHA-1 in practice.\|lingua=en}}</ref> ~~I cinque algoritmi sono chiamati ''SHA-1'', ''SHA-224'', ''SHA-256'', ''SHA-384'', e ''SHA-512''. <br/>~~ ~~Le ultime quattro varianti sono talvolta chiamate tutte insieme ''SHA-2''. <br/>~~ ~~SHA-1 produce un ''message digest'' di 160 bits; il numero nel nome delle altre quattro varianti (p.e. '''SHA-''224''''') indica il numero di bit prodotti.~~ == SHA-0 e SHA-1 == SHA-1 viene impegato in diverse applicazioni e protocolli ampiamente diffusi, inclusi [[Transport Layer Security\|TLS and SSL]], [[Pretty Good Privacy\|PGP]], [[Secure Shell\|SSH]], [[S/MIME]], e [[IPsec]]. Viene considerato il successore di [[MD5]], una funzione di hash molto utilizzata in passato. [[File:SHA-1.svg\|thumb\|Un'iterazione all'interno della funzione di compressione di SHA-1. A, B, C, D ed E sono parole di stato a 32 bit; F è una funzione non lineare che varia; [[File:lll.png\|left shift]]<sub>''n''</sub> denota una rotazione del bit di sinistra di ''n'' posti; ''n'' varia per ogni operazione. [[File:Boxplus.png\|Addition]] denota l'addizione modulo 2<sup>32</sup>. K<sub>t</sub> è una costante.]] La specifica originale dell'algoritmo fu pubblicata nel 1993 come ''Secure Hash Standard'', [[Federal Information Processing Standard\|FIPS]] PUB 180, dal [[National Institute of Standards and Technology\|NIST]]. Ci si riferisce spesso a questa versione come '''SHA-0''' per distinguerla dalle successive versioni. Fu ritirata dall'[[National Security Agency\|NSA]] breve tempo dopo la pubblicazione e fu soppiantata da una versione rivista, pubblicata nel 1995 (FIPS PUB 180-1) e solitamente nota come '''SHA-1'''. L'SHA-1 differisce dall'SHA-0 unicamente per una sola rotazione di bit nel processo di preparazione del messaggio della sua funzione di compressione ad una via; ciò fu fatto, secondo l'NSA, per correggere un difetto nell'algoritmo originale, il quale riduceva la sicurezza crittografica di SHA-0. Ad ogni modo, l'NSA non fornì nessuna ulteriore spiegazione chiarificante. Sono state in seguito riportate debolezze sia nel codice dell'SHA-0 sia in quello dell'SHA-1. L'SHA-1 pare offrire maggiore resistenza agli attacchi, a supporto dell'asserzione dell'NSA che il cambiamento aumentò la sicurezza. La sicurezza di SHA-1 è stata in parte compromessa dai crittoanalisti. <ref>http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html</ref> Sebbene non siano ancora noti attacchi alle varianti SHA-2, esse hanno un algoritmo simile a quello di SHA-1 per cui sono in atto sforzi per sviluppare algoritmi di hashing alternativi e migliorati.<ref>http://www.schneier.com/blog/archives/2005/11/nist_hash_works_4.html</ref><ref>http://www.heise-security.co.uk/articles/75686/2</ref> Un concorso aperto per la realizzazione di una nuova funzione SHA-3 è stato formalmente annunciato nel ''[[Federal Register]]'' il 2 novembre 2007.<ref>http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf</ref> "La NIST sta avviando un concorso per lo sviluppo di uno o più algoritmi di hashing aggiuntivi attraverso una competizione pubblica, come per il [[Advanced Encryption Standard process\|processo di sviluppo]] dell' [[Advanced Encryption Standard]] (AES)."<ref>http://www.csrc.nist.gov/pki/HashWorkshop/index.html</ref> Le iscrizioni si sono concluse il 31 ottobre 2008 e la proclamazione del vincitore e la pubblicazione del nuovo standard sono previste per il 2012. L'SHA-1 (così come l'SHA-0) produce un ''digest'' di 160 bit da un messaggio con una lunghezza massima di 2<sup>64</sup>-1 bit, essendo fondato sullo schema di Merkel-Damgard si basa su principi simili a quelli usati da [[Ronald Rivest\|Ronald L. Rivest]] del [[Massachusetts Institute of Technology\|MIT]] nel ''design'' degli algoritmi [[MD4]] e [[MD5]]. ~~<!--~~ ~~==SHA-0 and SHA-1==~~ ~~{{Left60}}~~ ~~{{sectexpand\|date=May 2007}}~~ ~~</div>~~ [[Immagine:SHA-1.svg\|thumbnail\|right\|300px\|One iteration within the SHA-1 compression function. A, B, C, D and E are 32-bit words of the state; ''F'' is a nonlinear function that varies; [[Image:lll.png\|left shift]]<sub>''n''</sub> denotes a left bit rotation by ''n'' places; ''n'' varies for each operation. [[Immagine:Boxplus.png\|Addition]] denotes addition modulo 2<sup>32</sup>. K<sub>t</sub> is a constant.]] === Funzionamento === The original specification of the algorithm was published in 1993 as the ''Secure Hash Standard'', [[Federal Information Processing Standard\|FIPS]] PUB 180, by US government standards agency [[NIST]] (National Institute of Standards and Technology). This version is now often referred to as ''SHA-0''. It was withdrawn by the [[NSA]] shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as ''SHA-1''. SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its [[One-way compression function\|compression function]]; this was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. However, the NSA did not provide any further explanation or identify what flaw was corrected. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA’s assertion that the change increased the security. ''Passo 1'' (Imbottitura): Al messaggio originale vengono aggiunti dei bit di "imbottitura" affinché la lunghezza finale del messaggio risulti congruente a 448 modulo 512, così facendo la lunghezza in bit di "messaggio+imbottitura" divisa per 512 darà resto 448. ''Passo 2'' (Aggiunta lunghezza): Alla sequenza di bit (messaggio+imbottitura) creata durante il passo 1 viene aggiunto un intero unsigned di 64bit contenente la lunghezza del messaggio originale. Alla fine di questi due primi passi otteniamo una sequenza di bit che è un multiplo di 512. SHA-1 (as well as SHA-0) produces a 160-bit digest from a [[message]] with a maximum length of (2<sup>64</sup> − 1) bits and is based on principles similar to those used by [[Ron Rivest\|Ronald L. Rivest]] of [[Massachusetts Institute of Technology\|MIT]] in the design of the [[MD4]] and [[MD5]] message digest algorithms. ''Passo 3'' (Inizializzazione del buffer MD): Un buffer di 160bit suddiviso in 5 registri da 32bit ciascuno viene creato per la memorizzazione di alcuni passaggi intermedi. I 5 registri verranno convenzionalmente indicati con (A,B,C,D,E) ed inizializzati con i seguenti valori esadecimali: ~~==Cryptanalysis==~~ # A = 67452301 For an ideal hash function, violating the first criterion listed above, finding a message that corresponds to a given message digest, can always be done using a brute force search in 2<sup>''L''</sup> evaluations, where ''L'' is the number of bits in the message digest. This is called a [[preimage attack]]. The second criterion, finding two different messages that produce the same message digest, known as a ''collision,'' requires only 2<sup>''L''/2</sup> evaluations using a [[birthday attack]]. For the latter reason the strength of a hash function is usually compared to a symmetric cipher of half the message digest length. Thus SHA-1 was originally considered to have 80-bit strength. # B = EFCDAB89 # C = 98BADCFE # D = 10325476 # E = C3D2E1F0 ''Passo 4'' (Elaborazione dei blocchi da 512bit): La sequenza di bit "messaggio+imbottitura+lunghezzaMessaggio" viene divisa in blocchi da 512bit, che identificheremo con B<sub>n</sub> con n che va da 0 a L. ~~Cryptographers have produced collision pairs for SHA-0 and have found algorithms that should produce SHA-1 collisions in far fewer than the intended 2<sup>80</sup> evaluations.~~ Il fulcro dell'algoritmo SHA-1 è chiamato ''compression function'' ed è formato da 4 cicli di 20 passi cadauno. I cicli hanno una struttura molto simile tra di loro se non per il fatto che utilizzano una differente funzione logica primitiva. Ogni blocco viene preso come parametro di input da tutti e 4 i cicli insieme ad una costante K e i valori dei 5 registri. Alla fine della computazione otterremo dei nuovi valori per A,B,C,D,E che useremo per la computazione del blocco successivo sino ad arrivare al blocco finale F. == L'insieme SHA-2 == In terms of practical security, a major concern about these new attacks is that they might pave the way to more efficient ones. Whether this is the case has yet to be seen, but a migration to stronger hashes is believed to be prudent. Some of the applications that use cryptographic hashes, such as password storage, are only minimally affected by a collision attack. Constructing a password that works for a given account requires a preimage attack, and access to the hash of the original password (typically in the ''shadow'' file) which may or may not be trivial. Reversing password encryption (e.g. to obtain a password to try against a user's account elsewhere) is not made possible by the attacks. [[File:SHA-2.svg\|thumb\|Una iterazione della funzione di compressione negli algoritmi della famiglia SHA-2.]] Nel [[2001]] il NIST pubblicò quattro funzioni di ''hash'' addizionali facenti parte della famiglia SHA, ognuna con un ''digest'' più lungo di quello originale, collettivamente denominate '''SHA-2''' (anche se questo termine non è mai stato ufficialmente standardizzato). Queste varianti sono note, come detto, con la lunghezza in bit del ''digest'' generato a seguire la sigla ufficiale dell<nowiki>'</nowiki>''hash'': '''SHA-224''', '''SHA-256''', '''SHA-384''' e '''SHA-512''', con, rispettivamente, ''hash'' di 224, 256, 384 e 512 bit. Da notare che gli ultimi tre algoritmi furono ufficializzati come standard nel [[2002]] mentre l'SHA-224 fu introdotto nel febbraio del [[2004]]: quest'ultimo presenta un ''hash'' di lunghezza identica a quella di 2 chiavi del [[Triple DES]]. Tutte queste varianti sono brevettate dal governo statunitense, ma pubblicate con licenza libera.<ref>{{Cita pubblicazione \|titolo=Licensing Declaration for US patent 6829355.\|url=https://datatracker.ietf.org/ipr/858/\|accesso=17 febbraio 2008}}</ref>. In the case of document signing, an attacker could not simply fake a signature from an existing document—the attacker would have to produce a pair of documents, one innocuous and one damaging, and get the private key holder to sign the innocuous document. There are practical circumstances where this is possible. Gli algoritmi SHA-256 e SHA-512 lavorano, rispettivamente, con [[word]] di 32 e 64 bit: utilizzano un numero differente di rotazioni e di costanti addizionali, ma la loro struttura è sostanzialmente identica. Gli algoritmi SHA-224 e SHA-384 sono semplicemente versioni troncate dei precedenti due, con ''hash'' calcolati con differenti valori iniziali. ~~===Cryptanalysis of SHA-0===~~ At [[CRYPTO (conference)\|CRYPTO]] 98, two French researchers, [[Florent Chabaud]] and [[Antoine Joux]], presented an attack on SHA-0 ([http://fchabaud.free.fr/English/Publications/sha.pdf Chabaud and Joux, 1998]): [[hash collision\|collisions]] can be found with complexity 2<sup>61</sup>, fewer than the 2<sup>80</sup> for an ideal hash function of the same size. Gli algoritmi SHA-2 non hanno ricevuto, a differenza dell'SHA-1, molta attenzione dalla comunità dei crittoanalisti per cui la loro sicurezza in campo crittografico non è stata del tutto provata. Gilbert e Handschuh ([[2003]]) hanno studiato queste nuove varianti e non hanno trovato vulnerabilità<ref>{{Cita pubblicazione \|titolo=Security analysis of SHA-256 and sisters \|autore=Henri Gilbert \|coautori=Helena Handschuh \|rivista=Lecture notes in computer science \|editore=Springer, Berlin \|issn=0302-9743 \|url=http://cat.inist.fr/?aModele=afficheN&cpsidt=15735289 \|accesso=30 gennaio 2008 \|urlarchivio=https://web.archive.org/web/20111018010557/http://cat.inist.fr/?aModele=afficheN&cpsidt=15735289 \|dataarchivio=18 ottobre 2011 \|urlmorto=sì }}</ref>. In 2004, [[Eli Biham\|Biham]] and Chen found near-collisions for SHA-0 — two messages that hash to nearly the same value; in this case, 142 out of the 160 bits are equal. They also found full collisions of SHA-0 reduced to 62 out of its 80 rounds. == SHA-3 == Subsequently, on [[12 August]] [[2004]], a collision for the full SHA-0 algorithm was announced by Joux, Carribault, Lemuet, and Jalby. This was done by using a generalization of the Chabaud and Joux attack. Finding the collision had complexity 2<sup>51</sup> and took about 80,000 CPU hours on a [[supercomputer]] with 256 [[Itanium 2]] processors. {{Vedi anche\|SHA-3}} La [[Competizione NIST per funzioni hash\|competizione]] che ha portato al rilascio del nuovo standard '''SHA-3''' è stata ufficialmente lanciata il 2 novembre [[2007]]<ref name=autogenerato1 />. Il 2 ottobre 2012 la [[National Institute of Standards and Technology\|NIST]] ha proclamato come vincitore l'algoritmo di [[Keccak]] [[SHA-3]]. == Comparazione delle funzioni SHA == On [[17 August]] [[2004]], at the Rump Session of CRYPTO 2004, preliminary results were announced by [[Xiaoyun Wang\|Wang]], Feng, Lai, and Yu, about an attack on [[MD5]], SHA-0 and other hash functions. The complexity of their attack on SHA-0 is 2<sup>40</sup>, significantly better than the attack by Joux ''et al.'' <ref>http://www.freedom-to-tinker.com/archives/000664.html</ref><ref>http://groups.google.com/groups?selm=fgrieu-05A994.05060218082004%40individual.net</ref> Nella tabella sottostante sono riportate le caratteristiche principali degli algoritmi della famiglia SHA (Per ''Stato interno'' si intende la somma interna dopo ogni compressione di un blocco di dati). In February 2005, an attack by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu was announced which could find collisions in SHA-0 in 2<sup>39</sup> operations.<ref>http://www.schneier.com/blog/archives/2005/02/sha1_broken.html</ref><ref>http://www.infosec.sdu.edu.cn/paper/sha0-crypto-author-new.pdf</ref> ~~===Cryptanalysis of SHA-1===~~ In light of the results on SHA-0, some experts suggested that plans for the use of SHA-1 in new [[cryptosystem]]s should be reconsidered. After the CRYPTO 2004 results were published, NIST announced that they planned to phase out the use of SHA-1 by 2010 in favor of the SHA-2 variants.<ref>http://csrc.nist.gov/hash_standards_comments.pdf</ref> In early 2005, [[Vincent Rijmen\|Rijmen]] and [[Elisabeth Oswald\|Oswald]] published an attack on a reduced version of SHA-1 — 53 out of 80 rounds — which finds collisions with a complexity of fewer than 2<sup>80</sup> operations.<ref>http://eprint.iacr.org/2005/010</ref> In February 2005, an attack by [[Xiaoyun Wang]], [[Yiqun Lisa Yin]], and [[Hongbo Yu]] was announced.<ref>http://www.schneier.com/blog/archives/2005/02/sha1_broken.html</ref> The attacks can find collisions in the full version of SHA-1, requiring fewer than 2<sup>69</sup> operations. (A [[brute-force search]] would require 2<sup>80</sup> operations.) ~~The authors write:~~ "In particular, our analysis is built upon the original differential attack on SHA0 [''sic''], the near collision attack on SHA0, the multiblock collision techniques, as well as the message modification techniques used in the collision search attack on MD5. Breaking SHA1 would not be possible without these powerful analytical techniques."<ref>http://theory.csail.mit.edu/~yiqun/shanote.pdf</ref>. The authors have presented a collision for 58-round SHA-1, found with 2<sup>33</sup> hash operations. ~~The paper with the full attack description was published in August 2005 at the CRYPTO conference.~~ In an interview, Yin states that, "Roughly, we exploit the following two weaknesses: One is that the file preprocessing step is not complicated enough; another is that certain math operations in the first 20 rounds have unexpected security problems."<ref>http://news.zdnet.com/2100-1009_22-5598536.html</ref> On [[17 August]] [[2005]], an improvement on the SHA-1 attack was announced on behalf of Xiaoyun Wang, Andrew Yao and Frances Yao at the CRYPTO 2005 rump session, lowering the complexity required for finding a collision in SHA-1 to 2<sup>63</sup>.<ref>http://www.schneier.com/blog/archives/2005/08/new_cryptanalyt.html</ref> Christophe De Cannière and Christian Rechberger further improved the attack on SHA-1 in "Finding SHA-1 Characteristics: General Results and Applications,"<ref>http://dx.doi.org/10.1007/11935230_1</ref> receiving the Best Paper Award at [[ASIACRYPT]] [[2006]]. A two-block collision for 64-round SHA-1 was presented, found using unoptimized methods with 2<sup>35</sup> compression function evaluations. As this attack requires the equivalent of about 2<sup>35</sup> evaluations, it is considered to be a theoretical break.<ref>http://www.iaik.tugraz.at/research/krypto/collision/SHA1Collision_Description.php</ref> To find an actual collision, however, a massive distributed computing effort or very large parallel supercomputer such as those possessed by the [[NSA]] would be required. To that end, a collision search for SHA-1 using the distributed computing platform [[BOINC]] is currently being made.<ref>http://boinc.iaik.tugraz.at/sha1_coll_search/</ref> At the Rump Session of CRYPTO 2006, Christian Rechberger and Christophe De Cannière claimed to have discovered a collision attack on SHA-1 that would allow an attacker to select at least parts of the message.<ref>http://www.heise-security.co.uk/news/77244</ref><ref>http://www.iacr.org/conferences/crypto2006/rumpsched.html</ref> ~~==SHA-2==~~ ~~[[Immagine:SHA-2.svg\|thumbnail\|right\|400px\|A round of the SHA-2]]~~ NIST has published four additional hash functions in the SHA family, each with longer digests, collectively known as SHA-2. The individual variants are named after their digest lengths (in bits): SHA-224, SHA-256, SHA-384, and SHA-512. The latter three were first published in 2001 in the draft FIPS PUB 180-2, at which time review and comment were accepted. FIPS PUB 180-2, which also includes SHA-1, was released as an official standard in 2002. In February 2004, a change notice was published for FIPS PUB 180-2, specifying an additional variant, SHA-224, defined to match the key length of two-key [[Triple DES]]. These variants are patented in {{cite patent\|US\|6829355}}. SHA-256 and SHA-512 are novel hash functions computed with 32- and 64-bit words, respectively. They use different shift amounts and additive constants, but their structures are otherwise virtually identical, differing only in the number of rounds. SHA-224 and SHA-384 are simply truncated versions of the first two, computed with different initial values. These new hash functions have not received as much scrutiny by the public cryptographic community as SHA-1 has, and so their cryptographic security is not yet as well-established. Gilbert and Handschuh (2003) have studied the newer variants and found no weaknesses.{{Fact\|date=December 2007}} ~~== SHA sizes ==~~ ~~In the table below, ''internal state'' means the “internal hash sum” after each compression of a data block; see [[Merkle-Damgård hash function\|Merkle-Damgård construction]] for more details.~~ ~~{\| class="wikitable"~~ ~~!Algorithm~~ ~~!Output size (bits)~~ ~~!Internal state size (bits)~~ ~~!Block size (bits)~~ ~~!Max message size (bits)~~ ~~!Word size (bits)~~ ~~!Rounds~~ ~~!Operations~~ ~~![[Hash collision\|Collision]]~~ {\| border=1 class="wikitable" ! colspan="2" \| Algoritmo e<br />variante !Dimensione dell'output (bit) !Dimensione dello stato interno (bit) !Dimensione del blocco (bit) !Max. dimensione del messaggio (bit) !Dimensione della ''word'' (bit) !Passaggi !Operazioni !Collisioni trovate \|- align="center" \| colspan="2" \| '''SHA-0''' \|\| 160 \|\| 160 \|\| 512 \|\| 2<sup>64</sup> ~~−~~− 1 \|\| 32 \|\| 80 \|\| +,and,or,xor,~~rotfl~~ rotl \|\| ~~Yes~~Sì ~~\|- align="center"~~ ~~\| '''SHA-1''' \|\| 160 \|\| 160 \|\| 512 \|\| 2<sup>64</sup> − 1 \|\| 32 \|\| 80 \|\| +,and,or,xor,rotfl \|\| 2<sup>63</sup> attack~~ \|- align="center" \| colspan="2" \| '''SHA-1''' \|\| 160 \|\| 160 \|\| 512 \|\| 2<sup>64</sup> − 1 \|\| 32 \|\| 80 \|\| +,and,or,xor, rotl \|\| Attacco 2<sup>53</sup><ref>{{Cita web \|url=https://www.debian-administration.org/users/dkg/weblog/48 \|titolo=Weblog for dkg - HOWTO prep for migration off of SHA-1 in OpenPGP<!-- Titolo generato automaticamente --> \|accesso=4 maggio 2019 \|dataarchivio=3 maggio 2019 \|urlarchivio=https://web.archive.org/web/20190503073509/https://debian-administration.org/users/dkg/weblog/48 \|urlmorto=sì }}</ref> ~~\| '''SHA-256/224''' \|\| 256/224 \|\| 256 \|\| 512 \|\| 2<sup>64</sup> − 1 \|\| 32 \|\| 64 \|\| +,and,or,xor,shr,rotfr \|\| None yet~~ \|- align="center" \| rowspan="2" \| '''SHA-~~512/384~~2''' \|\| ~~512~~''SHA-256/~~384~~224'' \|\| ~~512~~256/224 \|\| ~~1024~~256 \|\| 512 \|\| 2<sup>~~128~~64</sup> ~~−~~− 1 \|\| 6432 \|\| 8064 \|\| +,and,or,xor,shr,~~rotfr~~ rotr \|\| ~~None yet~~Nessuna \|- align="center" \| ''SHA-512/384'' \|\| 512/384 \|\| 512 \|\| 1024 \|\| 2<sup>128</sup> − 1 \|\| 64 \|\| 80 \|\| +,and,or,xor,shr, rotr \|\| Nessuna \|} ==~~Applications~~ Applicazioni == SHA-1 è l'algoritmo più utilizzato della famiglia SHA. Costituisce la base di numerose applicazioni e protocolli, inclusi il [[Transport Layer Security\|TLS ed SSL]], il [[Pretty Good Privacy\|PGP]], l'[[Secure Shell\|SSH]], l'[[S/MIME]] e l'[[IPsec]]. L'SHA-1 è anche utilizzato in sistemi di [[controllo versione]], come il [[Git (software)\|Git]], per identificare la revisione dei software e come somma di controllo per verificare l'integrità di file di grosse dimensioni in cataloghi online. ~~{{details\|Cryptographic hash function#Applications}}~~ Gli algoritmi SHA sono anche utilizzati negli algoritmi per la [[firma digitale]] dei documenti, quali ad esempio l'[[HMAC]], e sono stati presi come base per i [[cifrario a blocchi\|cifrari a blocchi]] [[SHACAL]]. SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are the secure hash algorithms required by law for use in certain U. S. Government applications, including use within other cryptographic algorithms and protocols, for the protection of sensitive unclassified information. FIPS PUB 180-1 also encouraged adoption and use of SHA-1 by private and commercial organizations. == Esempi e pseudocodice == ~~A prime motivation for the publication of the Secure Hash Algorithm was the [[Digital Signature Algorithm\|Digital Signature Standard]], in which it is incorporated.~~ === Hash di esempio === Questo è un esempio di ''digest'' generato dall'SHA-1 (tutti i messaggi sono codificati in [[ASCII]]): SHA1("Cantami o diva del pelide Achille l'ira funesta") ~~The SHA hash functions have been used as the basis for the [[SHACAL]] [[block cipher]]s.~~ = 1f8a690b7366a2323e2d5b045120da7e93896f47 Anche una minima variazione nel messaggio genera, ineluttabilmente, un ''hash'' completamente differente a causa di una [[reazione a catena]] nota come ''effetto valanga''. Ad esempio, sostituendo <code>Cantami</code> con <code>Contami</code> otteniamo: ~~==Example hashes==~~ ~~{{main\|Examples of SHA digests}}~~ ~~The following is an example of SHA-1 digests. [[ASCII]] encoding is assumed for all messages.~~ SHA1("~~[[The~~C'''o'''ntami ~~quick~~o ~~brown~~diva ~~fox~~del ~~jumps~~pelide ~~over~~Achille ~~the~~l'ira ~~lazy dog]]~~funesta") = e5f08d98bf18385e2f26b904cad23c734d530ffb ~~= 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12~~ Il ''digest'' corrispondente alla stringa vuota è: Even a small change in the message will, with overwhelming probability, result in a completely different hash due to the [[avalanche effect]]. For example, changing <code>dog</code> to <code>cog</code>: SHA1("") ~~SHA1("The quick brown fox jumps over the lazy '''c'''og")~~ = da39a3ee5e6b4b0d3255bfef95601890afd80709 ~~= de9f2c7f d25e1b3a fad3e85a 0bd17d9b 100db4b3~~ === Pseudocodice di SHA-1 === ~~Other SHA examples can be found in [[examples of SHA digests]]~~ [[Pseudocodice]] dell'algoritmo SHA-1: <span style="color: green;">''Note: All variables are unsigned 32 bits and wrap modulo 2<sup>32</sup> when calculating''</span> ~~==Official validation==~~ ~~{{main\|CMVP}}~~ Implementations of all FIPS-approved security functions can be officially validated through the [[CMVP\|CMVP program]], jointly run by the [[National Institute of Standards and Technology]] (NIST) and the [[Communications Security Establishment]] (CSE). For informal verification, a package to generate a high number of test vectors is made available for download on the NIST site; the resulting verification however does not replace in any way the formal CMVP validation, which is required by law for certain applications. [[as of 2006\|As of October 2006]], there are more than 500 validated implementations of SHA-1, with fewer than ten of them capable of handling messages with a length in bits not a multiple of eight (see [http://csrc.nist.gov/cryptval/shs/shaval.htm SHS Validation List]). It is also important to note that some implementations available on the Internet do not digest the NIST validation vectors correctly, although they may correctly process the examples listed in the SHA-1 standard. ~~==SHA-1 algorithm==~~ ~~[[Pseudocode]] for the SHA-1 algorithm follows:~~ ~~<span style="color: green;">''Note: All variables are unsigned 32 bits and wrap modulo 2<sup>32</sup> when calculating''</span>~~ <span style="color: green;">''Initialize variables:''</span> h0 = 0x67452301 Riga 145 ⟶ 100: h3 = 0x10325476 h4 = 0xC3D2E1F0 <span style="color: green;">''Pre-processing:''</span> append the bit '1' to the message append k bits '0', where k is the minimum number ≥ 0 such that the resulting message length (in ''bits'') is [[~~modular~~aritmetica ~~arithmetic~~modulare\|congruent]] to 448 (mod 512) append length of message (before pre-processing), in ''bits'', as 64-bit [[Endianness\|big-endian]] integer <span style="color: green;">''Process the message in successive 512-bit chunks:''</span> break message into 512-bit chunks '''for''' each chunk break chunk into sixteen 32-bit big-endian words w[i], 0 <= i <= 15 <span style="color: green;">''Extend the sixteen 32-bit words into eighty 32-bit words:''</span> '''for''' i '''from''' 16 to 79 w~~[~~[i~~]~~] = (w~~[~~[i-3~~]~~] '''xor''' w~~[~~[i-8~~]~~] '''xor''' w~~[~~[i-14~~]~~] '''xor''' w~~[~~[i-16~~]~~]) '''~~[[Circular shift\|~~leftrotate]]''' 1 <span style="color: green;">''Initialize hash value for this chunk:''</span> a = h0 Riga 167 ⟶ 122: d = h3 e = h4 <span style="color: green;">''Main loop:''</span> '''for''' i '''from''' 0 to 79 Riga 182 ⟶ 137: f = b '''xor''' c '''xor''' d k = 0xCA62C1D6 temp = (a '''leftrotate''' 5) + f + e + k + w[i] e = d Riga 189 ⟶ 144: b = a a = temp <span style="color: green;">''Add this chunk's hash to result so far:''</span> h0 = h0 + a h1 = h1 + b h2 = h2 + c h3 = h3 + d h4 = h4 + e <span style="color:green;">''Produce the final hash value (big-endian):''</span> digest = hash = h0 '''append''' h1 '''append''' h2 '''append''' h3 '''append''' h4 Le seguenti formule possono essere utilizzate per calcolare <code>f</code> nel ciclo principale qui sopra pubblicato al posto di quelle originali pubblicate nel documento ufficiale FIPS PUB 180-1: ~~Instead of the formulation from the original FIPS PUB 180-1 shown, the following equivalent expressions may be used to compute <code>f</code> in the main loop above:~~ (0 ≤ i ≤ 19): f = d '''xor''' (b '''and''' (c '''xor''' d)) <span style="color: green;">''(alternative 1)''</span> (0 ≤ i ≤ 19): f = (b '''and''' c) '''xor''' (('''not''' b) '''and''' d) <span style="color: green;">''(alternative 2)''</span> (0 ≤ i ≤ 19): f = (b '''and''' c) + (('''not''' b) '''and''' d) <span style="color: green;">''(alternative 3)''</span>   (40 ≤ i ≤ 59): f = (b '''and''' c) '''or''' (d '''and''' (b '''or''' c)) <span style="color: green;">''(alternative 1)''</span> Riga 210 ⟶ 166: (40 ≤ i ≤ 59): f = (b '''and''' c) '''xor''' (b '''and''' d) '''xor''' (c '''and''' d) <span style="color: green;">''(alternative 4)''</span> === Pseudocodice di SHA-256 (una variante di SHA-2) === ~~==SHA-2 algorithm==~~ [[Pseudocode]] ~~for the~~dell'algoritmo SHA-256 ~~algorithm follows~~. Notare ~~Note~~l'incremento ~~the~~nel ~~great~~mescolamento ~~increase~~dei inbit ~~mixing~~delle ~~between bits of the~~word <code>w[16..63]</code> ~~words compared to~~rispetto all'SHA-1. <span style="color: green;">''Note: All variables are unsigned 32 bits and wrap modulo 2<sup>32</sup> when calculating''</span> <span style="color:green;">''Initialize variables''</span> <span style="color:green;">(first 32 bits of the <em>fractional parts</em> of the square roots of the first 8 primes 2..19):</span> h0 := 0x6a09e667 h1 := 0xbb67ae85 Riga 225 ⟶ 181: h6 := 0x1f83d9ab h7 := 0x5be0cd19 <span style="color:green;">''Initialize table of round constants''</span> <span style="color:green;">(first 32 bits of the ~~<em>~~''fractional parts~~</em>~~'' of the cube roots of the first 64 primes 2..311):</span> k[0..63] := 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, Riga 237 ⟶ 193: 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 <span style="color:green;">''Pre-processing:''</span> append the bit '1' to the message append k bits '0', where k is the minimum number >= 0 such that the resulting message length (in ''bits'') is [[~~modular~~aritmetica ~~arithmetic~~modulare\|congruent]] to 448 (mod 512) append length of message (before pre-processing), in ''bits'', as 64-bit big-endian integer <span style="color:green;">''Process the message in successive 512-bit chunks:''</span> break message into 512-bit chunks '''for''' each chunk break chunk into sixteen 32-bit big-endian words w[0..15] <span style="color:green;">''Extend the sixteen 32-bit words into sixty-four 32-bit words:''</span> '''for''' i '''from''' 16 to 63 Riga 254 ⟶ 210: s1 := (w[i-2] '''rightrotate''' 17) '''xor''' (w[i-2] '''rightrotate''' 19) '''xor''' (w[i-2] '''rightshift''' 10) w[i] := w[i-16] '''+''' s0 '''+''' w[i-7] '''+''' s1 <span style="color:green;">''Initialize hash value for this chunk:''</span> a := h0 Riga 264 ⟶ 220: g := h6 h := h7 <span style="color:green;">''Main loop:''</span> '''for''' i '''from''' 0 to 63 Riga 273 ⟶ 229: ch := (e '''and''' f) '''xor''' (('''not''' e) '''and''' g) t1 := h + s1 + ch + k[i] + w[i] h := g g := f Riga 282 ⟶ 238: b := a a := t1 + t2 <span style="color:green;">''Add this chunk's hash to result so far:''</span> h0 := h0 + a h1 := h1 + b h2 := h2 + c h3 := h3 + d h4 := h4 + e h5 := h5 + f h6 := h6 + g h7 := h7 + h <span style="color:green;">''Produce the final hash value (big-endian):''</span> digest = hash = h0 '''append''' h1 '''append''' h2 '''append''' h3 '''append''' h4 '''append''' h5 '''append''' h6 '''append''' h7 ~~The~~Le funzioni <code>ch</code> ~~and~~e <code>maj</code> ~~functions can be~~possono ~~optimized~~essere ~~the~~ottimizzate ~~same~~nel ~~way~~modo asdescritto ~~described~~per ~~for~~quelle dell'SHA-1. L'SHA-224 è identico all'SHA-256 tranne che: * i valori iniziali delle variabili <code>h0</code>-<code>h7</code> sono differenti e * l'output è costruito omettendo <code>h7</code>. L'SHA-512 è identico nella struttura ma: ~~SHA-224 is identical to SHA-256, except that:~~ * tutti i numeri sono lunghi 64 bit, * the initial variable values <code>h0</code> through <code>h7</code> are different, and * sono eseguiti 80 passaggi invece di 64, * the output is constructed by omitting <code>h7</code>. * i valori iniziali e le costanti da addizionare sono estesi a 64 bit e * le quantità delle rotazioni (''rotate'') e degli spostamenti (''shift'') sono differenti. L'SHA-384 è identico all'SHA-512 tranne che: ~~SHA-512 is identical in structure, but:~~ * i valori iniziali <code>h0</code>-<code>h7</code> sono differenti e * all numbers are 64 bits long, * l'output è costruito omettendo <code>h6</code> e <code>h7</code>. * there are 80 rounds instead of 64, * the initial values and additive constants are extended to 64 bits, and * the shift and rotate amounts used are different. == Note == ~~SHA-384 is identical to SHA-512, except that:~~ <references/> * the initial values <code>h0</code> through <code>h7</code> are different, and * the output is constructed by omitting <code>h6</code> and <code>h7</code>. ==~~See~~ ~~also~~Bibliografia == * Florent Chabaud, Antoine Joux: Differential Collisions in SHA-0. [[CRYPTO]] 1998. pp56–71 * [[Digital timestamping]] * [[Eli Biham]], Rafi Chen, Near-Collisions of SHA-0, Cryptology ePrint Archive, Report 2004/146, 2004 (appeared on CRYPTO 2004) [https://eprint.iacr.org/2004/146/] * [[Hashcash]] * Joux, Carribault, Lemuet, Jalby: Collision for the full SHA-0 algorithm, CRYPTO 2004 [https://www.mail-archive.com/cryptography@metzdowd.com/msg02554.html] * [[RIPEMD-160]] * [[Xiaoyun Wang]], Hongbo Yu and Yiqun Lisa Yin, Efficient Collision Search Attacks on SHA-0, CRYPTO 2005 [https://web.archive.org/web/20070925185053/http://www.infosec.sdu.edu.cn/paper/Efficient%20Collision%20Search%20Attacks%20on%20SHA-0.pdf] * [[WHIRLPOOL]] * [[Xiaoyun Wang]], Yiqun Lisa Yin and Hongbo Yu, Finding Collisions in the Full SHA-1, CRYPTO 2005 [https://web.archive.org/web/20070925185047/http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf] * [[Henri Gilbert]], [[Helena Handschuh]]: Security Analysis of SHA-256 and Sisters. [[Selected Areas in Cryptography]] 2003: pp175–193 * {{Cita pubblicazione\|titolo=Proposed Revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard\|rivista=Federal Register\|data=11 luglio 1994\|nome=\|cognome=\|volume=59\|numero=131\|pp=35317-35318\|url=http://frwebgate1.access.gpo.gov/cgi-bin/waisgate.cgi?WAISdocID=5963452267+0+0+0&WAISaction=retrieve\|accesso=26 aprile 2007\|urlmorto=sì}} == Voci correlate == ~~==References==~~ * [[Funzione di hash]] ~~{{Reflist}}~~ * [[SHA-3]] ~~{{refbegin}}~~ * Florent Chabaud, Antoine Joux: Differential Collisions in SHA-0. [[CRYPTO]] 1998. pp56–71 * [[Eli Biham]], Rafi Chen, Near-Collisions of SHA-0, Cryptology ePrint Archive, Report 2004/146, 2004 (appeared on CRYPTO 2004) [http://eprint.iacr.org/2004/146/] * Joux, Carribault, Lemuet, Jalby: Collision for the full SHA-0 algorithm, CRYPTO 2004 [http://www.mail-archive.com/cryptography@metzdowd.com/msg02554.html] * [[Xiaoyun Wang]], Hongbo Yu and Yiqun Lisa Yin, Efficient Collision Search Attacks on SHA-0, CRYPTO 2005 [http://www.infosec.sdu.edu.cn/paper/Efficient%20Collision%20Search%20Attacks%20on%20SHA-0.pdf] * [[Xiaoyun Wang]], Yiqun Lisa Yin and Hongbo Yu, Finding Collisions in the Full SHA-1, CRYPTO 2005 [http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf] * [[Henri Gilbert]], [[Helena Handschuh]]: Security Analysis of SHA-256 and Sisters. [[Selected Areas in Cryptography]] 2003: pp175–193 * {{cite journal\|title=Proposed Revision of Federal Information Processing Standard (FIPS) 180, Secure Hash Standard\|journal=Federal Register\|date=1994-07-11\|first=\|last=\|coauthors=\|volume=59\|issue=131\|pages=35317-35318\|id= \|url=http://frwebgate1.access.gpo.gov/cgi-bin/waisgate.cgi?WAISdocID=5963452267+0+0+0&WAISaction=retrieve\|format=\|accessdate=2007-04-26}} ~~{{refend}}~~ == Collegamenti esterni == ~~==External links==~~ * {{FOLDOC}} ~~<!-- We suffer from a lot of self promotion here. Please do not add a link to you own site. It will be removed, and you may be blocked without further warning. -->~~ === Siti Internet per il calcolo degli hash === * [http://www.hashemall.com Hash'em all!] ~~—~~— Hashing online di testo e files con svariati algoritmi * [https://www.web4human.it/utility/online-SHA1-encrypt Web4Human] — Hashing online con algoritmi SHA1, SHA224, SHA256 e SHA512 * http://www.johnmaguire.us/tools/hashcalc/index.php – Consente l'encoding di stringhe di lunghezza nulla * https://web.archive.org/web/20071216092901/http://www.johnmaguire.us/tools/hashcalc/index.php – Consente l'encoding di stringhe di lunghezza nulla * [https://web.archive.org/web/20090422125354/http://www.sha1-lookup.com/ SHA-1 Lookup] – Database with several millions SHA-1 hashes. Implemented as an online reverse search. * {{cita web \| 1 = http://www.hash.spugesoft.com \| 2 = Simple hash calculator \| accesso = 5 maggio 2019 \| urlarchivio = https://web.archive.org/web/20120628110601/http://www.hash.spugesoft.com/ \| dataarchivio = 28 giugno 2012 \| urlmorto = sì }} * [https://web.archive.org/web/20160804151123/http://www.sha1-file.com/ SHA-1 Text file line per line] – Allows to sha1-hash every line of a text file. ===~~Standards~~ Standard: SHA-0, SHA-1, SHA-2, SHA-3... === * [https://web.archive.org/web/20070929104512/http://www.eff.org/Privacy/Digital_signature/?f=fips_sha_shs.standard.txt Specifications for a Secure Hash Standard (SHS)] ~~–~~– Draft for proposed SHS standard (SHA-0) * [https://web.archive.org/web/20070929104954/http://www.eff.org/Privacy/Digital_signature/?f=fips_sha_shs.info.txt Secure Hash Standard (SHS)] ~~–~~– Proposed SHS standard (SHA-0) * RFC 3174, “US Secure Hash Algorithm 1 (SHA-1)” * RFC 4634, “US Secure Hash Algorithms (SHA and HMAC-SHA)” * [https://web.archive.org/web/20070113064108/http://csrc.nist.gov/CryptoToolkit/tkhash.html CSRC Cryptographic Toolkit] ~~–~~– Official [[National Institute of Standards and Technology\|NIST]] site for the Secure Hash Standard [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf FIPS 180-2: Secure Hash Standard (SHS)] {{Webarchive\|url=https://web.archive.org/web/20120312101511/http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf \|date=12 marzo 2012 }} ([[Portable Document Format\|PDF]], 236 kB) ~~–~~– Current version of the Secure Hash Standard (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512), 1 August 2002, amended 25 February 2004 [~~http~~https://~~www~~web.archive.org/web/20110625054822/http://csrc.nist.gov/groups/ST/~~hash~~toolkit/~~index~~secure_hashing.html NIST ~~Cryptographic~~secure ~~Hash Project~~hashing] ~~SHA-3~~Pagina ~~competition~~relativa agli algoritmi di hashing del NIST * [https://web.archive.org/web/20100505162618/http://csrc.nist.gov/groups/ST/hash/index.html NIST Cryptographic Hash Project] SHA-3 competition ===~~Cryptanalysis~~ Crittoanalisi === * [{{cita web \| 1 = http://news.zdnet.com/2100-1009_22-5598536.html ~~Interview~~\| ~~with~~2 = Intervista con Yiqun Lisa Yin ~~concerning~~sull'attacco ~~the~~all'SHA-1 ~~attack~~\| onaccesso ~~SHA~~= 30 gennaio 2008 \| urlarchivio = https://web.archive.org/web/20071216153828/http://news.zdnet.com/2100-1]1009_22-5598536.html \| dataarchivio = 16 dicembre 2007 \| urlmorto = sì }} * [{{cita web \| 1 = http://cm.bell-labs.com/who/akl/hash.pdf \| 2 = Lenstra's Summary of impact of the February 2005 cryptanalytic results] \| accesso = 30 gennaio 2008 \| urlarchivio = https://web.archive.org/web/20080228075552/http://cm.bell-labs.com/who/akl/hash.pdf \| dataarchivio = 28 febbraio 2008 \| urlmorto = sì }} * [http://www.heise-security.co.uk/articles/75686 Explanation of the successful attacks on SHA-1] (3 pages, 2006) ===~~Implementations~~ Implementazioni === * [https://web.archive.org/web/20140414075014/https://www.openssl.org/ The OpenSSL Project] – La diffusa libreria [[OpenSSL]] include [[free software\|software libero]] ed [[open source]] con implementazione dell'SHA-1, SHA-224, SHA-256, SHA-384 ed SHA-512 ~~<!-- This section should include only implementations that are commercially or algorithmically significant, such as those widely used in existing technologies and platforms -->~~ * [https://www.cryptopp.com/ Crypto++] Crypto++, libreria libera in C++ con schemi crittografici * [http://www.openssl.org/ The OpenSSL Project] – The widely used OpenSSL <code>crypto</code> library includes [[free software\|free]], [[open source\|open-source]] implementations of SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 * [https://www.bouncycastle.org/ Bouncy Castle] La libreria Bouncy Castle è una libreria libera in Java e C# che contiene implementazioni dell'SHA-1, SHA-224, SHA-256, SHA-384 ed SHA-512, e di altri algoritmi di hash. * [http://www.cryptopp.com/ Crypto++] Crypto++ Library is a free C++ class library of cryptographic schemes. * [http://www.bouncycastle.org/ Bouncy Castle] The Bouncy Castle Library is a free Java and C# class library that contains implementations of the SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 algorithms as well as other algorithms like [[Whirlpool_%28cryptography%29\|Whirlpool]], [[Tiger_%28hash%29\|Tiger]], [[RIPEMD]], GOST-3411, [[MD2_%28cryptography%29\|MD2]], [[MD4]] and [[MD5]]. === Tutorial e codici d'esempio === ~~===Tutorials and example code===~~ * [[Wikia:Code:SHA checksum\|Comparazione della funzione SHA in differenti linguaggi]] <!-- Moved all implementations by individual programmers to this section and rearranged the entries by last name; I wish this entire section could be deleted, because, although these individuals are to be congratulated for their programming skills, including these links in the main article comes across as more of a case of people showing off their own code rather than as commercially or algorithmically significant implementations that absolutely have to be mentioned in this article --> * [http://www.packetizer.com/security/sha1/ Implementazioni in C e C++ dell'SHA-1, inclusi binari per Win32 e Linux] di Paul E. Jones (RFC Co-Author) * [[Wikia:Code:SHA checksum\|Comparison of SHA function in different languages]] * [https://web.archive.org/web/20080118135855/http://fp.gladman.plus.com/cryptography_technology/sha/index.htm Implementazione in C dell'SHA] di Brian Gladman * [http://xyssl.org/code/source/sha1/ A SHA-1 implementation in C] by Christophe Devine * [http://www.tayloredge.com/utilities/vbapps/SHA1_VBSource.txt Implementazione in Visual Basic dell'SHA-1] di John Taylor * [http://www.packetizer.com/security/sha1/ SHA-1 implementations in C and C++, including Win32 and Linux binaries] by Paul E. Jones (RFC Co-Author) * [http://www.~~ouah~~movable-type.co.~~org~~uk/~~ogay~~scripts/~~sha2~~sha1.html ~~A SHA-2 implementation~~Implementazione in CJavaScript dell'SHA-1] bydi ~~Olivier~~Chris ~~Gay~~Veness * {{cita web\|http://cryptojs.altervista.org/hash.html\|Implementazione in JavaScript delle funzioni di HASH (md4, md5, sha-1, sha-2)}} * [http://fp.gladman.plus.com/cryptography_technology/sha/index.htm A SHA implementation in C] by Brian Gladman * [http://e-cat.nm.ru/SHA256.html SHA-2 implementation in Delphi] by eCat <!-- Please note that this version gives incorrect results, as it is not SHA-256. --> <small> (Note: This version may give incorrect results for SHA-256.) </small> * [http://www.tayloredge.com/utilities/vbapps/SHA1_VBSource.txt A Visual Basic SHA-1 implementation] by John Taylor * [http://www.movable-type.co.uk/scripts/sha1.html SHA-1 implementation in JavaScript] by Chris Veness ===~~Test~~ ~~Vectors~~Vettori di test === The [[NESSIE]] project [https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/sha/index.html test vectors] for [https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/sha/Sha-1-160.test-vectors SHA-1], [https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/sha/Sha-2-256.unverified.test-vectors SHA-256], [https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/sha/Sha-2-384.unverified.test-vectors SHA-384], and [https://www.cosic.esat.kuleuven.be/nessie/testvectors/hash/sha/Sha-2-512.unverified.test-vectors SHA-512]. {{Hash e MAC}} ~~=== SHA1 reverse lookup databases ===~~ {{Portale\|crittografia\|Sicurezza informatica}} * [http://hashsearch.com HASHsearch] - decodifica gli hash MD5 e SHA1 (480 000+ stringhe) ~~-->~~ ~~{{Portale\|matematica}}~~ [[csCategoria:~~Secure~~ Hash ~~Algorithm~~crittografici]] ~~[[da:SHA]]~~ ~~[[de:Secure Hash Algorithm]]~~ ~~[[en:SHA hash functions]]~~ ~~[[es:SHA]]~~ ~~[[fi:SHA]]~~ ~~[[fr:SHA-1]]~~ ~~[[he:SHA]]~~ ~~[[hr:SHA-1]]~~ ~~[[ja:SHA]]~~ ~~[[ko:SHA]]~~ ~~[[lt:SHA]]~~ ~~[[nl:SHA-familie]]~~ ~~[[pl:SHA-1]]~~ ~~[[pt:SHA1]]~~ ~~[[ru:SHA-1]]~~ ~~[[sr:SHA]]~~ ~~[[vi:SHA]]~~ ~~[[zh:SHA 家族]]~~