将sha2/sha3截断为16个字节是否比使用crc32更糟糕,后者本身提供了16个字节的开头? [英] Is truncating sha2/sha3 to 16 bytes worse than using crc32 which itself gives 16 bytes to begin with?
问题描述
我在CBC模式下使用AES128,我需要一个16字节的密钥,因此我想知道是使用sha2还是sha3,然后将其截断为16个字节(从左边获取前16个字节)是否会使sha2/sha3比crc32弱,它给我开箱即用的16个字节.
I am using AES128 in CBC mode, and I need a 16-byte key, so I was wondering if using sha2 or sha3 and then truncating it to 16 bytes (take first 16 bytes from the left) would make sha2/sha3 weaker than crc32 which gives me 16 bytes out of the box.
推荐答案
加密安全哈希的每个位实际上都是随机的(即独立于所有其他位).非加密哈希不是这样.此属性对于安全密钥至关重要.您应该始终使用加密哈希来进行密钥推导.
Each bit of a cryptographically secure hash is effectively random (i.e. independent of all the other bits). This is not true of non-cryptographic hashes. This property is critical for a secure key. You should always use a cryptographic hash for key derivation.
截断较长的安全哈希是创建较短长度的安全哈希的一种完全可接受的方法.您还可以选择任何位子集,而不仅是最高有效位或最低有效位.如果不正确,则原始哈希本身将不安全,因为这将暗示输出中存在一些非随机性.
Truncating a long secure hash is a perfectly acceptable way to create a secure hash of shorter length. You may also select any subset of bits rather than just the most significant or least significant. If this weren't true, then the original hash would not itself be secure, because it would suggest some non-randomness in the output.
SHA-2和SHA-3旨在成为加密安全的哈希(目前,我们相信它们是).CRC甚至都不打算在密码学上是安全的.
SHA-2 and SHA-3 intend to be cryptographically secure hashes (and at this point, we believe they are). CRC does not even intend to be cryptographically secure.
如果输入的密钥材料本身不是随机的,则像SHA系列之类的快速散列可能会受到强力攻击.如果是这样,那么您需要使用键扩展以及散列,例如,使用PBKDF2.
If the input key material is not itself random, then a fast hash like the SHA series may be subject to brute force. If so, then you need to use key stretching as well as hashing, for example with PBKDF2.
但是,任何情况下都不要使用CRC.它并非旨在作为安全哈希.
But you should never use CRC for any of this. It is not intended to be a secure hash.
有关更多讨论,请参见"SHA-256"与"SHA-512的任何256位"相比,哪个更安全?
For more discussion, see Should I use the first or last bits from a SHA-256 hash? and "SHA-256" vs "any 256 bits of SHA-512", which is more secure?
这篇关于将sha2/sha3截断为16个字节是否比使用crc32更糟糕,后者本身提供了16个字节的开头?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
