C++實踐(五)C++實現認證演算法:基於SHA-512的HMAC
基於SHA-512的HMAC演算法
SHA是使用最廣泛的Hash函式。其家族有SHA-1,SHA-2(包括SHA-256/SHA-384/SHA-512)。SHA1與SHA2都使用了同樣的迭代結構和模算術與二元邏輯操作。在本實驗中,我們採用SHA-512。
SHA-512演算法
SHA-512的邏輯
演算法的輸入為長度小於128位的資訊(實際實現中我們假定輸入的資訊長度小於64位),
輸出時512位的訊息摘要。輸入資訊以1024位的小組為單位處理。過程如圖:
該過程包含如下步驟:
①附加填充位
在輸入訊息後面填充一個1,再填充若干個0使其長度模1024與896同餘。不管輸入訊息長度如何,都要進行填充。
②附加長度
在訊息後面附加一個128bit的塊表示原始訊息的長度。本實驗中假設所有輸入的訊息長度都小於2^64-1,所以我們只處理最後附加塊的低64bit。
③初始化Hash緩衝區
Hash函式的中間結果和最終結果都儲存在512bit的緩衝區中。該緩衝區可以用8個64bit的暫存器表示。初始值如下:
mState[0] = 0x6a09e667f3bcc908;
mState[1] = 0xbb67ae8584caa73b;
mState[2] = 0x3c6ef372fe94f82b;
mState[3] = 0xa54ff53a5f1d36f1;
mState[4] = 0x510e527fade682d1;
mState[5] = 0x9b05688c2b3e6c1f;
mState[6] = 0x1f83d9abfb41bd6b;
mState[7] = 0x5be0cd19137e2179;
注意這些值以高位在前的格式儲存。由於我們採用的是Intel x86系列CPU,該型CPU為小端儲存,滿足要求,所以為簡便起見這裡我們不再作任何處理。
④以1024為單位處理資訊,共有80輪,如下圖所示:
⑤輸出
所有N個1024分組處理完畢後,從緩衝區輸出512bit的訊息摘要。
SHA-512的輪函式
每一輪的過程由如下函式定義:
ROTRn(x)=對64位變數迴圈右移n位。
輪訊息Wt的產生如下圖所示:
其中SHRn(x)對64位元變數x向左移動n位,右邊填充0。
基於SHA-512的HMAC演算法
演算法描述如圖:
首先,判斷輸入的金鑰K的長度是否符合要求:若K的長度大於1024bits,則我們用SHA-512對K作一次Hash,得到的輸出長度將為512bits,作為新的金鑰;接著將金鑰的長度擴充套件到1024bits(在金鑰的左邊填入0)。
然後按照下式計算:
其中,opad[i]=0x5c,ipad[i]=0x36,opad與ipad的長度與金鑰的長度相同,即1024bits.
SHA-512測試
編寫SHA512類
該類主要有四個成員函式,其中void init()進行必要的初始化工作,即初始化靜態常量(輪常數等);void process(const unsigned char *msg, unsigned long inlen)從輸入的訊息產生訊息摘要;void hash(unsigned char *out)獲取訊息摘要;void calc()進行每輪的必要計算。
測試SHA512類
參考FIPS Publication 180-2中給出的兩個例子,比對訊息分組、每輪運算時的緩衝區的值,結果符合預期。
①測試資料message=”abc”,
hash= 0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba,
0xcc, 0x41, 0x73, 0x49, 0xae, 0x20, 0x41, 0x31,
0x12, 0xe6, 0xfa, 0x4e, 0x89, 0xa9, 0x7e, 0xa2,
0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55, 0xd3, 0x9a,
0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8,
0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd,
0x45, 0x4d, 0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e,
0x2a, 0x9a, 0xc9, 0x4f, 0xa5, 0x4c, 0xa4, 0x9f
實驗結果如下:
訊息擴充套件過程中,將資料塊各字分別賦值給W0~W15:
第46、47輪時緩衝區的值如下,經比對與FIPS Publication 180-2中給出的結果一致。
最後得到訊息摘要,在main函式中我們檢查產生的訊息摘要,當該訊息摘要與預先準備的hash值一致時會輸出“true!”。
②測試資料:
message=”abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu”
hash= 0x8e, 0x95, 0x9b, 0x75, 0xda, 0xe3, 0x13, 0xda,
0x8c, 0xf4, 0xf7, 0x28, 0x14, 0xfc, 0x14, 0x3f,
0x8f, 0x77, 0x79, 0xc6, 0xeb, 0x9f, 0x7f, 0xa1,
0x72, 0x99, 0xae, 0xad, 0xb6, 0x88, 0x90, 0x18,
0x50, 0x1d, 0x28, 0x9e, 0x49, 0x00, 0xf7, 0xe4,
0x33, 0x1b, 0x99, 0xde, 0xc4, 0xb5, 0x43, 0x3a,
0xc7, 0xd3, 0x29, 0xee, 0xb6, 0xdd, 0x26, 0x54,
0x5e, 0x96, 0xe5, 0x5b, 0x87, 0x4b, 0xe9, 0x09
這個測試資料的長度剛好是896bits,非常有代表性。
測試結果如下,符合預期。
經過這兩步測試,我們的SHA512類基本正確了。
利用網站http://www.atool.org/hash.php 我們可以進一步測試SHA512類。
基於SHA-512的Hmac測試
編寫HMAC類
HMAC類繼承了SHA512類。在建構函式中我們進行初始化、對金鑰長度的處理、計算HMAC值。
建構函式:HMAC(const unsigned char *in, uint64_t len, const unsigned char *key, uint64_t keyLen, unsigned char *out);
注意:為了通用,我們傳入的是unsigned char 的指標。所以還必須傳入訊息的長度及金鑰的長度,因為輸入的訊息、金鑰都是unsigned char型別的指標,我們必須要知道該指標指向的資料塊的長度。產生訊息並使用HMAC類的物件應該知道訊息、金鑰的長度。
void keyPadding(const unsigned char *key, uint64_t keyLen)進行金鑰長度預處理。
測試
測試資料為:message=”abc”,key=”abc”。測試結果如下:
測試資料為:
message=”abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu”
key=”abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmno
pqklmnopqrlmnopqrsmnopqrstnopqrstu”
結果如下:
由於沒有找到HMAC-SHA-512的測試資料集,所以實驗結果是否正確還有待進一步考量。但從結果看(例子見參考文獻),金鑰預處理步驟基本正確。
sha512.h
/************************************************************************/
/*SHA512:
/*Author: chenweiliang
/*Version: 1.0
/*Note: To see detail information please uncomment macro DEBUG
/*Reference: library Tomcrypt
/************************************************************************/
#include <stdio.h>
#include <stdint.h>
#ifndef __SHA_512_H
#define __SHA_512_H
#endif // !__SHA_512_H
#ifndef DEBUG
//#define DEBUG
#endif
#define STORE64H(x, y) \
{ (y)[0] = (unsigned char)(((x) >> 56) & 255); (y)[1] = (unsigned char)(((x) >> 48) & 255); \
(y)[2] = (unsigned char)(((x) >> 40) & 255); (y)[3] = (unsigned char)(((x) >> 32) & 255); \
(y)[4] = (unsigned char)(((x) >> 24) & 255); (y)[5] = (unsigned char)(((x) >> 16) & 255); \
(y)[6] = (unsigned char)(((x) >> 8) & 255); (y)[7] = (unsigned char)((x)& 255); }
#define LOAD64H(x, y) \
{ x = (((uint64_t)((y)[0] & 255)) << 56) | (((uint64_t)((y)[1] & 255)) << 48) | \
(((uint64_t)((y)[2] & 255)) << 40) | (((uint64_t)((y)[3] & 255)) << 32) | \
(((uint64_t)((y)[4] & 255)) << 24) | (((uint64_t)((y)[5] & 255)) << 16) | \
(((uint64_t)((y)[6] & 255)) << 8) | (((uint64_t)((y)[7] & 255))); }
typedef unsigned long long uint64_t;
class SHA512{
public:
SHA512();
virtual ~SHA512();
void hash(unsigned char *out);
void process(const unsigned char *in, unsigned long inlen);
protected:
//Length of the hashcode:64bytes
static const int HASHCODE_SIZE = 64;
//Length of the block size:128bytes
static const int MSG_BLOCK_SIZE = 128;
private:
static const uint64_t const_K[80];
uint64_t mState[8];
//length of the message
uint64_t mLength;
//length of the current block
uint64_t mCurLen;
//current block of the message
unsigned char mBlock[128];
uint64_t ch(uint64_t x, uint64_t y, uint64_t z);
uint64_t maj(uint64_t x, uint64_t y, uint64_t z);
uint64_t rotr(uint64_t x, int n);
uint64_t shr(uint64_t x, int n);
uint64_t sigma0(uint64_t x);
uint64_t sigma1(uint64_t x);
uint64_t gamma0(uint64_t x);
uint64_t gamma1(uint64_t x);
void init();
void calc();
public:
void print1024(unsigned char *data);
void print64(unsigned char data[]);
};
sha512.cpp
/************************************************************************/
/*SHA512:
/*Author: chenweiliang
/*Version: 1.0
/*Note: To see detail information please uncomment macro DEBUG
/*Reference: library Tomcrypt
/************************************************************************/
#ifndef __SHA_512_H
#include "sha_512.h"
#endif // !__SHA_512_H
const uint64_t SHA512::const_K[80] =
{
0x428a2f98d728ae22, 0x7137449123ef65cd,
0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
0x3956c25bf348b538, 0x59f111f1b605d019,
0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
0xd807aa98a3030242, 0x12835b0145706fbe,
0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
0x72be5d74f27b896f, 0x80deb1fe3b1696b1,
0x9bdc06a725c71235, 0xc19bf174cf692694,
0xe49b69c19ef14ad2, 0xefbe4786384f25e3,
0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
0x2de92c6f592b0275, 0x4a7484aa6ea6e483,
0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
0x983e5152ee66dfab, 0xa831c66d2db43210,
0xb00327c898fb213f, 0xbf597fc7beef0ee4,
0xc6e00bf33da88fc2, 0xd5a79147930aa725,
0x06ca6351e003826f, 0x142929670a0e6e70,
0x27b70a8546d22ffc, 0x2e1b21385c26c926,
0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
0x650a73548baf63de, 0x766a0abb3c77b2a8,
0x81c2c92e47edaee6, 0x92722c851482353b,
0xa2bfe8a14cf10364, 0xa81a664bbc423001,
0xc24b8b70d0f89791, 0xc76c51a30654be30,
0xd192e819d6ef5218, 0xd69906245565a910,
0xf40e35855771202a, 0x106aa07032bbd1b8,
0x19a4c116b8d2d0c8, 0x1e376c085141ab53,
0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb,
0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
0x748f82ee5defb2fc, 0x78a5636f43172f60,
0x84c87814a1f0ab72, 0x8cc702081a6439ec,
0x90befffa23631e28, 0xa4506cebde82bde9,
0xbef9a3f7b2c67915, 0xc67178f2e372532b,
0xca273eceea26619c, 0xd186b8c721c0c207,
0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
0x06f067aa72176fba, 0x0a637dc5a2c898a6,
0x113f9804bef90dae, 0x1b710b35131c471b,
0x28db77f523047d84, 0x32caab7b40c72493,
0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
0x4cc5d4becb3e42b6, 0x597f299cfc657e2a,
0x5fcb6fab3ad6faec, 0x6c44198c4a475817
};
SHA512::SHA512()
{
init();
}
void SHA512::init()
{
mLength = 0;
mState[0] = 0x6a09e667f3bcc908;
mState[1] = 0xbb67ae8584caa73b;
mState[2] = 0x3c6ef372fe94f82b;
mState[3] = 0xa54ff53a5f1d36f1;
mState[4] = 0x510e527fade682d1;
mState[5] = 0x9b05688c2b3e6c1f;
mState[6] = 0x1f83d9abfb41bd6b;
mState[7] = 0x5be0cd19137e2179;
}
void SHA512::process(const unsigned char *in, unsigned long inlen)
{
init();
mCurLen = 0;
for (int j = 0; j < inlen; j++){
mBlock[mCurLen] = in[j];
mCurLen++;
mLength += 8;
if (mCurLen == 128){
mCurLen = 0;
#ifdef DEBUG
printf("Block %d\n", inlen / 128);
print1024(mBlock);
#endif // DEBUG
calc();
}
}
//append the '1' bit
mBlock[mCurLen] = 0x80;
mCurLen++;
//if the length is currently above 112 bytes we append zeros and calc()
// Then we can fall back to padding zeros and length encoding like normal
if (mCurLen > 112){
for (; mCurLen < 128; mCurLen++){
mBlock[mCurLen] = 0x00;
}
calc();
mCurLen = 0;
}
//We assume that the data length is less than 2^64
//Hence,the length of the message is 64-bit,namely 8 bytes.
while (mCurLen <= 120){
mBlock[mCurLen] = 0x00;
mCurLen++;
}
//store length
for (int i = mCurLen; i < 128; i++){
mBlock[i] = (unsigned char)(mLength >> (8 * (127 - i)));
}
#ifdef DEBUG
printf("last Block:\n");
print1024(mBlock);
#endif // DEBUG
calc();
}
void SHA512::hash(unsigned char *out)
{
for (int i = 0; i < 8; i++){
STORE64H(mState[i], out + (8 * i));
}
}
void SHA512::calc()
{
uint64_t S[8];
uint64_t W[80];
uint64_t t0, t1;
//copy state into S
for (int i = 0; i < 8; i++){
S[i] = mState[i];
}
// for (int i = 0; i < 128; i += 8)
// W[i >> 3] =
// ((uint64_t)mBlock[i + 0]) << 56 | ((uint64_t)mBlock[i + 1]) << 48 | ((uint64_t)mBlock[i + 2]) << 40 |
// ((uint64_t)mBlock[i + 3]) << 32 | ((uint64_t)mBlock[i + 4]) << 24 | ((uint64_t)mBlock[i + 5]) << 16 |
// ((uint64_t)mBlock[i + 6]) << 8 | ((uint64_t)mBlock[i + 7]);
for (int i = 0; i < 16; i++) {
LOAD64H(W[i], mBlock + (8 * i));
}
#ifdef DEBUG
unsigned char tw[128];
for (int i = 0; i < 16; i++){
STORE64H(W[i], tw + (8 * i));
}
for (int i = 0; i < 16; i++){
printf("W%d=", i);
print64(tw+i*8);
}
#endif // DEBUG
//fill W[16..79]
for (int i = 16; i < 80; i++){
W[i] = gamma1(W[i - 2]) + W[i - 7] + gamma0(W[i - 15]) + W[i - 16];
}
for (int i = 0; i < 80; i++){
t0 = S[7] + ch(S[4], S[5], S[6]) + sigma1(S[4]) + W[i] + const_K[i];
t1 = sigma0(S[0]) + maj(S[0], S[1], S[2]);
S[7] = S[6];
S[6] = S[5];
S[5] = S[4];
S[4] = S[3] + t0;
S[3] = S[2];
S[2] = S[1];
S[1] = S[0];
S[0] = t0 + t1;
unsigned char temp[64];
#ifdef DEBUG
for (int i = 0; i < 8; i++){
STORE64H(S[i], temp + (8 * i));
}
printf("--------------------------Round %d------------------------------\n",i);
printf("a:");
print64(temp);
printf("b:");
print64(temp + 8);
printf("c:");
print64(temp + 16);
printf("d:");
print64(temp + 24);
printf("e:");
print64(temp + 32);
printf("f:");
print64(temp + 40);
printf("g:");
print64(temp + 48);
printf("h:");
print64(temp + 56);
#endif // DEBUG
}
// feedback
for (int i = 0; i < 8; i++){
mState[i] += S[i];
}
}
inline uint64_t SHA512::ch(uint64_t x, uint64_t y, uint64_t z)
{
return ((x& y) ^ ((~x) & z));
}
inline uint64_t SHA512::maj(uint64_t x, uint64_t y, uint64_t z)
{
return (x&y) ^ (x&z) ^ (y&z);
}
inline uint64_t SHA512::rotr(uint64_t x, int n)
{
return ((x >> n) | (x << (64 - n)));
}
inline uint64_t SHA512::shr(uint64_t x, int n)
{
return x >> n;
}
inline uint64_t SHA512::sigma0(uint64_t x)
{
return rotr(x, 28) ^ rotr(x, 34) ^ rotr(x, 39);
}
inline uint64_t SHA512::sigma1(uint64_t x)
{
return rotr(x, 14) ^ rotr(x, 18) ^ rotr(x, 41);
}
inline uint64_t SHA512::gamma0(uint64_t x)
{
return rotr(x, 1) ^ rotr(x, 8) ^ shr(x, 7);
}
inline uint64_t SHA512::gamma1(uint64_t x)
{
return rotr(x, 19) ^ rotr(x, 61) ^ shr(x, 6);
}
SHA512::~SHA512()
{
}
void SHA512::print1024(unsigned char *data)
{
for (int i = 0; i < 128; i++){
printf("%02hhx", data[i]);
if (i % 8 == 7){
printf(" ");
}
if (i % 32 == 31){
printf("\n");
}
}
}
void SHA512::print64(unsigned char data[]){
for (int i = 0; i < 8; i++){
printf("%02hhx", data[i]);
}
printf("\n");
}
hmac.h
/************************************************************************/
/*HMAC: Use SHA512
/*Author: chenweiliang
/*Version: 1.0
/*Note: To see detail information please uncomment macro DEBUG
/*Reference: javafr_RFC_4493
/************************************************************************/
#ifndef __SHA_512_H
#include "sha_512.h"
#endif // !__SHA_512_H
#ifndef __HMAC_H
#define __HMAC_H
#endif
class HMAC : public SHA512
{
public:
HMAC();
HMAC(const unsigned char *in, uint64_t len, const unsigned char *key, uint64_t keyLen, unsigned char *out);
~HMAC();
protected:
private:
//
const static unsigned char IPAD = 0x36;
const static unsigned char OPAD = 0x5c;
//The key after padding
unsigned char mKpadded[MSG_BLOCK_SIZE];
//Length of the key in bytes
unsigned long mKeyLen;
unsigned char mSi[MSG_BLOCK_SIZE];
unsigned char mSo[MSG_BLOCK_SIZE];
void keyPadding(const unsigned char *key, uint64_t keyLen);
};
hmac.cpp
/************************************************************************/
/*HMAC: Use SHA512
/*Author: chenweiliang
/*Version: 1.0
/*Note: To see detail information please uncomment macro DEBUG
/*Reference: javafr_RFC_4493
/************************************************************************/
#ifndef __HMAC_H
#include "hmac.h"
#endif // !__HMAC_H
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
HMAC::HMAC()
{
}
HMAC::HMAC(const unsigned char *in, uint64_t len, const unsigned char *key, uint64_t keyLen, unsigned char *out)
{
//out1=H(Si||M)
unsigned char out1[64];
keyPadding(key, keyLen);
//Get Si
for (int i = 0; i < MSG_BLOCK_SIZE; i++){
mSi[i] = mKpadded[i] ^ IPAD;
}
//Get So
for (int i = 0; i < MSG_BLOCK_SIZE; i++){
mSo[i] = mKpadded[i] ^ OPAD;
}
unsigned long length1 = len + MSG_BLOCK_SIZE;
unsigned char *in1 = (unsigned char *)malloc(length1);
//in1=Si||M
for (int i = 0; i < length1; i++){
if (i < MSG_BLOCK_SIZE){
in1[i] = mKpadded[i];
}
else{
in1[i] = in[i - MSG_BLOCK_SIZE];
}
}
//out1=H(Si||M)
process(in1, length1);
free(in1);
hash(out1);
//in2=So||H(Si||M)
unsigned long length2 = MSG_BLOCK_SIZE + HASHCODE_SIZE;
unsigned char *in2 = (unsigned char *)malloc(length2);
for (int i = 0; i < length2; i++){
if (i < MSG_BLOCK_SIZE){
in2[i] = mSo[i];
}
else{
in2[i] = out1[i - MSG_BLOCK_SIZE];
}
}
//out=H( So || H(Si||M) )
process(in2, length2);
free(in2);
hash(out);
}
void HMAC::keyPadding(const unsigned char *key, uint64_t keyLen){
mKeyLen = keyLen;
//Generate a 512-bit-key
if (mKeyLen > MSG_BLOCK_SIZE){
process((unsigned char *)key, mKeyLen);
hash(mKpadded);
mKeyLen = 64;
}
//Fill the left part of the key with 0
else if (mKeyLen <= MSG_BLOCK_SIZE){
for (int i = 0; i < MSG_BLOCK_SIZE; i++){
if (i < MSG_BLOCK_SIZE - mKeyLen){
mKpadded[i] = 0x00;
}
else{
mKpadded[i] = (unsigned char)key[i - (MSG_BLOCK_SIZE - mKeyLen)];
}
}
}
printf("Key after padding:\n");
print1024(mKpadded);
}
HMAC::~HMAC()
{
}