
How SHA-2 works step-by-step (SHA-256) - lanecwagner
https://qvault.io/2020/07/08/how-sha-2-works-step-by-step-sha-256/
======
technicolorwhat
I would appreciate more if you'd say why all of the things were necessary in
the first place.

~~~
barkingcat
It's an algorithm, so you're probably looking for a higher level block diagram
or something like a pseudocode explainer?

[https://www.maximintegrated.com/en/design/technical-
document...](https://www.maximintegrated.com/en/design/technical-
documents/app-notes/7/7015.html) has a block diagram

[https://www.maximintegrated.com/content/dam/images/design/te...](https://www.maximintegrated.com/content/dam/images/design/tech-
docs/7015/7015fig02.png)

many of the decisions made in cryptographic algorithms (ie why this constant?
why this hardcoded value?) are made as a trade off for security concerns, but
also for memory size, performance during calculations, and feasibility of
hardware implementation.

A good cryptographic algorithm is a balanced trade-off between all those
factors (and more, for example, resistance to cryptanalysis attack would be
something desirable as well)

It's not that useful to ask "why" when it comes to cryptographic primitives
since sometimes the answer is "because this constant works well and gives us
the performance characteristics we were looking for"

~~~
nneonneo
In particular, the constants are very critical to the algorithm's security. If
the constants are maliciously chosen, the algorithm could be "backdoored" with
an exploitable structure. For example, if you modify just four 32-bit
constants in SHA-1, without touching any other operations, it becomes nearly
trivial to obtain collisions (current SHA-1 collisions have required enormous
amounts of compute to achieve):
[https://malicioussha1.github.io/](https://malicioussha1.github.io/)

The constants for SHA-256 are chosen to be simple mathematical constants,
reducing the number of "degrees of freedom" for an attacker to manipulate the
standard. At the same time, the constants need to be "random" enough to avoid
producing exploitable structure. It's a careful balancing act! Roots of primes
and functions or digits of transcendental numbers (e, pi, etc) make good
random-ish numbers which don't provide much room for manipulation.

~~~
pwg
> Roots of primes and functions or digits of transcendental numbers (e, pi,
> etc) make good random-ish numbers which don't provide much room for
> manipulation.

Those are termed "nothing-up-my-sleeve numbers":

[https://en.wikipedia.org/wiki/Nothing-up-my-
sleeve_number](https://en.wikipedia.org/wiki/Nothing-up-my-sleeve_number)

------
throwaway193834
[https://github.com/in3rsha/sha256-animation](https://github.com/in3rsha/sha256-animation)

~~~
russellbeattie
That's fantastic!! Great link. Thanks!

------
CalmStorm
It is helpful to know the internals of SHA-2. It helps to make sense of the
"Length Extension Attack" [1] on this kind of hash function construction.

[1]
[https://en.wikipedia.org/wiki/Length_extension_attack](https://en.wikipedia.org/wiki/Length_extension_attack)

~~~
tialaramex
It actually isn't important to know much about the internals to grasp this
attack, let's see why quickly:

Your cryptographic hash function maintains a bunch of state which is
manipulated by shoving data through it. One obvious way to get the output is
just serialise all of that state, and this is what the Merkle–Damgård hashes
like SHA-256 do.

That's how the Length Extension becomes possible. The details of how that
state is created don't matter to the attack, because the hash output itself
provides an attacker with the complete internal state and they can extend from
there. [There are some small subtleties around padding].

In SHA-3 (and all Keccak variants and similar modern hashes) there is instead
a "squeeze" mechanism that takes the internal state of the hash and outputs
some bits _derived_ from that state. The state inside SHA-3 is always 1600
bits, that'd be a real pain to write down compared to a 256 bit SHA-256, but
the "squeeze" can give you say, 256 bits like you had with SHA-256. Because
this isn't the actual internal state of the hash an adversary can't do
anything useful with it, such as the Length Extension Attack.

------
symmetricsaurus
Since the input fits in one chunk it’s hard to follow how it would work for
larger inputs.

The “chunk loop” is only executed for one iteration so it requires careful
reading to see how the state gets form one iteration to the next. (Hint: it’s
the h0-h7 hash values).

Perhaps it could be stated that h0-h7 is the state that is carried over
between iterations?

------
lanecwagner
Author here: LMK if you have ideas for improvements, nice to see some interest
in crypto(Graphy) from the community

