
I wrote a Python program to perform the SHA-256 function. It works just fine until I try to hash longer strings.

If I hash (in HEX)

0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

at https://www.pelock.com/products/hash-calculator, I get the result

80A76A18ACF8CB64FEC3A659FFC4BAB4A87CD9A6FDE4DAB2161A8751D136C9D2

I do not get that from my own code.

When I perform the second round/iteration, I do not get the correct answer as depicted by that website.

As I understand it, the first iteration should be with the original A-H values, and the first 64 hex chars. Then the next iteration is supposed to have the input of the subsequent hex characters, but no more than 64 of them. I'm also supposed to cycle over the new A-H values from first iteration. Are the new A-H values what I add at the end of the second iteration, or do I still add the original A-H values? What other values do I have to change?

Does the first round have the length-of-the-original-string-that-is-appended of the entire original string (in this case, 384 bits/96 hex characters) or is it only the length of the part of the input we're using (being 64 hex characters/ 256 bits). What is the length that is appended in the second iteration? The original full 384 bits, or merely the length of the part of the input we're working with in the second iteration (being 32 hex characters / 128 bits)?

I do not understand how I'm supposed to re-apply the results of the first iteration to the second iteration to produce the proper result shown above.

Described simply, how are the multiple iterations/rounds of sha256 for long strings, actually applied?

Mike Edward Moras
Mine

1 Answer

> Are the new A-H values what I add at the end of the second iteration, or do I still add the original A-H values?

The idea is that the state is updated by each iteration, the state being A-H.

> What other values do I have to change?

None, A-H represents the state. All the other variables are temporary.

> Does the first round have the length-of-the-original-string-that-is-appended of the entire original string (in this case, 384 bits/96 hex characters) or is it only the length of the part of the input we're using (being 64 hex characters/ 256 bits)?

This is probably where you're going wrong. Only the last block should contain the encoded length. If the padding & length does not fit then you'll have to pad both the last block containing the last part of the message, as well as the next block up to the length encoding - which is always at the end of the block. You need at least one byte of (bit) padding.

> What is the length that is appended in the second iteration? The original full 384 bits, or merely the length of the part of the input we're working with in the second iteration (being 32 hex characters / 128 bits)?

So only the full length is encoded in the final block. So the second block only contains the length if it is the last block.


Note that SHA-2 is still vulnerable to length extension attacks although both bit padding and length encoding are used; you can just mimic the padding and length encoding in $M'$ and then re-apply the bit padding and a new length encoding in another final block.

Maarten Bodewes
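The chaining and padding rules from the answer, as an added Python example (not code from the question or the answer; all function names are this example's own). The A-H state leaving one block is the state entering the next, and the full message length is encoded once, at the end of the last block. A SHA-256 block is 64 bytes (128 hex characters), so a 48-byte input pads to one block while a 56-byte input spills into a second.

```python
import hashlib, math, struct

M32 = 0xFFFFFFFF
P = [n for n in range(2, 312) if all(n % d for d in range(2, n))]  # first 64 primes

def icbrt(n):
    x = round(n ** (1 / 3))            # float guess, corrected with exact integer math
    while x ** 3 > n: x -= 1
    while (x + 1) ** 3 <= n: x += 1
    return x

H0 = [math.isqrt(p << 64) & M32 for p in P[:8]]   # initial A-H (FIPS 180-4)
K = [icbrt(p << 96) & M32 for p in P]             # 64 round constants

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def pad(msg):
    # 0x80 byte, zero fill, then the FULL message length in bits (64-bit big-endian)
    zeros = (55 - len(msg)) % 64
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(msg) * 8)

def compress(state, block):
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        ch = (e & f) ^ (~e & g)
        t1 = (h + (rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)) + ch + K[i] + w[i]) & M32
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = ((rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)) + maj) & M32
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    # add the working variables to the state that ENTERED this block, not to H0
    return [(s + v) & M32 for s, v in zip(state, (a, b, c, d, e, f, g, h))]

def sha256(msg):
    state, padded = H0, pad(msg)
    for off in range(0, len(padded), 64):   # each block updates the running state
        state = compress(state, padded[off:off + 64])
    return struct.pack(">8I", *state).hex()

def matches_hashlib(msg):
    return sha256(msg) == hashlib.sha256(msg).hexdigest()

if __name__ == "__main__":
    for m in (bytes.fromhex("ff" * 48), b"\xff" * 56, b"a" * 200):  # constructed inputs
        print(len(pad(m)) // 64, "block(s)", sha256(m), matches_hashlib(m))
```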