NIST crowns next-gen hash algorithm Keccak as official SHA-3 A US government agency has selected cryptographic hash function Keccak as the new official SHA-3 algorithm. The National Institute of Standards and Technology's decision to pick the nippy system as the replacement for SHA-1 and SHA-2 marks the end of a six-year competitive process. Five algorithms were left in the running at …
It's a balance of terror for the spooks of all nations: of course they would love to be able to crack everyone else's comms but equally they want their own comms to remain secure, and they cannot count upon their crypto skills being a whole generation ahead of the rivals. So it would be perilous to adopt as a national standard something with a known weakness, lest some ingenious Israeli, clever-clogs Chinese, or resourceful Russian identifies it too. And as far as I know none of the US standards have been fingered as having exploitable weakness - for many years the NSA alteration to DES was thought to be such a case but in fact what they did was to strengthen it - see http://news.cnet.com/Saluting-the-data-encryption-legacy/2010-1029_3-5381232.html
Of course what does work is weakening a system that you don't use yourself - e.g. the long-standing suspicion that the NSA trojanned Crypto AG machines: widely used for diplomatic comms but apparently not by USA.
" for many years the NSA alteration to DES was thought to be such a case but in fact what they did was to strengthen it - "
Possibly.
They then proceeded to claim the 56 bit key (developed to run on 1970s technology) was *still* secure 20 yrs later until the EFF *built* hardware to demonstrate a brute force crack was viable.
I wrote the first paper within a company that used a DES variant warning this its security must be viewed as suspect.
Note that it is an *algorithm* that has been approved, not an implementation. A black box software implementation could have *any* number of trapdoors built into, just like *any* closed source piece of software.
Er, the real problem is not the hash function, it is one or both of these:
1) User choosing short simple passwords (i.e. low entropy), maybe not helped by system with dumb limits like 8 characters max.
2) Users of said hash not salting (1) with sufficient entropy so the input to the hash function is big enough that a matching rainbow table is practical to compute.
Really, going from a 256-bit hash output to 512-bits only doubles your rainbow table size, but going from 20 bits in to just 28 bits input, for example, makes the table 256 times bigger!
> from which it is hopefully impossible to recover the original information.
No, that's totally not the point of a hash function. The aim is that you cannot trivially compute a fake data payload which matches the hash. I can assure you that you cannot recover an arbitrary payload from a N-bit hash because N-bits is usually order of magnitudes smaller than the payload ...
One of the SHA-3 creators (Daemen) also worked on AES
More specifically, Joan Daemen was co-author of Rijndael, which became AES. So that's both of the two most recent major NIST crypto-algorithm contests his teams have won. Good show.
Of course his coauthors also deserve their fair share of the credit, as do the many researchers working in the field; it's not like Daemen is a lone genius inventing this stuff sui generis. You could argue that, while he does fine work, in the end he just got lucky twice - a small difference of opinion on either NIST committee could have changed the final result in either case. But it's a fine achievement nonetheless.
We can now, in situations where speed isn't important, compute both SHA-2 and SHA-3 and use both. If they are different, the combined strength of both algorithms is at least as good as the weakest. If they are similar, someone might find a way to break both at the same time.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
