New cryptographic hash function not needed, Schneier says

Cryptographer Bruce Schneier says the upcoming SHA-3 cryptographic hash algorithm is not much better than the current one

As the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) prepares to announce the winner of its competition to find the next-generation cryptographic hash algorithm, renowned cryptographer Bruce Schneier doesn't think that a new hash function is needed at this time.

"It's probably too late for me to affect the final decision, but I am hoping for 'no award,'" Schneier said Monday in a blog post. "It's not that the new hash functions aren't any good, it's that we don't really need one."

Cryptographic hash functions have many applications in information security and are commonly used to verify data authenticity. Such a function converts a piece of information of any length into a fixed-length bit string (the digest), and it should be computationally infeasible to find two different messages that result in the same string.

For example, user passwords are commonly stored in hashed form inside databases in order to prevent their exposure if the database is compromised. Every time a user attempts to authenticate against an application, a hash is computed for the password the user supplies and is compared to the one already stored in the application's database.
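The two properties described above (a fixed-length digest and the practical impossibility of finding two inputs with the same digest) and the store-then-compare password flow can be seen in a few lines of Python. This is an added example, not code from the article or from any of the SHA-3 teams; it uses SHA-512 from the standard library, the function Schneier recommends sticking with, and for the password store it uses a salted, iterated PBKDF2-HMAC-SHA512 with an assumed iteration count rather than a single raw hash, which is how a defender would store passwords in practice.

```python
import hashlib
import hmac
import os
from typing import Optional

def sha512_hex(data: bytes) -> str:
    """Return the SHA-512 digest of `data` as hex (128 hex chars = 512 bits)."""
    return hashlib.sha512(data).hexdigest()

def digest_bits(data: bytes) -> int:
    """Digest length in bits; it is 512 no matter how long the input is."""
    return len(hashlib.sha512(data).digest()) * 8

def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche_bits(msg: bytes) -> int:
    """Flip one bit of `msg` and count how many of the 512 digest bits change.

    A good hash changes roughly half the output bits for any input change,
    so two near-identical messages never share a digest.
    """
    flipped = bytes([msg[0] ^ 0x01]) + msg[1:]
    return differing_bits(hashlib.sha512(msg).digest(),
                          hashlib.sha512(flipped).digest())

# Assumed work factor for the password store (not a value from the article).
PBKDF2_ITERATIONS = 200_000

def make_password_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record an application would store instead of the password.

    The salt is random per user, so equal passwords give different records,
    and the iteration count slows down brute-force guessing if the
    database is ever stolen.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}

def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash of the supplied password and compare it to the
    stored one, using a constant-time comparison."""
    computed = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"),
                                   record["salt"], record["iterations"])
    return hmac.compare_digest(computed, record["hash"])

if __name__ == "__main__":
    # Constructed sample inputs.
    print(sha512_hex(b"hello"))
    print(digest_bits(b"x"), digest_bits(b"x" * 100_000))   # both 512
    print(avalanche_bits(b"The quick brown fox"))            # about 256
    rec = make_password_record("correct horse battery staple")
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "correct horse battery stapler")) # False
```

The stored record never contains the password itself, only the salt, the iteration count and the digest, which is what limits the damage when the database is compromised; the constant-time `compare_digest` avoids leaking how many leading bytes of a guess matched.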

NIST announced its public cryptographic hash algorithm competition in November 2007 with the goal of finding a new hash algorithm that would be standardized as a Federal Information Processing Standard (FIPS) called SHA-3 (Secure Hash Algorithm 3).

After five years and three selection rounds that reduced the number of candidates from 64 initially submitted functions to only five, NIST is expected to announce the winner sometime this year.

Schneier is part of the team of cryptographers who created Skein, a family of cryptographic hash functions that has been selected as one of the competition's five finalists.

The idea of standardizing a new hash function came in 2006, when it seemed like the SHA-2 family of functions wouldn't be secure for much longer because of new types of cryptanalysis, Schneier said.

"We didn't know how long the various SHA-2 variants would remain secure," the cryptographer said. "But it's 2012, and SHA-512 is still looking good."

Schneier also favors a "no award" decision at this time because, according to him, none of the SHA-3 final candidates is significantly better than the current standardized hash functions.

"Some are faster, but not orders of magnitude faster," Schneier said. "Some are smaller in hardware, but not orders of magnitude smaller."

"When SHA-3 is announced, I'm going to recommend that, unless the improvements are critical to their application, people stick with the tried and true SHA-512," the cryptographer said. "At least for a while."

"I'd say that the world could live without SHA-3, for SHA-1 and SHA-2 resisted cryptanalysis better than expected," cryptographer Jean-Philippe Aumasson, who designed BLAKE, another of the five SHA-3 finalist hash functions, said Monday via email. "However, I often say that this is due to the 'denial of service attack' of SHA-3: these last years, most cryptanalysts focused on SHA-3 candidates, instead of SHA-1 or SHA-2."

Aumasson believes that SHA-3 will be more secure than SHA-2 in certain aspects and that, if Skein or BLAKE is chosen as the winner, it will also be noticeably faster on the latest desktop and server CPUs from Intel and AMD.

"All the five SHA-3 finalists are believed to satisfy the strongest theoretical security definition, unlike SHA-2," Aumasson said. "However, this does not undermine SHA-2's actual security when used properly."

The fact that the expected attacks against SHA-1 and SHA-2 never materialized is a good thing, but the cryptographic community shouldn't be complacent about it, Matthew D. Green, an assistant research professor who teaches cryptography at the Johns Hopkins Information Security Institute, said Monday via email.

"The point of this competition was not just to replace SHA2, but to develop a collection of new defensive techniques so that we can deal with attacks if they ever arrive," Green said. "And it was also intended to advance our knowledge in the area of hash function design. It's done a great job of that."

Green is concerned that if NIST doesn't select a winner this time, a future competition of this nature would not be met with the same level of enthusiasm from cryptographers.

"One place I absolutely agree with Bruce is that we should take our time transitioning from SHA2 to whichever function becomes SHA3," Green said. "But what's great about this competition is that we'll at least have something to transition to."

Stories by Lucian Constantin