Now From Bruce Schneier, the Skein Hash Function
Posted by timothy on Fri Oct 31, 2008 09:49 AM from the renaissance-man dept.
An anonymous reader writes "Bruce Schneier and company have created a new hash function called Skein. From his blog entry: 'NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper."
Related Stories
Submission: The Skein Hash Function by Anonymous Coward
Security Review Summary of NIST SHA-3 Round 1 146 comments
FormOfActionBanana writes "The security firm Fortify Software has undertaken an automated code review of the NIST SHA-3 round 1 contestants (previously Slashdotted) reference implementations. After a followup audit, the team is now reporting summary results. According to the blog entry, 'This just emphasizes what we already knew about C, even the most careful, security conscious developer messes up memory management.' Of particular interest, Professor Ron Rivest's (the "R" in RSA) MD6 team has already corrected a buffer overflow pointed out by the Fortify review. Bruce Schneier's Skein, also previously Slashdotted, came through defect-free."
Your Rights Online: Privacy In the Age of Persistence 120 comments
Bruce Schneier recently wrote another essay on privacy for the BBC concentrating on how data seems to be the "pollution of the information age" and where this seems to be leading. "We're not going to stop the march of technology, just as we cannot un-invent the automobile or the coal furnace. We spent the industrial age relying on fossil fuels that polluted our air and transformed our climate. Now we are working to address the consequences. (While still using said fossil fuels, of course.) This time around, maybe we can be a little more proactive. Just as we look back at the beginning of the previous century and shake our heads at how people could ignore the pollution they caused, future generations will look back at us — living in the early decades of the information age — and judge our solutions to the proliferation of data."
what kind of function is that? (Score:2, Funny)
a skin rash function? WTF?!?
Good to see Bruce back (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Funny)
So basically, this would mean a large number of the world's finest mathematicians are working tirelessly to create something that is by definition mathematically impossible.
Yes, discounting the redefinition of impossible, it would mean that. :-)
Re:Good to see Bruce back (Score:4, Insightful)
One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.
This is funny. These two properties, discounting the redefinition of impossible, are mutually exclusive. If each message hashes to a unique value, and there are no collisions, then recreating the original message from the hash is as simple as putting a million monkeys to work writing a million works of gibberish and storing the hash and gibberish in a dictionary. If you instructed your monkeys to start from the smallest works of gibberish and work towards the longer works, your dictionary would be complete for any message whose length is equal to or less than the longest message in the dictionary.
Hence Schneier's explanation of the word "impossible", which was "can't be done in a reasonable amount of time". The criteria for grading pretty much all encryption is whether it costs more in resources to break the encryption than what the decrypted information would be worth. Truly "impossible" encryption is an impossibility in and of itself. All you can do is make it not worth someone's time and effort to try to break it.
So you're right, that the goal of cryptography (including hash functions) is contradictory, which means that some compromises must be made. The trick is finding how to make reasonable compromises so that you have a useable system that's still relatively secure (and Schneier is always the first to say that 'secure' is always relative).
That's why Joe Schmoe can't just make up his own encryption schemes and expect them to be secure, because it's hard work and takes a lot of understanding. That's why MD5 and SHA can't last forever. That's why they're taking proposals from smart people (excuse me, teams of people) like Schneier to come up with new hash methods, which will also have a limited lifespan as people find ways to break them.
All we can do is to come up with the best solution we can for now, and in a few years, we'll need something better.
Re:Good to see Bruce back (Score:5, Interesting)
Would you prefer that he had remained a quiet researcher for the last decade? Would the world be better off if he had?
We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?
Celebrity has become a smear word, but smearing all celebrities reveals only our own inability to recognize true expertise and talent.
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Bruce is the opposite of a traditional peddler in my view; he comes at problems from an obviously wide perspective and a deep understanding of his expertise; cryptography. I see most of his 'light-weight' contributions to security as those moments where he's trying to explain how cryptography, his passion, will not solve your problems.
He frequently explains how cryptography doesn't implicitly guarantee security, that security is a larger process that involves many other factors of which good cryptography i
Time to get glasses (Score:5, Funny)
Read the title as "Skin Hash Function". For a moment, wasn't sure if this was a SFW article.
Re:Time to get glasses (Score:4, Funny)
Yeah, me too. I had wondered if there was some sort of cream you could put on it.
Re:Time to get glasses (Score:5, Funny)
Of course! Or it gets the hose again.
FYI: Skein is pronounced like vein (i.e. "skane") (Score:3, Informative)
Reference: http://www.merriam-webster.com/dictionary/skein [merriam-webster.com]
Re:FYI: Skein is pronounced like vein (i.e. "skane (Score:3, Funny)
Funny, your website indicates the Star Trek pronunciation 'Skhaaaaaaaaan'.
From the fpdf (Score:4, Informative)
http://www.schneier.com/skein.html [schneier.com]
Hax (Score:5, Interesting)
I love hearing about new functions, but the fundamental growth of the security industry has me concerned for the well-being of my cat -- HR director for a large corporation that shall remain nameless (although they dabble in web security). The growth of industry standards like SHA typically stimulates additional growth in other market-based drives for change, and this is all pioneered by an industry that brought us the y2k bug, which was a total success. We made millions and did so in an unapologetic fashion. Keep 'em coming!
Summary: I want more money, so keep hacking and we'll keep thinking up ways to protect people from ourselves.
Re:Hax (Score:5, Funny)
Did you know your uid is a prime number when interpreted in base 7 or 11?
How do you sleep at night?
A likely story (Score:5, Funny)
Re:A likely story (Score:4, Informative)
For those who didn't know and can't be bothered to even skim the PDF, the first footnote says:
Of course, the copy and paste doesn't quite do it justice.
(I blame Slashcode.)
What the hell is Threefish (Score:4, Interesting)
Re:What the hell is Threefish (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Torklingberg's point is that you shouldn't expect to find word one about threefish. It's just been published in this paper. Who could possibly be talking about it, psychics?
Re: (Score:2)
Which is pretty much what I got from reading the introduction to said paper. My question was posited to discover why there was no information on it, which was more completely answered by later replies, which stated it was just published as a part of this paper; nobody has had time to run any independent cryptanalysis on it.
Re: (Score:3, Insightful)
Threefish is the name of the block cipher part of Skein.
I thought Redfish and Bluefish came after Twofish.
Re:What the hell is Threefish (Score:5, Informative)
From the article (Score:4, Informative)
Quoted from the comments section
"Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken."
Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then.
I think your intertubes are clogged.
Posted by: Bruce Schneier at October 30, 2008 7:24 PM
Re: (Score:2)
Re:From the article (Score:4, Insightful)
I could go on, but hopefully I've made my point.
Re:What the hell is Threefish (Score:5, Funny)
the algorithm's no good (Score:3, Funny)
Quick trick function stack (Score:5, Funny)
I do not like it encrypting my stocks,
I do not like it securing my box,
I do not like it, sam-I-am.
Re:What the hell is Threefish (Score:5, Funny)
Bruce should go to Washington (Score:5, Insightful)
Bruce is the friggin' man. He ought to get some kind of advisory role in the next administration. I think his views on security in general would help straighten out a lot of FUD...assuming that anyone in Washington would actually listen to him, that is. :)
Bruce Schneier Facts (Score:5, Funny)
There are no finite state machines. There are only a series of states that Bruce Schneier allows to exist.
Bruce Schneier can tell you where to find your GPG key into the digits of PI.
Bruce Schneier owns a chicken that lays scrambled eggs. Whenever he wants a hard-boiled egg, he just unscrambles one.
SHA = "Schneier has access" SHA2 = "Schneier has access - and a spare too"
When transmitted over any socket, Bruce Schneier's public key causes libpcap to enter an infinite malloc loop.
Bruce Schneier knows Alice and Bob's shared secret.
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
Bruce Schneier knows the state of Schroedinger's cat.
When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.
Bruce Schneier once decrypted a box of AlphaBits.
http://geekz.co.uk/schneierfacts/ [geekz.co.uk]
Sounds good, but MD5 et al. still have a place (Score:5, Informative)
Disclaimer: I'm not a cryptographer, and I'm not a professional (anything). This post is based on my understanding, which may be wrong. Corrections accepted and welcomed.
Yes, MD5 [wikipedia.org] is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).
You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.
However, this is not the only use for hash functions. Hash functions are also used to obscure passwords. "Wait", I hear you say, "what about rainbow tables?". Wikipedia says (from the link above)
That's right folks, if you know what you are doing, you can still use MD5.
Basically, you have to salt your passwords before storing them in the DB (in case the DB gets broken into), send the original salt, and another (random) salt along with the login page, make sure that everyone hashes in the correct order and compare. Simplified, but I'm sure you're all intelligent enough to find what I'm talking about.
Voilà, a safe method of using MD5. (As far as I know, there is still no way to convert an MD5 hash back into the original text, or even a possible original text without using a Rainbow table [wikipedia.org].)
-----
That said, new hashing methods are always welcome. Especially when it comes to things like checksums. (I can't believe some websites still rely on MD5...)
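The scheme sketched in this comment, written out as an added example that is not part of the original post: the server keeps only the salt and the salted digest, the login page carries that salt plus a one-time random nonce, and both sides hash in the same order. The hash algorithm is a parameter (sha256 is assumed as the default; the `Server` and `client_proof` names are mine).

```python
import hashlib
import hmac
import os

def digest(*parts: bytes, algo: str = "sha256") -> bytes:
    """Hash the concatenation of parts. The comment talks about MD5, but the
    scheme is hash-agnostic, so the algorithm is a parameter (assumed default:
    sha256; pass algo="md5" to reproduce the comment's choice)."""
    h = hashlib.new(algo)
    for p in parts:
        h.update(p)
    return h.digest()

class Server:
    """Stores (salt, H(salt || password)) per user, never the password itself."""
    def __init__(self, algo: str = "sha256"):
        self.algo, self.users, self.pending = algo, {}, {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, digest(salt, password.encode(), algo=self.algo))

    def challenge(self, user: str) -> tuple:
        """Login page: hand out the stored salt plus a fresh random nonce."""
        salt, _ = self.users[user]
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, proof: bytes) -> bool:
        """Recompute H(nonce || stored digest) and compare in constant time.
        Each nonce is consumed on use, so a captured proof cannot be replayed."""
        salt, stored = self.users[user]
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        return hmac.compare_digest(proof, digest(nonce, stored, algo=self.algo))

def client_proof(password: str, salt: bytes, nonce: bytes, algo: str = "sha256") -> bytes:
    """Browser side: hash in the same order as the server; only the proof is sent."""
    return digest(nonce, digest(salt, password.encode(), algo=algo), algo=algo)
```

Note that the stored digest is exactly what the server checks the proof against, so the database contents still need protecting even though no plaintext password is kept.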
Re: (Score:2)
MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.
Whirlpool, for example, is much, much better and more secure.
Re: (Score:3, Insightful)
MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.
Well, I still use it as a replacement for cksum to make checksum files for DVDs and the like (which is not a security critical task). It runs marginally faster than cksum (and much faster than sha1sum) on my machine, and the 'md5sum -c' option lets me conveniently verify whole directory trees.
Re:Sounds good, but MD5 et al. still have a place (Score:5, Informative)
Wrong.
The MD5 attacks demonstrated are collision attacks [wikipedia.org] - attacks where you generate two datasets that hash to the same MD5 hash.
What you are describing is a Preimage attack [wikipedia.org]. Finding a dataset that has the same MD5 hash as an existing dataset is a different attack which is many orders of magnitude harder than a collision attack, and AFAIK, has so far not been demonstrated yet for MD5.
Re:Sounds good, but MD5 et al. still have a place (Score:4, Interesting)
If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.
Thus, it's quite easy to craft preimages, if you're not really concerned with the contents of the resulting payload.
Now, if given MD5(a), it's not (yet) possible to craft a possible payload "a", but I'm sure it'll be figured out soon.
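An added example (not from the thread) illustrating both comments above: the gap between a collision search and a preimage search, and the common-suffix property. It uses a constructed 16-bit Merkle-Damgard toy hash (names such as `toy_hash`, `find_collision` and `find_preimage` are mine) so that a collision turns up by birthday search in a few hundred tries while a preimage needs a walk over the full 2**16 output space, and it checks that equal-length colliding prefixes keep colliding under any common suffix.

```python
import random

MASK = 0xFFFF   # 16-bit chaining value: a constructed toy size, not MD5's 128 bits
BLOCK = 4       # bytes per message block
IV = 0x5A17     # constructed initial value

def _mix(s: int) -> int:
    """16-bit bijection; invertible, so every digest value is reachable."""
    s ^= s >> 7
    s = (s * 0x9E37) & MASK
    return s ^ ((s << 5) & MASK)

def compress(state: int, block: bytes) -> int:
    """Toy compression function, deliberately weak so collisions are cheap."""
    m = int.from_bytes(block, "little")
    state = _mix((state + (m & MASK)) & MASK)
    return _mix(state ^ (m >> 16))

def toy_hash(msg: bytes) -> int:
    """Merkle-Damgard chain; MD5-style padding: 0x80, zeros, bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 2) % BLOCK)
    padded += ((8 * len(msg)) & MASK).to_bytes(2, "little")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def find_collision(seed: int = 2008) -> tuple:
    """Birthday search: two distinct one-block prefixes, equal chaining value."""
    rng, seen, tries = random.Random(seed), {}, 0   # expect ~2**8 tries
    while True:
        blk = rng.getrandbits(32).to_bytes(4, "little")
        tries += 1
        s = compress(IV, blk)
        if s in seen and seen[s] != blk:
            return seen[s], blk, tries
        seen[s] = blk

def find_preimage(target: int) -> tuple:
    """Brute-force preimage; walks all 2**16 digests, not the square root."""
    for i in range(1 << 16):
        blk = i.to_bytes(4, "little")
        if toy_hash(blk) == target:
            return blk, i + 1
    raise RuntimeError("unreachable: one-block toy_hash is surjective")

def suffix_preserves_collision(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Equal-length colliding prefixes still collide under any common suffix."""
    return toy_hash(a + suffix) == toy_hash(b + suffix)
```

The suffix property holds because the colliding prefixes leave the chaining value identical and every later block, length padding included, is the same for both; that is why equal length matters for the claim.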
Re: (Score:2)
Re: (Score:2)
You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.
If you're worried about people tampering with your data, you shouldn't use any checksum. Sign it with PGP.
If you just want to check that your download didn't corrupt, MD5 is still fine for that purpose.
Re: (Score:2, Insightful)
Re:Sounds good, but MD5 et al. still have a place (Score:5, Funny)
That isn't even remotely true. MD5 has been demonstrated to be easier to break than advertised, therefore it is wise to use better hashes. But when I say "better than advertised" I'm saying defeating a good hash is about as easy as any of us getting Angelina Jolie in the sack; but someone has discovered a trick that makes defeating MD5 about as easy as bagging Paris Hilton. For all practical purposes, none of us will achieve either, but Paris is still no Angelina Jolie...
experts (Score:3, Insightful)
Cryptography: Unique in computing in that it is a field where the so-called experts really are experts.
--modified from Jack Handy
It's a trap! (Score:2)
Bearforce Schneier? (Score:2)
Re:Bearforce Schneier? (Score:4, Funny)
Hashes collide.. (Score:2)
Skein, (Score:4, Interesting)
Oh what a Tangled Skein we weave.
When we first practice to Deceive.
A new hash has been designed
With File Security firm in mind.
With Threefish this Skein will defeat
Those who would infect and mistreat
One fish two fish red fish blue fishes :-]
Kiss my ass you scummy soap dishes.
Signed, Dr. Pseussdonym.
More submissions (Score:3, Informative)
I expect it will take a little while for NIST to compile all the submissions and put them online. In the meantime, someone has started compiling a list (which is unofficial and incomplete, but still useful):
http://131002.net/sha3lounge/ [131002.net]