Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

A Competition To Replace SHA-1

Posted by kdawson on Wed Jan 24, 2007 09:10 AM
from the securing-government-bits dept.
Encryption Security IT
SHA who? writes "In light of recent attacks on SHA-1, NIST is preparing for a competition to augment and revise the current Secure Hash Standard. The public competition will be run much like the development process for the Advance Encryption Standard, and is expected to take 3 years. As a first step, NIST is publishing draft minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms, and requests public comment by April 27, 2007. NIST has ordered Federal agencies to stop using SHA-1 and instead to use the SHA-2 family of hash functions."
+ -
story

Related Stories

[+] Chinese Prof Cracks SHA-1 Data Encryption Scheme 416 comments
Hades1010 writes to mention an article in the Epoch Times (a Chinese newspaper) about a brilliant Chinese professor who has cracked her fifth encryption scheme in ten years. This one's a doozy, too: she and her team have taken out the SHA-1 scheme, which includes the (highly thought of) MD5 algorithm. As a result, the U.S. government and major corporations will cease using the scheme within the next few years. From the article: " These two main algorithms are currently the crucial technology that electronic signatures and many other password securities use throughout the international community. They are widely used in banking, securities, and e-commerce. SHA-1 has been recognized as the cornerstone for modern Internet security. According to the article, in the early stages of Wang's research, there were other data encryption researchers who tried to crack it. However, none of them succeeded. This is why in 15 years Hash research had become the domain of hopeless research in many scientists' minds. "
[+] Schneier On the US Crypto Competition 58 comments
Bruce Schneier has a commentary in Wired titled An American Idol for Crypto Geeks on the US government's competition for a new cryptographic hash function to become the national standard, covered here recently. He talks about how much the competition, slated to wrap up by 2011, will advance the cryptographic state of the art. And how much fun he expects to have.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

A Competition To Replace SHA-1 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Draft location (Score:5, Informative)

    by ErGalvao (843384) on Wednesday January 24 2007, @09:20AM (#17736580) Homepage Journal
    The draft can be found (in PDF) here [nist.gov].

  • How long before we get (Score:3, Funny)

    by Anonymous Coward on Wednesday January 24 2007, @09:20AM (#17736588)
    ...the magical SHA-24M?

  • Leadtime for security: Is it too late? (Score:3, Insightful)

    by G4from128k (686170) on Wednesday January 24 2007, @09:27AM (#17736622)
    The security of a given hash/encryption would seem to be a function of how much effort has gone into breaking it. Lots of algorithms can look good on paper, but until people really tear into the math and code, it's true level of unbreakability is undecidable. A 3 year competition is not likely to bring enough IQ, theorems, malevolence, or brute CPU cycles to bear against any candidate.

    The point is that any attempt to quickly create a new algorithm is likely to create an insecure one. Shouldn't we be trying to create candidate algorithms for the year 2050 to give the algorithms time to withstand attack? Or do we plan to keep creating new algorithms as a serial security-by-obscurity strategy.

    • Re: (Score:3, Interesting)

      by bhima (46039)
      The general consensus among the experts in cryptology is that a competition is far more effective than other methods of designing algorithms. Presumably the 3 years is a function of how long the world can wait as compared to how the experts need to crack it. The thing that makes me wonder is why they waited so long to begin it.

      Characterizing this process as a "serial security-by-obscurity strategy" is completely wrong because due to the very nature of the competition the algorithm is known from the start.

    • Re:Leadtime for security: Is it too late? (Score:5, Insightful)

      by suv4x4 (956391) on Wednesday January 24 2007, @09:43AM (#17736766)
      Shouldn't we be trying to create candidate algorithms for the year 2050 to give the algorithms time to withstand attack? Or do we plan to keep creating new algorithms as a serial security-by-obscurity strategy.

      This is what a hash is by design: obscurity. For mathematical reasons alone, you can't have a unique hash for your megabyte message crammed in (say) 256 bytes. Or 512, or 1024 bytes.

      And with a public algorithm spec, it's all about whether there's a determined group to turn it inside-out and make it easy to crack.

      That said, the ability to hack SHA/MD5 given the time and tools, doesn't make hashes useless. A hash by itself can be useless, but coupled with a good procedure that incorporates it, it can raise the security level just enough so it's not reachable by 99.99999...% of the potential hackers out there that will try to break you.

      Security is just an endless race on both sides, and will always be.

    • Re: (Score:3, Informative)

      by duffbeer703 (177751) *
      Its not like everyone is starting from a blank slate on the first day of the contest. It's basically a call for the math geeks who design this stuff to polish up whatever they are working on.

    • Re:Leadtime for security: Is it too late? (Score:4, Informative)

      by Kjella (173770) on Wednesday January 24 2007, @10:47AM (#17737416) Homepage
      Let's start with the facts: SHA1 is cryptographically "broken" in the sense there's a "better than brute force" attack which takes about 2^63 operations instead of 2^80 of finding a colliding pair of two random strings.

      It's not a practical attack because 2^63 is still a huge number.
      It's not a "find a collision to a known string" attack which would be stage 2.
      It's not a "find a collision to a known string by appending to a fixed string" attack which would be stage 3.
      It is a sratch in the armor which creates doubt if there are more powerful attacks, nothing more.

      There are strong alternatives like SHA-512 and Whirlpool (AES-based) which it is possible to use today, if you're paranoid more is better. Is it urgent? Not really, even a practical stage 1 and 2 attack would just be "stuff breaks, files corrupt, migrate away". The only one with really nasty consequences is stage three with code injection attacks in software and such.

      • Re:Leadtime for security: Is it too late? (Score:4, Interesting)

        by Fahrenheit 450 (765492) on Wednesday January 24 2007, @11:35AM (#17737992)
        That's great. Except for one thing...
        Hashes are used all over the place in cryptography. That digital signature you generated? You didn't sign the message, you signed a hash of the message. That key you just exchanged? There was likely a hash involved in that process. Hashes are one of the basic building blocks of cryptographic protocols and systems, and while the recent weaknesses aren't too much to worry about yet as they aren't really practical or directly applicable, their presence is troubling.

        And far more interesting (to me at least) are the attacks like Joux's multicollisions and Kelsey and Kohno's Hash Herding/Nostradamus attacks.

  • Schneier Proposed this in 2005 (Score:5, Informative)

    by RAMMS+EIN (578166) on Wednesday January 24 2007, @09:31AM (#17736656) Homepage Journal
    Schneier proposed such a competition in March 2005: http://www.schneier.com/crypto-gram-0503.html#1 [schneier.com]

  • Good News (Score:4, Interesting)

    by Ckwop (707653) * <Simon.Johnson@gmail.com> on Wednesday January 24 2007, @09:32AM (#17736662) Homepage

    The amount of research done in to hash functions is nothing like the amount that goes in to ciphers. I'm not really sure why this is the case because hashes are much more important than ciphers. Hashes are used in MACs to protect the integrity and authenticity of a message.

    Ask yourself this, is it more important that somebody can read your SSH connection or that somebody can hijack the channel? The reasons for wanting a good hash function suddenly become very clear.

    It's true that hashes are becoming less important as a result of AEAD modes. But they have uses far beyond MACs and it's good to see a competition from NIST to stoke research in to those primitives.

    Simon.

  • Hash functions in common protocols (Score:4, Interesting)

    by Srin Tuar (147269) <zeroday26@yahoo.com> on Wednesday January 24 2007, @09:36AM (#17736702)

    Does anyone know whether or not common protocols and formats such as TLS, ssh, X.509 certs, etc are being updated to use newer hash functions?

    Its easy to change parts of a self-contained system, such as password hashes, but common protocols require interoperability and standards compliance.

    This is actually fairly interesting situation, where NIST certification and platform interoperability may actually be at odds with each other.
       

    • Re:Hash functions in common protocols (Score:4, Informative)

      by cpuh0g (839926) on Wednesday January 24 2007, @09:41AM (#17736746)
      Most modern protocols and standards are designed to be agile. Basically, this means that they don't mandate any one particular algorithm, but rather are designed such that alternatives can be used. Otherwise, many specs would be woefully out-of-date every few years as computing power and cryptographic algorithms advance. The 3 examples you give above are all considered "agile", read the specs and note that they use algorithm identifiers and allow for a wide variety of different algorithms to be used, none of the above are strictly bound to use SHA-1 or MD5.

  • How about SHA-512? (Score:4, Interesting)

    by ngunton (460215) on Wednesday January 24 2007, @09:43AM (#17736770) Homepage
    Anybody know if SHA-512 is mathematically vulnerable to the same kind of attack as SHA-1 (only presumably requiring more computing power)? Or is it really a different kind of beast?

      • Re: (Score:3, Informative)

        by tomstdenis (446163)
        No, SHA-224 is truncated SHA-256 and SHA-384 is a truncated SHA-512.

        SHA-256 and SHA-512 are different hash functions (same basic design though). On 32-bit boxes SHA-256 is faster, and on 64-bit boxes SHA-512 is faster.

        There is no point in 224 or 384, but they're there just for completeness (e.g. to comply with some specs that don't allow the arbitrary truncatage of a hash).

        Tom

  • How frustrating! (Score:3, Interesting)

    by Paul Crowley (837) on Wednesday January 24 2007, @09:45AM (#17736798) Homepage Journal
    The unfortunate thing is that in order to win this competition, the hash function submitted will have to be pretty conservative - very much like the SHA-512 family. There isn't time to analyze anything really new and have enough confidence in its security to bless it as the new standard for ever on. But if these attacks (and especially the recent attacks on the whole Merkle-Damgard structure) show us anything, it is that the old way turns out not to be the best way to build hash functions, and that more innovative ideas (eg Daemen et al's "belt and mill" proposal RADIOGATUN) should be the way forward.

    What we need is for NIST to pull the rug under everyone near the end, and say "thanks for putting huge amounts of energy and hard work into designing and attacking all these hash functions, now you can all make new proposals based on what we've all learned and we'll start over again!"

  • One Word.... (Score:5, Interesting)

    by tomstdenis (446163) <`moc.liamg' `ta' `sinedtsmot'> on Wednesday January 24 2007, @09:46AM (#17736814) Homepage
    WHIRLPOOL.

    It's a balanced design, an SPN to boot.

    The big problem with the SHA's [and their elk] is that they're all UFN [unbalanced feistel networks], in particular they're source heavy. Which means the the branch/diffusion is minimal (e.g. it's possible to make inputs collide and cancel out differences).

    SPN [substitution permutation networks] like WHIRLPOOL are balanced in their branch/diffusion.

    Best of all, WHIRLPOOL is already out there. just a sign the paper!

    Tom

  • Perfect Solution... (Score:4, Funny)

    by evilviper (135110) on Wednesday January 24 2007, @10:50AM (#17737444) Journal
    I have a perfect solution to the hashing problem, for verifying the data integrity between two points...

    You simply have to find autistic twins. The one at the source looks through the MB file, then writes a hash, explaining that it "smells like 5 green triangles". If the twin at the destination agrees, you know you have a match.

    It's nearly impossible, even to brute-force this method... I mean, you need to covertly aquire a sample of their DNA, and wait several years for the clone to mature.

    Of course, this method's weakness is that it doesn't scale-up effectively. There are only so many autistic twins out there, and human cloning technology is still quite expensive.

    • Re:Generic hashing is impractical (Score:4, Informative)

      by RAMMS+EIN (578166) on Wednesday January 24 2007, @09:35AM (#17736692) Homepage Journal
      ``Maybe secure hashing needs to store a mixture of the low level and the high level details but in a context specific way - the face picture example should also store the detailed iris pattern as well as an overall face picture, both should match to allow this person through. It might be easy to find someone who looks like me, but the specific portion cannot be modified without surgery.''

      The idea is that, in a good hash function, each input bit affects all the output bits more or less equally. This is especially true of cryptographic hashes, and for a good reason. The stronger the correlations between input and output, the weaker the hash function.

    • Re:Generic hashing is impractical (Score:5, Informative)

      by delt0r (999393) on Wednesday January 24 2007, @09:37AM (#17736716)
      You clearly don't know what a crytographic hash is about. And this is not what is ment by collisions resitant. What it means is that there is minum amount of work needed to produce a collision.

      There are a number of different type of collisions as well. Lets assume we have a 256-bit hash. There is the kind of colision where you just find *any* 2 strings that produce the same hash, which should require on avarage 2**128 "operations". A harder task is given a string and its hash find another string with the same hash. For a secure hash 256-bit hash function this will require on avarage 2**256 "operations".

      There are other properties that are important as well. Its a well established idea. Hashes are very very usefull and are used for a lot more that file verification and we know what properties they need. We are just not very good at producing very good hashes yet.

    • Re: (Score:3, Informative)

      by simm1701 (835424)
      I think that you are missing the point of a hash.

      A hash is a signature of the file, its designed to give a good confidence that a given file that you have been supplied matches the one that you think has been supplied.

      The theory being that being able to create a file that is of the same length as the orignal, is not corrupt (eg a zip file still unzips, an executable still runs, a pdf still displays) and is different from the original but still hash should be infeasable (not impossible, most cryptography doe

        • Re:Generic hashing is impractical (Score:4, Insightful)

          by simm1701 (835424) on Wednesday January 24 2007, @09:48AM (#17736836)
          No you can't very easily modify it - thats the point.

          You can exhaustively search for a collision, but the time requirement is very much non trivial.

          Feel free to prove me wrong - unless you have a huge botnet or a supercomputer available I dont give you much chance of finding a collision that way for md5 let alone SHA-1

            • Re:Generic hashing is impractical (Score:4, Informative)

              by simm1701 (835424) on Wednesday January 24 2007, @10:08AM (#17737014)
              2000 times quicker than brute force (where brute force is average time 2^159 attempts) means the algorithm is not as secure as it used to be thought.

              This has demonstrated a cryptographic weakness, there could quite well be more, look at the research over the years on weakening md5, therefore moving to different algorithm would be advisable.

              Its doesn't mean that you are going to be able to find a collision in non trivial time, but it did lower the bar. Lowering it enough that people wanting high grade protection should switch to a more secure algorithm.

              Context specific data has no place in a hash, it would only weaken it.

    • Re:Multiple Hash Functions (Score:5, Informative)

      by rbarreira (836272) on Wednesday January 24 2007, @10:05AM (#17736984) Homepage
      Doesn't work very well. Read this:

      http://www.mail-archive.com/cryptography@metzdowd. com/msg02611.html [mail-archive.com]

      • Re:Multiple Hash Functions (Score:4, Informative)

        by RAMMS+EIN (578166) on Wednesday January 24 2007, @10:37AM (#17737286) Homepage Journal
        Thanks. The post you linked to precisely answers both my questions. I'll restate the questions and copy the answers from the post for /.ers' convenience.

        1) Would multiple hash functions be harder to fool (i.e. make the system think you got the original, but it's actually a forgery) than one hash function that generated as many bits?

        No. In fact, the multiple hash functions perform worse:

        ``Joux then extended this argument to point out that attempts to increase
        the security of hash functions by concatenating the outputs of two
        independent functions don't actually increase their theoretical security.
        For example, defining H(x) = SHA1(x) || RIPEMD160(x) still gives you only
        about 160 bits of strength, not 320 as you might have hoped. The reason
        is because you can find a 2^80 multicollision in SHA1 using only 80*2^80
        work at most, by the previous paragraph. And among all of these 2^80
        values you have a good chance that two of them will collide in RIPEMD160.
        So that is the total work to find a collision in the construction.''

        2) Does using multiple hash functions protect you against the case where one of them gets broken?

        Basically, yes. Just note that your total security is no better than the security of the best hash function (as explained in point 1).

    • Re:Wrong (Score:4, Informative)

      by Fahrenheit 450 (765492) on Wednesday January 24 2007, @12:05PM (#17738410)
      Again you are wrong (and somewhat right about the incorrect title at the same time, iI suppose). The point of this workshop is to revise and amend FIPS 180-2. Now, while the SHA-2 line of hashes are laid out in FIPS 180-2, it is not the case that SHA-2 and the like will be thrown out. They meet the requirements laid out in the call, and frankly NIST would be insane to not make it one of the workshop's submissions. It may very well fall out that the SHA-2 is just fine and indeed the best candidate submission.

      As for the Chinese attacks, they haven't shown any real applicability to SHA-2 as of yet.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.