Now From Bruce Schneier, the Skein Hash Function 139
An anonymous reader writes "Bruce Schneier and company have created a new hash function called Skein. From his blog entry: 'NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper."
what kind of function is that? (Score:2, Funny)
a skin rash function? WTF?!?
Re: (Score:2)
It's the formal name for a party at a Leper Colony [youtube.com].
Comment removed (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Funny)
So basically, this would mean a large number of the worlds finest mathematicians are working tirelessly to create something that is by definition mathematically impossible.
Yes, discounting the redefinition of impossible, it would mean that. :-)
Re: (Score:2)
Bruce Facts:
Bruce has done the impossible. Twice.
Re: (Score:2)
This is a poor definition of the second property. In any function that has a fixed length output, a collision is *guaranteed*. a 2^160 output is still finite!
The collision avoidance is that it is computationally infeasible to find, a-priori, two different inputs that will resolve to the same hash value.
Re: (Score:2)
Re-read the definition of impossible that was given. It wasn't a one-shot definition.
Re:Good to see Bruce back (Score:4, Insightful)
One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.
This is funny. These two properties, discounting the redefinition of impossible, are mutually exclusive. If each message hashes to a unique value, and there are no collisions, then recreating the original message from the hash is as simple as putting a million monkeys to work writing a million works of gibberish and store the hash and gibberish in a dictionary. If you instructed your monkeys to start from the smallest works of gibberish and work towards the longer works, your dictionary would be complete for any message whose length is equal to or less than the longest message in the dictionary.
Hence Schneier's explanation of the word "impossible", which was "can't be done in a reasonable amount of time". The criteria for grading pretty much all encryption is whether it costs more in resources to break the encryption than what the decrypted information would be worth. Truly "impossible" encryption is an impossibility in and of itself. All you can do is make it not worth someone's time and effort to try to break it.
So you're right, that the goal of cryptography (including hash functions) is contradictory, which means that some compromises must be made. The trick is finding how to make reasonable compromises so that you have a useable system that's still relatively secure (and Schneier is always the first to say that 'secure' is always relative).
That's why Joe Schmoe can't just make up his own encryption schemes and expect it to be secure, because it's hard work and takes a lot of understanding. That's why MD5 and SHA can't last forever. That's why they're taking proposals from smart people (excuse me, teams of people) like Schneier to come up with new hash methods, which will also have a limited lifespan as people find ways to break them.
All we can do is to come up with the best solution we can for now, and in a few years, we'll need something better.
I dunno. (Score:2)
Re: (Score:2)
And even with quantum crypto, I doubt it will be the magic bullet it's hyped to be. I'm sure applications will be limited, and we'll all still keep trying to stay one step ahead of the attackers.
Re: (Score:2)
Quantum crypto is breakable, the only benefit is that you can tell what packets are sniffed. So, if you only use unsniffed packets, you're guaranteed nobody else has those - at least at that time. You can't guarantee it for later on, at least to the same degree of certainty, but you can produce a reasonable level of trust. An A1-class OS with tamper-resistant hardware and strong authentication should put the cost of getting to the key above most infiltrators. Not all, and the greatest vulnerability is still
Re: (Score:2)
Re:Good to see Bruce back (Score:5, Interesting)
Would you prefer that he had remained a quiet researcher for the last decade? Would the world be better off if he had?
We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?
Celebrity has become a smear word, but smearing all celebrities reveals only our own inability to recognize true expertise and talent.
Re: (Score:2)
When one has used ones celebrity status primarily to advance ones political beliefs and to lend unwarranted weight to claims in fields where one has no expertise - yes, it re
Re: (Score:2)
You may call pointing out that the Emperor has no clothes a political belief, but when the facts show that the Emperor is in fact naked, that's too bloody bad for you. Reality does not bend to your preferences.
And you're one to talk. Your beliefs about SCO and the bullshit you asserted in that case have become legendary.
Mart
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
Bruce is the opposite of a traditional peddler in my view; he comes at problems from an obviously wide perspective and a deep understanding of his expertise; cryptography. I see most of his 'light-weight' contributions to security as those moments where he's trying to explain how cryptography, his passion, will not solve your problems.
He frequently explains how cryptography doesn't implicitly guarantee security, that security is a larger process that involves many other factors of which good cryptography i
Time to get glasses (Score:5, Funny)
Read the title as "Skin Hash Function". For a moment, wasn't sure if this was a SFW article.
Re:Time to get glasses (Score:4, Funny)
Yeah, me too. I had wondered if there was some sort of cream you could put on it.
Re:Time to get glasses (Score:5, Funny)
Of course! Or it gets the hose again.
Re: (Score:2)
FYI: Skein is pronounced like vein (i.e. "skane") (Score:3, Informative)
Reference: http://www.merriam-webster.com/dictionary/skein [merriam-webster.com]
Re:FYI: Skein is pronounced like vein (i.e. "skane (Score:3, Funny)
Funny, your website indicates the star trek pronunciation \'Skhaaaaaaaaan\
Re: (Score:2)
Funny, your website indicates the star trek pronunciation \'Skhaaaaaaaaan\
It might in IPA, but Merriam-Webster's English-to-English dictionaries do not use IPA. Instead, they use a traditional English phonetic alphabet, where a-bar represents the "a" in "ace" or the "ey" in "they", spelled in X-SAMPA as [eI].
It's too bad Slashdot's character whitelist doesn't include anything with a macron; otherwise, this post would have been easier both to write and to read.
From the fpdf (Score:4, Informative)
http://www.schneier.com/skein.html [schneier.com]
Re: (Score:2)
fpdf -> (fsoftware) -> fhtml
Hence, *from* the fpdf.
Hax (Score:5, Interesting)
I love hearing about new functions, but the fundamental growth of the security industry has me concerned for the well-being of my cat -- HR director for a large corporation that shall remain nameless (although they dabble in web security). The growth of industry standards like SHA, typically stimulates additional growth in other market-based drives for change, and this is all pioneered by an industry that brought us the y2k bug, which was a total success. We made millions and did so in an unapologetic fashion. Keep em coming!
Summary: I want more money, so keep hacking and we'll keep thinking up ways to protect people from ourselves.
Re:Hax (Score:5, Funny)
Did you know your uid is a prime number when interpreted in base 7 or 11?
How do you sleep at night?
Re: (Score:2)
Did you know your uid is a prime number when interpreted in base 7 or 11? How do you sleep at night?
If he tells anyone about it, chances are the answer is "lonely".
Answer to Life, the Universe, and Everything (Score:2, Funny)
It's also the Answer to Life, the Universe, and Everything (once you adjust for inflation, from 42).
Re: (Score:2)
Did you know your uid is a prime number when interpreted in base 7 or 11?
Must... resist...
I can't take it anymore. I hoped someone else would point out that his UID has a 7 in it so it can't be a base-7 number.
Gah, you all suck. I'm going to go throw rocks at inanimate objects until I feel less geeky.
Re: (Score:2)
There's no 7 in 56... Or am I missing something?
Re: (Score:2)
Crud. Slashdot's Discussion2 system made that show up under a different parent. Never mind.
Re: (Score:2)
Caution, this guy's UID has the following prime factors:
2 2 2 419
That means he's a scammer that's in to computers... be careful around him. He could easily not be "Just Some Guy" but actually be "Zero Cool" in disguise.
You can trust what I say, my UID is prime.
A likely story (Score:5, Funny)
Re:A likely story (Score:4, Informative)
For those who didn't know and can't be bothered to even skim the PDF, the first footnote says:
Of course, the copy and paste doesn't quite do it justice.
(I blame Slashcode.)
What the hell is Threefish (Score:4, Interesting)
Re:What the hell is Threefish (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Torklingberg's point is that you shouldn't expect to find word one about threefish. It's just been published in this paper. Who could possibly be talking about it, psychics?
Re: (Score:2)
Which is pretty much what I got from reading the introduction to said paper. My question was posited to discover why there was no information on it, which was more completely answered by later replies, which stated it was just published as a part of this paper; nobody has had time to run any independent cryptanalysis on it.
Re: (Score:3, Insightful)
Threefish is the name of the block cipher part of Skein.
I thought Redfish and Bluefish came after Twofish.
Re:What the hell is Threefish (Score:5, Informative)
From the article (Score:4, Informative)
Quoted from the comments section
"Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken."
Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then.
I think your intertubes are clogged.
Posted by: Bruce Schneier at October 30, 2008 7:24 PM
Re: (Score:2)
Re: (Score:2)
Yay.
Re:From the article (Score:4, Insightful)
I could go on, but hopefully I've made my point.
Re: (Score:2)
I don't think you understand the point - 'His' in the case above refers to Bruce Schneier one of the authors of the paper.
The paper was announced in his (Bruce Schneier's) blog.
That particular blog can hardly then be referred to as a 'random' blog. It is more specifically the exact blog that announced the paper that you read.
Re: (Score:2)
Re:What the hell is Threefish (Score:5, Funny)
the algorithm's no good (Score:3, Funny)
Quick trick function stack (Score:5, Funny)
I do not like it encrypting my stocks,
I do not like it securing my box,
I do not like it, sam-I-am.
Re: (Score:2)
Re:What the hell is Threefish (Score:5, Funny)
Re: (Score:2)
The Cat in the Hat fed 'em to Thing 1 and Thing 2 for breakfast.
Re: (Score:2)
Re: (Score:2, Funny)
If you take the redfish, you can go back to your previous life...
Hey, leave me alone!
Re: (Score:2)
Bruce should go to Washington (Score:5, Insightful)
Bruce is the friggin' man. He ought to get some kind of advisory role in the next administration. I think his views on security in general would help straighten out a lot of FUD...assuming that anyone in Washington would actually listen to him, that is. :)
Bruce Schneier Facts (Score:5, Funny)
There are no finite state machines. There are only a series of states that Bruce Schneier allows to exist.
Bruce Schneier can tell you where to find your GPG key into the digits of PI.
Bruce Schneier owns a chicken that lays scrambled eggs. Whenever he wants a hard-boiled egg, he just unscrambles one.
SHA = "Schneier has access" SHA2 = "Schneier has access - and a spare too"
When transmitted over any socket, Bruce Schneier's public key causes libpcap to enter an infinite malloc loop.
Bruce Schneier knows Alice and Bob's shared secret.
Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.
Bruce Schneier knows the state of schroedinger's cat
When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.
Bruce Schneier once decrypted a box of AlphaBits.
http://geekz.co.uk/schneierfacts/ [geekz.co.uk]
Re: (Score:2)
politicians => ~honest
|Politicians|Honest|Result|
| f | f | t |
| f | t | t |
| t | f | t |
| t | t | f |
Honest politicians is a logical incoherence.
Sounds good, but MD5 et al. still have a place (Score:5, Informative)
Disclaimer: I'm not a cryptographer, and I'm not a professional (anything). This post is based on my understanding, which may be wrong. Corrections accepted and welcomed.
Yes, MD5 [wikipedia.org] is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).
You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.
However, this is not the only use for hash functions. Hash functions are also used to obscure passwords. "Wait", I hear you say, "what about rainbow tables?". Wikipedia says (from the link above)
That's right folks, if you know what you are doing, you can still use MD5.
Basically, you have to salt your passwords before storing them in the DB (in case the DB gets broken into), send the original salt, and another (random) salt along with the login page, make sure that everyone hashes in the correct order and compare. Simplified, but I'm sure you're all intelligent enough to find what I'm talking about.
VoilÃ, a safe method of using MD5. (As far as I know, there is still no way to convert an MD5 hash back into the original text, or even a possible original text without using a Rainbow table [wikipedia.org].)
-----
That said, new hashing methods are always welcome. Especially when it comes to things like checksums. (I can't believe some websites still relay on MD5...)
Re: (Score:2)
MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.
Whirlpool, for example, is much, much better and more secure.
Re: (Score:3, Insightful)
MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.
Well, I still use it as a replacement for cksum to make checksum files for DVDs and the like (which is not a security critical task). It runs marginally faster than cksum (and much faster than sha1sum) on my machine, and the 'md5sum -c' option lets me conveniently verify whole directory trees.
Re: (Score:2)
CHAP relies on MD5 (or whatever is being used) being one-way function.
With rainbow tables it is arguable how one-way MD5 is. That is, how much information of the secret key MD5 exposes. Clearly this is unnecessarily high.
Re:Sounds good, but MD5 et al. still have a place (Score:5, Informative)
Wrong.
The MD5 attacks demonstrated are collision attacks [wikipedia.org] - attacks where you generate two datasets that hash to the same MD5 hash.
What you are describing is a Preimage attack [wikipedia.org]. Finding a dataset that has the same MD5 hash to an existing dataset is a different attack which is many orders of magnitude harder than collision attack, and AFAIK, has so far not been demonstrated yet for MD5.
Re:Sounds good, but MD5 et al. still have a place (Score:4, Interesting)
If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.
Thus, it's quite easy to craft preimages, if you're not really concerned with the contents of the resulting payload.
Now, if given MD5(a), it's not (yet) possible to craft a possible payload "a", but I'm sure it'll be figured out soon.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.
The difference between a collision and a preimage attack is that in a collision, "a", "b", and "c" are all of your own design, while in a pre-image attack, "a" is a pre-existing document and you want to create a second document "b", that results in the same hash.
It's much easier to find two arbitrary payloads which collide than it is to start with a fixed payload and then
Re: (Score:2)
Re: (Score:2)
Correct.
Incorrect. The GP described a second preimage attack. Three main types of attacks exist against hash function. In order of increasing complexity:
Re: (Score:2)
You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.
If you're worried about people tampering with your data, you shouldn't use any checksum. Sign it with PGP.
If you just want to check that your download didn't corrupt, MD5 is still fine for that purpose.
Re: (Score:2, Insightful)
Re: (Score:2)
To create a valid PGP signature, the attacker needs your private key. To create a valid checksum, all they have to do is run their bad data through the checksum algorithm and replace the checksum.txt file or whatever. Clearly one is much more secure than the other.
But in a strictly pedantic sense, you are correct. I should have said, "don't use checksums only".
Re: (Score:2)
PGP may do that, but note that a hash is a convenience, used because it's much smaller than the original document, so encrypting/decrypting the signature uses fewer computational resources. A "real" hash is not however required to sign a document: just provide the original docum
Re: (Score:2)
Well, not quite. The block size for RSA is equ
Re: (Score:2)
Mostly secure isn't good enough. There is no reason to continue using MD5; it's not like there aren't better alternatives, and it's not like it's growing more secure with time.
Re: (Score:2)
Well, thank God or that. First, MD5 is not broken the way you say it is. Yes, it is broken, but you can't just create a string that will have a wanted hash. Maybe you'll can at the near future, but you can't do that now.
Second, salt won't save a broken hash. Salting will protect you when you use a (unbroken) hash function against a big set of data. Without salting there is a big chance of any random value being on your set of hashes. A colateral effect of salting is that it will ma
Re: (Score:2)
> You should thus not use MD5 to authenticate documents and other data as being
> "not-tampered with". As a checksum algorithm, it should not be used.
As a security checksum algorithm, it should not be used. There are other uses for checksums.
Re:Sounds good, but MD5 et al. still have a place (Score:5, Funny)
That isn't even remotely true. MD5 has been demonstrated to be easier to break than advertised, therefore it is wise to use better hashes. But when I say "better than advertised" I'm saying defeating a good hash is about as easy as any of us getting Angelina Jolie in the sack; but someone has discovered a trick that makes defeating MD5 about as easy as bagging Paris Hilton. For all practical purposes, none of us will achieve either, but Paris is still no Angelina Jolie...
experts (Score:3, Insightful)
Cryptography: Unique in computing in that it is a field where the so-called experts, really are experts
--modified from Jack Handy
Re: (Score:2)
Cryptography: Unique in computing in that it is a field where the so-called experts, really are experts
--modified from Jack Handy
We tend to scoff at the beliefs of the security experts. But we can't scoff at them personally, to their faces, and this is what annoys me.
Its a trap! (Score:2)
Bearforce Schneier? (Score:2)
Re:Bearforce Schneier? (Score:4, Funny)
Re: (Score:2)
Hashes collide.. (Score:2)
Skein, (Score:4, Interesting)
Oh what a Tangled Skein we weave.
When we first practice to Deceive.
A new hash has been designed
With File Security firm in mind.
With Threefish this Skein will defeat
Those who would infect and mistreat
One fish two fish red fish blue fishes :-]
Kiss my ass you scummy soap dishes.
Signed, Dr. Pseussdonym.
More submissions (Score:3, Informative)
I expect it will take a little while for NIST to compile all the submissions and put them online. In the meantime, someone has started compiling a list (which is unofficial and incomplete, but still useful):
http://131002.net/sha3lounge/ [131002.net]
PHP extension for the Skein hash is available (Score:2, Interesting)
A PHP extension for the Skein hash is now available.
You can download it from:
http://download.pureftpd.org/php-skein-hash/ [pureftpd.org]
From Bruce Schneier?! (Score:2)
I hate it when people ignore many names for a single bigger name.
Re: (Score:2)
They're the mythical Norse heroes from his epic passpoem.
Export Control (Score:2)
From Schneier:
Skein is defined for three different internal state sizesâ"256 bits, 512 bits, and 1024 bits [...]. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: [...] a stream cipher
So it does symmetric crypto with big keys [I assume the key size is either one internal state, or user-chosen].
Are there still crypto export laws in place? Would this impact Skein? Or will lawyers argue that encryption isn't it's primary purpose? Or...
Personally I hope... (Score:2)
Personally I hope they just settle on Whirlpool [wikipedia.org]. "The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard." It's based on AES, patent-free wtih reference implementation in public domain and has been analyzed up and down already. But in all honesty, whatever's good enough for the NSA is probably good enough for m
Re: (Score:2)
I seem to recall that Whirlpool was also the ONLY hash submitted to the NESSIE project, so that's not saying all THAT much.
Also, I'd imagine any standard chosen by NIST would be patent free and public domain.
"Optional Arguments", not just for skein? (Score:2)
For the crypto geeks, and those interested: look at the paper, section 2.5 "Optional arguments"
A Skein computation consists of processing these options in order, using UBI. Each input has a
different "type" value for the tweak, ensuring that inputs are not interchangeable.
Q: Couldn't you get the same effect for any other hash function?
A: Yes, I think. If there's extra data you want to tie to the message, come up with a type-length-value encoding scheme;
To tie a randomized hash value to the public key used to verify the signature, simply do H("nonce:64:" || the_nonce || "pubkey:1024:" || the_pubkey || "message:$length:" || the_message).
Or use numbers instead of names to identify ty
Can't we use AES? (Score:2)
Any block cipher can be used as a hash function in feedback mode.
(Also as a stream chiper - there's nothing they can't do!)