Now From Bruce Schneier, the Skein Hash Function

An anonymous reader writes "Bruce Schneier and company have created a new hash function called Skein. From his blog entry: 'NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper."
  • by Anonymous Coward

    a skin rash function? WTF?!?

  • by account_deleted ( 4530225 ) on Friday October 31, 2008 @09:52AM (#25583411)
    Comment removed based on user account deletion
    • Re: (Score:3, Funny)

      by melikamp ( 631205 )
      Actually, you got it all wrong. As anyone concerned with personal security, Bruce Schneier has a decoy [wikipedia.org].
    • Would you prefer that he had remained a quiet researcher for the last decade? Would the world be better off if he had?

      We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?

      Celebrity has become a smear word, but smearing all celebrities reveals only our own inability to recognize true expertise and talent.

      • We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?

        When one has used ones celebrity status primarily to advance ones political beliefs and to lend unwarranted weight to claims in fields where one has no expertise - yes, it re

        • by mvdwege ( 243851 )

          You may call pointing out that the Emperor has no clothes a political belief, but when the facts show that the Emperor is in fact naked, that's too bloody bad for you. Reality does not bend to your preferences.

          And you're one to talk. Your beliefs about SCO and the bullshit you asserted in that case have become legendary.

          Mart

    • Re: (Score:3, Insightful)

      by bigredradio ( 631970 )
      For more info about bruce: http://geekz.co.uk/lovesraymond/archive/bruce-schneier-facts [geekz.co.uk]
    • Re: (Score:3, Interesting)

      by MikeBabcock ( 65886 )

      Bruce is the opposite of a traditional peddler in my view; he comes at problems from an obviously wide perspective and a deep understanding of his expertise; cryptography. I see most of his 'light-weight' contributions to security as those moments where he's trying to explain how cryptography, his passion, will not solve your problems.

      He frequently explains how cryptography doesn't implicitly guarantee security, that security is a larger process that involves many other factors of which good cryptography i

  • by smooth wombat ( 796938 ) on Friday October 31, 2008 @09:56AM (#25583483) Journal

    Read the title as "Skin Hash Function". For a moment, wasn't sure if this was a SFW article.

  • by Anonymous Coward on Friday October 31, 2008 @09:57AM (#25583517)

    Reference: http://www.merriam-webster.com/dictionary/skein [merriam-webster.com]

    • by Anonymous Coward

      Funny, your website indicates the Star Trek pronunciation 'Skhaaaaaaaaan'

      • by tepples ( 727027 )

        Funny, your website indicates the Star Trek pronunciation 'Skhaaaaaaaaan'

        It might in IPA, but Merriam-Webster's English-to-English dictionaries do not use IPA. Instead, they use a traditional English phonetic alphabet, where a-bar represents the "a" in "ace" or the "ey" in "they", spelled in X-SAMPA as [eI].

        It's too bad Slashdot's character whitelist doesn't include anything with a macron; otherwise, this post would have been easier both to write and to read.

  • From the fpdf (Score:4, Informative)

    by Bonker ( 243350 ) on Friday October 31, 2008 @09:58AM (#25583535)
  • Hax (Score:5, Interesting)

    by mfh ( 56 ) on Friday October 31, 2008 @09:58AM (#25583537) Homepage Journal

    I love hearing about new functions, but the fundamental growth of the security industry has me concerned for the well-being of my cat -- HR director for a large corporation that shall remain nameless (although they dabble in web security). The growth of industry standards like SHA, typically stimulates additional growth in other market-based drives for change, and this is all pioneered by an industry that brought us the y2k bug, which was a total success. We made millions and did so in an unapologetic fashion. Keep em coming!

    Summary: I want more money, so keep hacking and we'll keep thinking up ways to protect people from ourselves.

    • Re:Hax (Score:5, Funny)

      by The Clockwork Troll ( 655321 ) on Friday October 31, 2008 @10:46AM (#25584397) Journal

      Did you know your uid is a prime number when interpreted in base 7 or 11?

      How do you sleep at night?

      • Did you know your uid is a prime number when interpreted in base 7 or 11? How do you sleep at night?

        If he tells anyone about it, chances are the answer is "lonely".

      • Did you know your uid is a prime number when interpreted in base 7 or 11?

        It's also the Answer to Life, the Universe, and Everything (once you adjust for inflation, from 42).

      • Did you know your uid is a prime number when interpreted in base 7 or 11?

        Must... resist...

        I can't take it anymore. I hoped someone else would point out that his UID has a 7 in it so it can't be a base-7 number.

        Gah, you all suck. I'm going to go throw rocks at inanimate objects until I feel less geeky.

        • by Mozk ( 844858 )

          There's no 7 in 56... Or am I missing something?

        • by SnowZero ( 92219 )

          Caution, this guy's UID has the following prime factors:
              2 2 2 419
          That means he's a scammer that's in to computers... be careful around him. He could easily not be "Just Some Guy" but actually be "Zero Cool" in disguise.

          You can trust what I say, my UID is prime.

  • by Anonymous Coward on Friday October 31, 2008 @10:02AM (#25583603)
    How do we know he's not just spinning a good yarn here?
  • by ciroknight ( 601098 ) on Friday October 31, 2008 @10:03AM (#25583619)
    Certainly it's related to Blowfish and Twofish, but I cannot find a word one on Threefish outside of this document. Anyone care to explain for some good karma?
    • by TorKlingberg ( 599697 ) on Friday October 31, 2008 @10:12AM (#25583803)
      Threefish is the name of the block cipher part of Skein.
      • Your powers of deduction are amazing Holmes.
        • by oni ( 41625 )

          Torklingberg's point is that you shouldn't expect to find word one about threefish. It's just been published in this paper. Who could possibly be talking about it, psychics?

          • No, his point was in its entirety: "Threefish is the name of the block cipher part of Skein."

            Which is pretty much what I got from reading the introduction to said paper. My question was posited to discover why there was no information on it, which was more completely answered by later replies, which stated it was just published as a part of this paper; nobody has had time to run any independent cryptanalysis on it.
      • Re: (Score:3, Insightful)

        by Legion_SB ( 1300215 )

        Threefish is the name of the block cipher part of Skein.

        I thought Redfish and Bluefish came after Twofish.

    • by dnwq ( 910646 ) on Friday October 31, 2008 @10:25AM (#25584019)
      Schneier, responding to 'shadowfirebird's comment on his blog:

      "Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken." Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then. I think your intertubes are clogged.

    • From the article (Score:4, Informative)

      by joeflies ( 529536 ) on Friday October 31, 2008 @10:25AM (#25584029)
      you're asking a recursive question - it was announced in the paper. The following is a blog post from the comments section.

      Quoted from the comments section

      "Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken."

      Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then.

      I think your intertubes are clogged.

      Posted by: Bruce Schneier at October 30, 2008 7:24 PM

      • I normally don't read comments on random blogs, so I missed this piece of (important) trivia. Thanks.
        • by gnud ( 934243 )
          You don't read random blogs, but comment on stories about papers published in said blog.
          Yay.
          • by ciroknight ( 601098 ) on Friday October 31, 2008 @11:54AM (#25585539)
            Slashdot is more of a general forum for discussion, whereas blogs typically are not. Slashdot has a better set of regular contributors and more even opinions on topics than most blogs do (due to intellectual and geographic and other biases). There are a lot of advantages to discussing things on Slashdot, like having comments prefiltered and screened for content worth reading and adjustable filters to keep the noise floor low.

            I could go on, but hopefully I've made my point.
            • by babyrat ( 314371 )

              I don't think you understand the point - 'His' in the case above refers to Bruce Schneier, one of the authors of the paper.

              The paper was announced in his (Bruce Schneier's) blog.

              That particular blog can hardly then be referred to as a 'random' blog. It is more specifically the exact blog that announced the paper that you read.

              • by fbjon ( 692006 )
                That information property of the blog is cancelled out by it being TFA, which no-one can read.
    • by andrewd18 ( 989408 ) on Friday October 31, 2008 @10:42AM (#25584313)
      Personally, I'm waiting for the cypher built on Onefish, Twofish, Redfish, and Bluefish.
    • by Mister Whirly ( 964219 ) on Friday October 31, 2008 @11:01AM (#25584639) Homepage
      or what about Redfish and Bluefish?
    • Threefish is to Twofish as Dreadfish is to Blowfish.
  • by multiOSfreak ( 551711 ) <culturejam.gmail@com> on Friday October 31, 2008 @10:05AM (#25583659) Homepage Journal

    Bruce is the friggin' man. He ought to get some kind of advisory role in the next administration. I think his views on security in general would help straighten out a lot of FUD...assuming that anyone in Washington would actually listen to him, that is. :)

    • by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Friday October 31, 2008 @11:29AM (#25585065)

      There are no finite state machines. There are only a series of states that Bruce Schneier allows to exist.

      Bruce Schneier can tell you where to find your GPG key into the digits of PI.

      Bruce Schneier owns a chicken that lays scrambled eggs. Whenever he wants a hard-boiled egg, he just unscrambles one.

      SHA = "Schneier has access" SHA2 = "Schneier has access - and a spare too"

      When transmitted over any socket, Bruce Schneier's public key causes libpcap to enter an infinite malloc loop.

      Bruce Schneier knows Alice and Bob's shared secret.

      Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

      Bruce Schneier knows the state of Schroedinger's cat.

      When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.

      Bruce Schneier once decrypted a box of AlphaBits.

      http://geekz.co.uk/schneierfacts/ [geekz.co.uk]

  • by apathy maybe ( 922212 ) on Friday October 31, 2008 @10:16AM (#25583879) Homepage Journal

    Disclaimer: I'm not a cryptographer, and I'm not a professional (anything). This post is based on my understanding, which may be wrong. Corrections accepted and welcomed.

    Yes, MD5 [wikipedia.org] is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

    You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.

    However, this is not the only use for hash functions. Hash functions are also used to obscure passwords. "Wait", I hear you say, "what about rainbow tables?". Wikipedia says (from the link above)

    Recently, a number of projects have created MD5 "rainbow tables" which are easily accessible online, and can be used to reverse many MD5 hashes into strings that collide with the original input, usually for the purposes of password cracking. However, if passwords are combined with a salt before the MD5 digest is generated, rainbow tables become much less useful.

    That's right folks, if you know what you are doing, you can still use MD5.

    Basically, you have to salt your passwords before storing them in the DB (in case the DB gets broken into), send the original salt, and another (random) salt along with the login page, make sure that everyone hashes in the correct order and compare. Simplified, but I'm sure you're all intelligent enough to find what I'm talking about.

    Voilà, a safe method of using MD5. (As far as I know, there is still no way to convert an MD5 hash back into the original text, or even a possible original text without using a Rainbow table [wikipedia.org].)

    -----

    That said, new hashing methods are always welcome. Especially when it comes to things like checksums. (I can't believe some websites still rely on MD5...)

    • by jhol13 ( 1087781 )

      MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.

      Whirlpool, for example, is much, much better and more secure.

      • Re: (Score:3, Insightful)

        by Waffle Iron ( 339739 )

        MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.

        Well, I still use it as a replacement for cksum to make checksum files for DVDs and the like (which is not a security critical task). It runs marginally faster than cksum (and much faster than sha1sum) on my machine, and the 'md5sum -c' option lets me conveniently verify whole directory trees.

    • by tangent3 ( 449222 ) on Friday October 31, 2008 @10:32AM (#25584143)

      Yes, MD5 [wikipedia.org] is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

      Wrong.
      The MD5 attacks demonstrated are collision attacks [wikipedia.org] - attacks where you generate two datasets that hash to the same MD5 hash.

      What you are describing is a Preimage attack [wikipedia.org]. Finding a dataset that has the same MD5 hash to an existing dataset is a different attack which is many orders of magnitude harder than collision attack, and AFAIK, has so far not been demonstrated yet for MD5.

      • by MostAwesomeDude ( 980382 ) on Friday October 31, 2008 @10:40AM (#25584285) Homepage

        If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.

        Thus, it's quite easy to craft preimages, if you're not really concerned with the contents of the resulting payload.

        Now, if given MD5(a), it's not (yet) possible to craft a possible payload "a", but I'm sure it'll be figured out soon.

        • by gnud ( 934243 )
          All payloads x with md5(x) = md5(a) are possibly = a. A computer really can't do much better than that.
          • by et764 ( 837202 )
            Given that there are only 2^128 possible values for md5(a), and effectively infinite possible values for x (since it can be any length), I'd say if you happen to find an x with md5(x) equal to md5(a), it's almost certain that x != a.
        • by evanbd ( 210358 )
          That's still just a collision, not a preimage. The definition of a preimage attack is the ability to go from MD5(x1) to x2 such that MD5(x2) == MD5(x1). The fact that you can generate additional collisions once you've found the first has no (direct) bearing on your ability to work backwards. In order for your concatenation process to be useful, you somehow have to generate a and b such that one of them is the same as the start of your message text -- the current collision attacks give you very little con
        • If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.

          The difference between a collision and a preimage attack is that in a collision, "a", "b", and "c" are all of your own design, while in a pre-image attack, "a" is a pre-existing document and you want to create a second document "b", that results in the same hash.

          It's much easier to find two arbitrary payloads which collide than it is to start with a fixed payload and then

      • by afidel ( 530433 )
        Correct, and getting a Preimage attack that generates a useful binary that collides with the original and has the same size would still be extremely difficult even if a more broad preimage attack was known.
      • The MD5 attacks demonstrated are collision attacks

        Correct.

        What you are describing is a Preimage attack.

        Incorrect. The GP described a second preimage attack. Three main types of attacks exist against hash functions. In order of increasing complexity:

        • Collision attack. (You are correct in that so far only this type of attack has been demonstrated against MD5.)
        • Second preimage attack.
        • Preimage attack.
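The extension property MostAwesomeDude describes, and the gap between a collision and a second preimage that evanbd and the list above draw, worked through on a toy Merkle-Damgard hash. This is an added example, not code from the thread or the Skein paper; the compression function (SHA-256 truncated to 18 bits) and the 8-byte block are constructed so the searches finish in seconds.

```python
import hashlib

BITS = 18   # toy: truncate the chaining value to 18 bits so the attacks finish quickly
BLOCK = 8   # toy block size in bytes; real MD5 uses 64-byte blocks and a 128-bit state
MASK = (1 << BITS) - 1


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 over (state || block), truncated to BITS bits.
    Only the truncation is weak; the iterated structure is what the example is about."""
    digest = hashlib.sha256(state.to_bytes(4, "big") + block).digest()
    return int.from_bytes(digest[:4], "big") & MASK


def md_hash(msg: bytes) -> int:
    """Merkle-Damgard iteration as MD5 and SHA-1 use it: append 0x80, zero-pad, append
    the message length, then chain the compression function over the blocks."""
    padded = msg + b"\x80"
    while (len(padded) + 8) % BLOCK:
        padded += b"\x00"
    padded += len(msg).to_bytes(8, "big")
    state = 0
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_collision():
    """Birthday search for two distinct one-block messages with the same chaining value.
    Returns (a, b, tries); expected cost is about 2^(BITS/2) compressions."""
    seen = {}
    for i in range(1 << (BITS + 1)):
        blk = i.to_bytes(BLOCK, "big")
        h = compress(0, blk)
        if h in seen:
            return seen[h], blk, i + 1
        seen[h] = blk
    raise RuntimeError("no collision found")


def find_second_preimage(target: bytes):
    """Brute-force search for b != target with the same chaining value as target.
    Returns (b, tries); expected cost is about 2^BITS compressions, because one side of
    the pair is fixed in advance and the birthday shortcut no longer applies."""
    want = compress(0, target)
    for i in range(1 << (BITS + 4)):
        blk = i.to_bytes(BLOCK, "big")
        if blk != target and compress(0, blk) == want:
            return blk, i + 1
    raise RuntimeError("no second preimage found")


def extension_holds(a: bytes, b: bytes, suffix: bytes) -> bool:
    """The property from the thread: same-length colliding prefixes stay colliding under
    any appended suffix, since the chaining value entering the suffix blocks is identical."""
    return md_hash(a + suffix) == md_hash(b + suffix)


if __name__ == "__main__":
    a, b, c_tries = find_collision()
    print(f"collision after {c_tries} tries; survives a suffix:",
          extension_holds(a, b, b"any suffix the attacker likes"))
    target = b"fixedmsg"  # constructed one-block target
    b2, p_tries = find_second_preimage(target)
    print(f"second preimage of {target!r} after {p_tries} tries")
```

The printed counts show why the thread's distinction matters: the extension trick only ever produces more collisions between two attacker-chosen prefixes, while matching a prefix somebody else fixed costs the full 2^BITS work.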
    • by Hatta ( 162192 )

      You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.

      If you're worried about people tampering with your data, you shouldn't use any checksum. Sign it with PGP.

      If you just want to check that your download didn't corrupt, MD5 is still fine for that purpose.

      • Re: (Score:2, Insightful)

        by theapeman ( 1068448 )
        And how do you think PGP signs something? It takes a checksum of it (hopefully avoiding md5) and passes that through the signature algorithm (RSA or something similar). So you can't avoid the checksum (hash function) by using PGP.
        • by Hatta ( 162192 )

          To create a valid PGP signature, the attacker needs your private key. To create a valid checksum, all they have to do is run their bad data through the checksum algorithm and replace the checksum.txt file or whatever. Clearly one is much more secure than the other.

          But in a strictly pedantic sense, you are correct. I should have said, "don't use checksums only".

        • And how do you think PGP signs something? It takes a checksum of it (hopefully avoiding md5) and passes that through the signature algorithm (RSA or something similar). So you can't avoid the checksum (hash function) by using PGP.

          PGP may do that, but note that a hash is a convenience, used because it's much smaller than the original document, so encrypting/decrypting the signature uses fewer computational resources. A "real" hash is not however required to sign a document: just provide the original docum
    • Mostly secure isn't good enough. There is no reason to continue using MD5; it's not like there aren't better alternatives, and it's not like it's growing more secure with time.

    • "I'm not a cryptographer"

      Well, thank God for that. First, MD5 is not broken the way you say it is. Yes, it is broken, but you can't just create a string that will have a wanted hash. Maybe you'll be able to in the near future, but you can't do that now.

      Second, salt won't save a broken hash. Salting will protect you when you use an (unbroken) hash function against a big set of data. Without salting there is a big chance of any random value being in your set of hashes. A collateral effect of salting is that it will ma

    • > You should thus not use MD5 to authenticate documents and other data as being
      > "not-tampered with". As a checksum algorithm, it should not be used.

      As a security checksum algorithm, it should not be used. There are other uses for checksums.

    • by Lord Ender ( 156273 ) on Friday October 31, 2008 @12:09PM (#25585839) Homepage

      Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

      That isn't even remotely true. MD5 has been demonstrated to be easier to break than advertised, therefore it is wise to use better hashes. But when I say "better than advertised" I'm saying defeating a good hash is about as easy as any of us getting Angelina Jolie in the sack; but someone has discovered a trick that makes defeating MD5 about as easy as bagging Paris Hilton. For all practical purposes, none of us will achieve either, but Paris is still no Angelina Jolie...

  • experts (Score:3, Insightful)

    by flynt ( 248848 ) on Friday October 31, 2008 @10:26AM (#25584065)

    Cryptography: Unique in computing in that it is a field where the so-called experts, really are experts

    --modified from Jack Handy

    • Cryptography: Unique in computing in that it is a field where the so-called experts, really are experts

      --modified from Jack Handy

      We tend to scoff at the beliefs of the security experts. But we can't scoff at them personally, to their faces, and this is what annoys me.

  • first line of the pdf.... Niels Ferguson Microsoft Corp., niels@microsoft.com
  • Am I the only one that looks at Bruce [schneier.com] and thinks Bearforce1? [bearforce1.nl]
  • ..when they swerve to avoid Bruce Schneier!
  • Skein, (Score:4, Interesting)

    by popeye44 ( 929152 ) on Friday October 31, 2008 @11:28AM (#25585037)

    Oh what a Tangled Skein we weave.
    When we first practice to Deceive.

    A new hash has been designed
    With File Security firm in mind.

    With Threefish this Skein will defeat
    Those who would infect and mistreat

    One fish two fish red fish blue fishes
    Kiss my ass you scummy soap dishes. :-]
    Signed, Dr. Pseussdonym.


  • More submissions (Score:3, Informative)

    by LargeMythicalReptile ( 531143 ) on Friday October 31, 2008 @12:15PM (#25585923)

    I expect it will take a little while for NIST to compile all the submissions and put them online. In the meantime, someone has started compiling a list (which is unofficial and incomplete, but still useful):

    http://131002.net/sha3lounge/ [131002.net]

  • A PHP extension for the Skein hash is now available.

    You can download it from:
    http://download.pureftpd.org/php-skein-hash/ [pureftpd.org]

  • From Bruce Schneier? So what are those seven others?!
    I hate it when people ignore many names for a single bigger name.
    • From Bruce Schneier? So what are those seven others?!

      They're the mythical Norse heroes from his epic passpoem.

  • From Schneier:

    Skein is defined for three different internal state sizes - 256 bits, 512 bits, and 1024 bits [...]. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: [...] a stream cipher

    So it does symmetric crypto with big keys [I assume the key size is either one internal state, or user-chosen].

    Are there still crypto export laws in place? Would this impact Skein? Or will lawyers argue that encryption isn't its primary purpose? Or...

  • Personally I hope they just settle on Whirlpool [wikipedia.org]. "The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard." It's based on AES, patent-free with reference implementation in public domain and has been analyzed up and down already. But in all honesty, whatever's good enough for the NSA is probably good enough for m

    • by Goaway ( 82658 )

      I seem to recall that Whirlpool was also the ONLY hash submitted to the NESSIE project, so that's not saying all THAT much.

      Also, I'd imagine any standard chosen by NIST would be patent free and public domain.

  • For the crypto geeks, and those interested: look at the paper, section 2.5 "Optional arguments"

    A Skein computation consists of processing these options in order, using UBI. Each input has a different "type" value for the tweak, ensuring that inputs are not interchangeable.

    Q: Couldn't you get the same effect for any other hash function?

    A: Yes, I think. If there's extra data you want to tie to the message, come up with a type-length-value encoding scheme;

    To tie a randomized hash value to the public key used to verify the signature, simply do H("nonce:64:" || the_nonce || "pubkey:1024:" || the_pubkey || "message:$length:" || the_message).

    Or use numbers instead of names to identify ty
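The name:length: framing the comment sketches, as an added example that is not code from the thread or the Skein paper. It shows the failure the tweak "type" values and this framing both prevent: with bare concatenation two different (nonce, pubkey, message) triples produce the same hash input, while the framed encoding is unambiguous and decodes back to exactly one triple. Decimal byte lengths and ':'-free field names are my assumptions; the comment's "nonce:64:" may well mean bits.

```python
import hashlib


def plain_hash(nonce: bytes, pubkey: bytes, message: bytes) -> bytes:
    """Naive binding by bare concatenation. Field boundaries are not encoded, so a byte
    moved from the end of one field to the start of the next yields the same input."""
    return hashlib.sha256(nonce + pubkey + message).digest()


def frame(fields) -> bytes:
    """Type-length-value framing in the comment's style: 'name:length:' then the value.
    Assumption: length is the value's byte length in decimal and names contain no ':'."""
    out = b""
    for name, value in fields:
        if ":" in name:
            raise ValueError("field name must not contain ':'")
        out += f"{name}:{len(value)}:".encode() + value
    return out


def framed_hash(nonce: bytes, pubkey: bytes, message: bytes) -> bytes:
    """H("nonce:L:" || nonce || "pubkey:L:" || pubkey || "message:L:" || message)."""
    encoded = frame([("nonce", nonce), ("pubkey", pubkey), ("message", message)])
    return hashlib.sha256(encoded).digest()


def parse_frame(data: bytes):
    """Decode the framing. Each well-formed byte string decodes to exactly one field list,
    which is why two different field lists can never share a hash input."""
    fields, i = [], 0
    while i < len(data):
        j = data.index(b":", i)          # end of name (names contain no ':')
        k = data.index(b":", j + 1)      # end of decimal length
        name = data[i:j].decode()
        length = int(data[j + 1:k])
        value = data[k + 1:k + 1 + length]
        if len(value) != length:
            raise ValueError("truncated field")
        fields.append((name, value))
        i = k + 1 + length               # skip the value by length, not by delimiter
    return fields


def demo():
    """Constructed inputs: the same 9 bytes split two ways between nonce and pubkey."""
    a = (b"\x01\x02", b"\x03KEY", b"msg")
    b = (b"\x01\x02\x03", b"KEY", b"msg")
    return plain_hash(*a) == plain_hash(*b), framed_hash(*a) == framed_hash(*b)


if __name__ == "__main__":
    same_plain, same_framed = demo()
    print("bare concatenation collides:", same_plain)   # True
    print("framed encoding collides:", same_framed)     # False
    print(parse_frame(frame([("nonce", b"\x01\x02"), ("pubkey", b"a:b")])))
```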

  • Any block cipher can be used as a hash function in feedback mode.

    (Also as a stream chiper - there's nothing they can't do!)
