A five-year search to find the next-generation cryptographic hash algorithm came to an end on Oct. 2, 2012, when the National Institute of Standards and Technology (NIST) announced Keccak as the winner of its Cryptographic Hash Algorithm Competition. The Keccak (pronounced "catch-ack") algorithm will be known as "SHA-3" and will complement the SHA-1 and SHA-2 algorithms specified in FIPS 180-4, Secure Hash Standard.
Though the competition was prompted by successful attacks on MD5 and SHA-0, and the emergence of theoretical attacks on SHA-1, NIST has said that SHA-2 is still "secure and suitable for general use." If SHA-2 is still safe for use, what are the ramifications of the SHA-3 hash algorithm for enterprise security now, and when should preparations be made for implementation? Let's discuss.
Given the vital role encryption plays in modern IT systems and communications, enterprise IT teams need to be aware of this new algorithm. No significant attack on SHA-2 has been demonstrated, though, so there is no need to rush transitioning applications to SHA-3. With a design that is completely different from SHA-2, what Keccak offers now is an alternate, dissimilar cryptographic hash to existing hashes.
Cryptographic hash functions are used in many aspects of security, including digital signatures and data integrity checks. They take an electronic file, message or block of data, and generate a short digital fingerprint of the content called a "message digest" or "hash value." The key properties of a secure cryptographic hash function include the following:
- Small output length compared to input;
- Fast and efficient computation for any input;
- Any change to input affects lots of output bits;
- One-way (the input cannot feasibly be recovered from the output); and
- Strong collision resistance (it is computationally infeasible to find two different inputs that produce the same output).
The ciphers in hash functions are built for hashing: They use large keys and blocks, can efficiently change keys every block, and have been designed and vetted for resistance to related key attacks. General-purpose ciphers used for encryption tend to have different design goals. For example, the block cipher AES could also be used for generating hash values, but its key and block sizes make it nontrivial and inefficient.
Considering that the hash value must be small compared to the length of the input, hashing is essentially a type of compression function. Two cryptographers, Ralph Merkle and Ivan Damgård, independently proved that if the one-way compression function used in a hash function is collision-resistant, then the hash function is collision-resistant too. The term "Merkle-Damgård construction" refers to cryptographic hash functions designed using a collision-resistant, one-way compression function. This construction is used in the design of many well-known algorithms, including MD5, SHA-1 and SHA-2.
Unfortunately, the Merkle-Damgård construction has certain inherent flaws, such as the length extension problem (once an attacker discovers one collision, more can be found easily) and multicollision attacks (many messages with the same hash can be found with only a little more work than collisions). One reason Keccak was chosen for the SHA-3 algorithm is that it uses a cryptographic sponge construction, which differs greatly from the Merkle-Damgård construction. Instead of utilizing a compression function, this method is based on a mixing function, which distributes bits throughout the sponge. Keccak is also hardware-friendly and efficient because most of the mixing is based on simple bitwise operations, not complex processor-intensive operations, such as integer addition. Its relatively compact size is also well-suited for small embedded devices, such as sensors, that are not full-blown computers.
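To make the absorb/squeeze structure concrete, here is an added toy sponge in Python; it is illustration code written for this article, not Keccak and not the author's own code. Its permutation keeps only a rotation, lane-reorder, chi and round-constant step, the rotation offsets and round constants are assumed toy values, and the result is not a secure hash.

```python
# Toy sponge in the style of Keccak/SHA-3. Added illustration only: the permutation is a
# cut-down stand-in (NOT Keccak-f), the constants are assumed, and the output is not secure.
MASK64 = (1 << 64) - 1
LANES = 5                 # state = 5 lanes x 64 bits = 320 bits
RATE = 16                 # bytes absorbed/squeezed per call (2 lanes); capacity = 24 bytes
ROT = (0, 36, 3, 41, 18)  # per-lane rotation offsets (assumed toy values)
RC = (0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001)  # assumed

def rotl64(x: int, n: int) -> int:
    n %= 64
    return ((x << n) | (x >> (64 - n))) & MASK64

def permute(a: list[int], rounds: int = 6) -> list[int]:
    """Mixing function built only from bitwise operations: rotate lanes (rho), reorder lanes (pi),
    Keccak's non-linear chi step a[i] ^= ~a[i+1] & a[i+2], XOR a round constant (iota)."""
    for r in range(rounds):
        a = [rotl64(a[i], ROT[i]) for i in range(LANES)]
        a = [a[(2 * i) % LANES] for i in range(LANES)]   # 2 is invertible mod 5: a bijection
        a = [a[i] ^ (~a[(i + 1) % LANES] & MASK64 & a[(i + 2) % LANES]) for i in range(LANES)]
        a[0] ^= RC[r % len(RC)]
    return a

def pad10star1(msg: bytes, rate: int) -> bytes:
    """Keccak multi-rate padding: append 0x01, zero-fill to a block boundary, set the last bit."""
    padded = bytearray(msg) + b"\x01"
    padded += b"\x00" * (-len(padded) % rate)
    padded[-1] |= 0x80
    return bytes(padded)

def sponge_hash(msg: bytes, out_len: int) -> bytes:
    state = [0] * LANES
    data = pad10star1(msg, RATE)
    # Absorb: XOR each rate-sized block into the outer lanes, then permute the whole state.
    for off in range(0, len(data), RATE):
        for i in range(RATE // 8):
            state[i] ^= int.from_bytes(data[off + 8 * i:off + 8 * i + 8], "little")
        state = permute(state)
    # Squeeze: emit the outer lanes, permute, repeat until out_len bytes are produced.
    out = bytearray()
    while len(out) < out_len:
        for i in range(RATE // 8):
            out += state[i].to_bytes(8, "little")
        state = permute(state)
    return bytes(out[:out_len])

def differing_bits(a: bytes, b: bytes) -> int:
    """Avalanche check: how many bits differ between two equal-length digests."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")
```

Squeezing more bytes simply continues the same output stream, which is how SHA-3's SHAKE functions yield variable-length digests; comparing differing_bits on this toy against hashlib.sha3_256 shows how far six cut-down rounds fall short of the real permutation's diffusion.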
Due to its different architecture, cracking SHA-3 requires a completely different approach from cracking SHA-2, so attacks against SHA-2 can't be leveraged or built on to crack SHA-3. SHA-3 isn't necessarily more secure than SHA-2, but it provides insurance against the unlikely event that SHA-2 is broken. It may be many years before Keccak enters common use, as per NIST's Policy on Hash Functions. When it does begin to appear, the SHA-3 algorithm is likely to be introduced gradually, in a similar fashion to how TLS superseded SSL. New devices and software will support both SHA-2 and SHA-3, making the transition fairly seamless and allowing legacy devices and applications to continue using SHA-2. For now, enterprises should continue concentrating on protecting their networks and users from malware attacks and giving their employees security awareness training, and not be distracted or concerned about how to accommodate this new algorithm.
About the author
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.