The National Institute of Standards and Technology published the final version of its "Secure Hash Algorithm-3" standard in August 2015 and has released it to the public, calling it a "next-generation tool for securing the integrity of electronic information."
But is it?
This tip takes a look at Secure Hash Algorithm-3 or SHA-3, how it differs from its predecessors, the additional security it offers, and how enterprises should plan for its arrival.
Exploring the need for SHA-3
Cryptographic hash functions are widely used in many aspects of security -- such as digital signatures and data integrity checks -- but play a somewhat different role than other cryptographic algorithms. They take an electronic file, message or block of data, and generate a short digital fingerprint of the content called a message digest or hash value. The ciphers in hash functions are built for hashing; they use large keys and blocks, can efficiently change keys every block, and have been designed and vetted for resistance to key-related attacks.
General-purpose ciphers used for encryption tend to have different design goals. For example, the symmetric-key block cipher AES can be used for generating hash values, but its key and block sizes make it nontrivial and inefficient.
The key properties of a secure cryptographic hash function are:
- Output length is small and fixed, regardless of the input length
- Computation is fast and efficient for any input
- Any change to the input, even a single bit, changes many of the output bits
- One-way (preimage resistance): it is infeasible to recover the input from the output
- Strong collision resistance: it is infeasible to find two different inputs that produce the same output
In 2012, NIST announced Keccak (pronounced "catch-ack") as the winner of its Cryptographic Hash Algorithm Competition, which was held to select a next-generation cryptographic secure hash algorithm; the competition launched in 2007 and received 64 submissions. The highly popular AES algorithm was selected using a similar process to ensure a thorough and transparent analysis of each submission. The new standard -- Federal Information Processing Standard (FIPS) 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions -- is available for download from NIST's website and does not differ markedly from the draft version that was released for public comment in May 2014.
NIST said that while SHA-2 -- specified in FIPS 180-4, Secure Hash Standard -- is still "secure and suitable for general use," SHA-3 will complement it and provide much-needed diversity. MD5 and SHA-1 were once widely used hash algorithms, but are now considered weak and are being replaced by SHA-2. Microsoft, for example, announced in 2005 that it was banning developers from using DES, MD4, MD5 and, in some cases, SHA-1 encryption algorithms in any functions. Although no attacks have yet been reported on SHA-2, it's algorithmically similar to SHA-1, hence the need for SHA-3, which is very different from SHA-2 in design. If attacks against SHA-2 suddenly become feasible, the industry has a replacement ready.
What SHA-3 has to offer
The SHA-3 family consists of four cryptographic hash functions based on an instance of the Keccak algorithm -- SHA3-224, SHA3-256, SHA3-384 and SHA3-512 -- and two extendable-output functions -- SHAKE128 and SHAKE256.
Extendable-output functions are different from hash functions because the output can be extended to any desired length, making them ideal for full domain hashing, randomized hashing, stream encryption and generating message authentication codes. In hardware implementations, Keccak was notably faster than all other finalists, and some of the SHA-3 functions can be implemented on a chip without requiring much additional circuitry.
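To make the difference between the fixed-length SHA-3 functions and the SHAKE extendable-output functions concrete, the following added example (not code from the article or from NIST) uses Python's standard hashlib, which has shipped SHA-3 and SHAKE since Python 3.6. The sample message is constructed for illustration; the functions check digest sizes, the prefix property of extendable output, the avalanche effect from a one-bit input change, and the domain separation that keeps SHA3-256 and SHAKE256 outputs distinct even though they share the same capacity.

```python
import hashlib

# Constructed sample input (not from the article).
MESSAGE = b"The quick brown fox jumps over the lazy dog"

# The four fixed-length members of the SHA-3 family (FIPS 202).
SHA3_FUNCS = {
    "SHA3-224": hashlib.sha3_224,
    "SHA3-256": hashlib.sha3_256,
    "SHA3-384": hashlib.sha3_384,
    "SHA3-512": hashlib.sha3_512,
}


def sha3_digest_sizes(data: bytes) -> dict:
    """Digest length in bits for each fixed-length SHA-3 function."""
    return {name: len(fn(data).digest()) * 8 for name, fn in SHA3_FUNCS.items()}


def shake_output(data: bytes, out_bytes: int, variant: str = "SHAKE256") -> bytes:
    """Squeeze an arbitrary number of bytes from a SHAKE extendable-output function."""
    fn = hashlib.shake_128 if variant == "SHAKE128" else hashlib.shake_256
    return fn(data).digest(out_bytes)


def shake_is_prefix_consistent(data: bytes, short: int, long: int) -> bool:
    """XOF property: a shorter output is a prefix of any longer output for the same input."""
    return shake_output(data, long)[:short] == shake_output(data, short)


def bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(data: bytes) -> float:
    """Flip one input bit and return the fraction of SHA3-256 output bits that change."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    d1 = hashlib.sha3_256(data).digest()
    d2 = hashlib.sha3_256(flipped).digest()
    return bit_difference(d1, d2) / (len(d1) * 8)


def same_input_different_functions(data: bytes) -> bool:
    """Domain separation: SHA3-256 and a 32-byte SHAKE256 output of the same input differ.

    Both use the same Keccak permutation and capacity (512 bits); the padding suffix
    defined in FIPS 202 is what keeps their outputs unrelated."""
    return hashlib.sha3_256(data).digest() != shake_output(data, 32)


if __name__ == "__main__":
    print(sha3_digest_sizes(MESSAGE))
    print("SHAKE256, 64 bytes:", shake_output(MESSAGE, 64).hex())
    print("avalanche ratio for a 1-bit change:", avalanche_ratio(MESSAGE))
```

Because a SHAKE output of any length is a prefix of every longer output, a consumer that stores a 32-byte digest today can later compare it against the first 32 bytes of a longer output from the same input.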
Getting ready for SHA-3
Realistically, widespread adoption of Secure Hash Algorithm-3 is probably five years away. A far greater priority for most enterprises is migrating from SHA-1 to SHA-2. Web masters must request new SHA-2 certificates to replace any that use SHA-1 and expire after Jan. 1, 2017; otherwise those certificates will not be trusted by Windows-based devices. SHA-1 code signing certificates without time stamps won't be accepted by Windows after Jan. 1, 2016.
Legacy systems that make SSL connections, as well as software and hardware -- such as games consoles, phones and embedded devices -- that rely on hard-coded certificates all need to be migrated to SHA-2 certificates. This may also mean having to update software if it is unable to support SHA-2 encryption.
Early adopters looking to add SHA-3 compliant capabilities into either hardware or software products can use Synopsys' DesignWare SHA-3 Look Aside Core or PMSF IT Consulting's SHA3 library. The latest version of the Keccak Code Package is in line with the SHA-3 standard and provides a number of standalone implementations.
Finally, to stay abreast of the Secure Hash Algorithm developments and the latest encryption best practices, be sure to follow the news and recommendations from standards bodies such as the National Institute of Standards and Technology.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He was also formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS). Cobb has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices.