Feeds

US kicks off secure hash competition

Gentlemen, choose your algorithms

Protecting against web application threats using SSL

Dozens of amateur and professional cryptographers signed up last week for the United States' first open competition to create a secure algorithm for generating hashes - the digital fingerprints widely used in a variety of security functions.

The contest, run by the National Institute of Standards and Technology (NIST), seeks to find a strong replacement for the current family of hash functions, some of which have been shown to be cryptographically weaker than originally thought. The agency expected at least 40 proposals to be submitted by the Friday 31 October deadline.

Hash algorithms are very important functions in computer security. The algorithms can reduce a large data file - such as a Word document or e-mail message - to a simple, if sometimes long, number that can be used to identify the data, in the same way that fingerprints are used to identify humans. A good hash function gives a completely different result if the original file is changed even slightly. A variety of encryption and security functions use hashes, from integrity checks to digital signatures.

"They are probably the most widely used and least talked about operations in cryptography," said William Burr, manager of the security technology group for NIST. "We expect it to be an interesting and useful exercise, and we hope to find out a lot more about hash functions."

There are a number of hash functions in current use. Two early algorithms - MD4 and MD5 - are the basis for the current family of government-certified hashing algorithms, known as the secure hashing algorithms (SHA), and including SHA-0, SHA-1, and SHA-2, the latter which actually consists of four functions depending on the number of bits desired in the resulting hash.

Yet researchers have found practical attacks against MD4 and SHA-0, demonstrating the ability to generate "collisions," ways of creating two data files that result in the same hash. By forcing a collision, an attacker could, for example, create a modified version of a contract that appears to match - according to the hash - the original digitally-signed document. While SHA-1 can still not be practically attacked, the length of time it takes to find a collision has theoretically shrunk considerably. Cryptographers originally thought that a computer that could perform an attack calculation one million times every second would find a SHA-1 collision only once in 38 billion years, but in 2005, researchers found a way to produce a collision once every 19 million years and then shortened that to once every 300,000 years.

While no significant attacks have been found against SHA-2, NIST is not waiting. A year ago, the agency called for submissions for a proposed new hashing standard, SHA-3. By Friday, the deadline for entries, the agency expected to see nearly 40 proposals - many from teams of professional cryptographers. The submissions will be judged by NIST for mathematical soundness, the perceived randomness of the hash values, the computational and memory efficiency of the hash calculation and the flexibility of the algorithm.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.