The next Secure Hash Algorithm had better be a good one
New standard, expected to be named in 2012, will likely serve for 20 years
SAN FRANCISCO — The next Secure Hash Algorithm will be in service for at least 20 years, so the National Institute of Standards and Technology had better get it right, security experts said at the RSA Security Conference.
NIST is in the middle of a multi-year competition to select the next algortihm, which will become SHA-3, and is expected to finish in 2012. The algortithm will be used to protect government files.
Obeservers say SHA-3 will have to stand up to everything increasingly sophisticated hackers can throw at it for two decades. Because of the complexity and manpower required for the competitions, “it is unlikely there will be another competition (for SHA-4) before 2030,” said Prof. Bart Preneel of the Katholieke Unversiteit Leuven in Belgium.
Related: Cryptographic showdown, Round 2: NIST picks 14 hash algorithms
The job of selecting an algorithm robust enough to last that long is complicated by the length of time it takes to select it. “The winner in 2012 will reflect the state of the art in October 2012,” the deadline for submitting candidates, said Preneel, speaking at the conference.
Some observers say the selection process might be moving too quickly. Brian Snow, former National Security Agency technology director for information assurance, speaking on a cryptogrophy panel, said he would like to see the process slowed down.
“I support extending the SHA-3 process,” he said. The existing SHA-2 standard will last long enough to allow that. “I think they should pick three winners, not one, and spend several years studying them.”
Snow and Preneel expressed concerns that some good algorithms have been rejected in the initial weeding-out process, and that remaining candidates might not get a thorough shakedown before a final selection is made.
A hashing algorithm is a cryptographic formula for generating a unique, fixed-length numerical digest — or hash — of a message. A hash can be used to securely confirm that a document has not been altered because the contents of the message cannot be derived from the hash and the hash is, to a high degree of probability, unique for each message. Hashes can also be used to effectively sign an electronic document and link the signature to the contents.
SHA-3 will augment and eventually replace the algorithms now specified in Federal Information Processing Standard 180-2. The standard now uses SHA-1, which will be retired this year, and SHA-2, which is composed of SHA-224, SHA- 256, SHA-384 and SHA-512. Officials decided to open a competition for SHA-3 in 2007 after weaknesses were discovered in the existing algorithms.
Fifty-one algorithms were originally submitted, and they were winnowed to 14 in the first round of competition. Researchers now have begun looking for flaws in those candidates in Round 2. A final five will be selected late this year for the final round of competition.
The basic requirements for SHA-3 candidates are that they be publicly disclosed and available without royalties, work on a wide range of hardware and software platforms and support 224-, 256- and 512-bit encryption. They also must operate as quickly as the current SHA-2, but Preneel called that a “moving target,” because implementations of SHA-2 keep getting faster.
“I don’t think SHA-3 will be as blazingly fast” as earlier algorithms MD-4 and MD-5, which the original SHA resembled, he said.
Making a good hashing algorithm that is both secure and works fast is not a simple job. Once implemented, flaws and limitations have quickly appeared, Preneel said. As a result, “they are not as flexible and they are not as useful as we think they are.”
“Making a hash code is much harder than making a code book,” Snow said.