
Now From Bruce Schneier, the Skein Hash Function

timothy posted more than 5 years ago | from the renaissance-man dept.

Security 139

An anonymous reader writes "Bruce Schneier and company have created a new hash function called Skein. From his blog entry: 'NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper."


what kind of function is that? (2, Funny)

Anonymous Coward | more than 5 years ago | (#25583381)

a skin rash function? WTF?!?

Good to see Bruce back (5, Funny)

CRCulver (715279) | more than 5 years ago | (#25583411)

I had long feared that the skilled cryptographer Bruce Schneier, author of Applied Cryptography [amazon.com], had been utterly replaced by Bruce Schneier the security consultant who peddles his wares in all of his recent lightweight publications. It's nice to see the cryptographer return.

Re:Good to see Bruce back (2, Funny)

melikamp (631205) | more than 5 years ago | (#25583705)

Actually, you got it all wrong. As anyone concerned with personal security, Bruce Schneier has a decoy [wikipedia.org].

Re:Good to see Bruce back (0, Troll)

ShieldW0lf (601553) | more than 5 years ago | (#25585203)

From the article:

One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.

This is funny. These two properties, discounting the redefinition of impossible, are mutually exclusive. If each message hashes to a unique value, and there are no collisions, then recreating the original message from the hash is as simple as putting a million monkeys to work writing a million works of gibberish and storing the hash and gibberish in a dictionary. If you instructed your monkeys to start from the smallest works of gibberish and work towards the longer works, your dictionary would be complete for any message whose length is equal to or less than the longest message in the dictionary.

So basically, this would mean a large number of the world's finest mathematicians are working tirelessly to create something that is by definition mathematically impossible.

Re:Good to see Bruce back (2, Funny)

FrangoAssado (561740) | more than 5 years ago | (#25585449)

So basically, this would mean a large number of the world's finest mathematicians are working tirelessly to create something that is by definition mathematically impossible.

Yes, discounting the redefinition of impossible, it would mean that. :-)

Re:Good to see Bruce back (1)

droopycom (470921) | more than 5 years ago | (#25587647)

Bruce Facts:

Bruce has done the impossible. Twice.

Re:Good to see Bruce back (1)

hal9000(jr) (316943) | more than 5 years ago | (#25585593)

Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.

This is a poor definition of the second property. In any function that has a fixed-length output, a collision is *guaranteed*. A 2^160 output is still finite!

The collision avoidance is that it is computationally infeasible to find, a-priori, two different inputs that will resolve to the same hash value.
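The pigeonhole point above, and the "million monkeys with a dictionary" argument earlier in the thread, can be made concrete by shrinking a real hash until brute force finishes in seconds. The following Python is an added example, not code from the post or from the Skein team; it truncates SHA-256 to n bits (an assumption made purely so the searches terminate) and measures how many trials a collision needs (about 2^(n/2), the birthday bound) versus a second preimage of a fixed document (about 2^n). The messages and the "original document" are constructed inputs.

```python
import hashlib


def trunc_hash(data: bytes, n_bits: int) -> int:
    """SHA-256 truncated to its first n_bits bits: a stand-in n-bit hash.

    Truncation keeps the construction real (it is still SHA-256 underneath)
    while shrinking the output space so that brute force finishes quickly.
    """
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - n_bits)


def find_collision(n_bits: int, max_trials: int = 1 << 20):
    """Birthday search: hash distinct messages until two share a value.

    The pigeonhole principle guarantees a collision after 2^n + 1 distinct
    inputs; the birthday paradox finds one after only about 2^(n/2) on average.
    Returns (m1, m2, trials) or None if max_trials is exhausted.
    """
    seen = {}
    for i in range(max_trials):
        m = b"message-%d" % i          # constructed, deterministic inputs
        h = trunc_hash(m, n_bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
    return None


def find_second_preimage(target: bytes, n_bits: int, max_trials: int = 1 << 24):
    """Brute-force search for a *different* message hashing to hash(target).

    This is the 'million monkeys with a dictionary' from the thread: with no
    structural weakness to exploit, each guess succeeds with probability 2^-n,
    so the expected cost is about 2^n trials, not 2^(n/2).
    Returns (message, trials) or None.
    """
    want = trunc_hash(target, n_bits)
    for i in range(max_trials):
        m = b"guess-%d" % i
        if m != target and trunc_hash(m, n_bits) == want:
            return m, i + 1
    return None


def expected_work(n_bits: int) -> tuple:
    """Rough expected trials for (collision, preimage) against an n-bit hash."""
    return 2 ** (n_bits // 2), 2 ** n_bits


if __name__ == "__main__":
    n = 16
    m1, m2, c_trials = find_collision(n)
    print(f"{n}-bit collision after {c_trials} trials: {m1!r} vs {m2!r}")
    m, p_trials = find_second_preimage(b"the original document", n)
    print(f"{n}-bit second preimage after {p_trials} trials: {m!r}")
    for bits in (16, 32, 64, 128, 160):
        coll, pre = expected_work(bits)
        print(f"{bits:>4} bits: ~2^{bits // 2} = {coll:.3e} for a collision, "
              f"~2^{bits} = {pre:.3e} for a preimage")
```

The table the script prints is the whole argument in numbers: at 16 bits both searches are trivial, at 160 bits the collision bound is about 10^24 trials and the preimage bound about 10^48, which is what "impossible" means in the quoted definition. It also shows why a hash that is "collision free" for a serious adversary has to keep its output well above twice the security level it is meant to offer.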

Re:Good to see Bruce back (1)

jonaskoelker (922170) | more than 5 years ago | (#25588255)

Re-read the definition of impossible that was given. It wasn't a one-shot definition.

Re:Good to see Bruce back (3, Insightful)

norminator (784674) | more than 5 years ago | (#25586863)

One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.

This is funny. These two properties, discounting the redefinition of impossible, are mutually exclusive. If each message hashes to a unique value, and there are no collisions, then recreating the original message from the hash is as simple as putting a million monkeys to work writing a million works of gibberish and storing the hash and gibberish in a dictionary. If you instructed your monkeys to start from the smallest works of gibberish and work towards the longer works, your dictionary would be complete for any message whose length is equal to or less than the longest message in the dictionary.

Hence Schneier's explanation of the word "impossible", which was "can't be done in a reasonable amount of time". The criterion for grading pretty much all encryption is whether it costs more in resources to break the encryption than what the decrypted information would be worth. Truly "impossible" encryption is an impossibility in and of itself. All you can do is make it not worth someone's time and effort to try to break it.

So you're right that the goal of cryptography (including hash functions) is contradictory, which means that some compromises must be made. The trick is finding how to make reasonable compromises so that you have a usable system that's still relatively secure (and Schneier is always the first to say that 'secure' is always relative).

That's why Joe Schmoe can't just make up his own encryption schemes and expect it to be secure, because it's hard work and takes a lot of understanding. That's why MD5 and SHA can't last forever. That's why they're taking proposals from smart people (excuse me, teams of people) like Schneier to come up with new hash methods, which will also have a limited lifespan as people find ways to break them.

All we can do is to come up with the best solution we can for now, and in a few years, we'll need something better.

Re:Good to see Bruce back (0)

Anonymous Coward | more than 5 years ago | (#25587233)

Hashes can be brute-forced, what a surprise..

Take a 1024-bit hash. How many values do you think you are going to have to bruteforce; how long do you think it is going to take?

Go learn something about computational complexity and cryptography.

Re:Good to see Bruce back (1)

pizza_milkshake (580452) | more than 5 years ago | (#25587807)

Yup, all you need to violate the second property over N slots is N+1 data per the Pigeonhole principle [wikipedia.org]. So the trick to temporarily satisfying the first property is making reversal of the algorithm just complex enough to be computationally infeasible for everyone except the NSA, and then storing the result in just enough slots to make it practically unlikely that a set of meaningful existing documents/data will collide.

Re:Good to see Bruce back (5, Interesting)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#25585145)

Would you prefer that he had remained a quiet researcher for the last decade? Would the world be better off if he had?

We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?

Celebrity has become a smear word, but smearing all celebrities reveals only our own inability to recognize true expertise and talent.

Re:Good to see Bruce back (1)

DerekLyons (302214) | more than 5 years ago | (#25587593)

We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?

When one has used one's celebrity status primarily to advance one's political beliefs and to lend unwarranted weight to claims in fields where one has no expertise - yes, it reduces the worth of the message because it calls into question the motives behind the message.

Time to get glasses (4, Funny)

smooth wombat (796938) | more than 5 years ago | (#25583483)

Read the title as "Skin Hash Function". For a moment, wasn't sure if this was a SFW article.

Re:Time to get glasses (3, Funny)

Phreakiture (547094) | more than 5 years ago | (#25583887)

Yeah, me too. I had wondered if there was some sort of cream you could put on it.

Re:Time to get glasses (4, Funny)

gardyloo (512791) | more than 5 years ago | (#25584335)

Of course! Or it gets the hose again.

Re:Time to get glasses (1)

Tmack (593755) | more than 5 years ago | (#25588117)

The Music Video [youtube.com] .... OT, but worth it. (A scene in it might be NSFW, otherwise just creepy.)

FYI: Skein is pronounced like vein (i.e. "skane") (3, Informative)

Anonymous Coward | more than 5 years ago | (#25583517)

Reference: http://www.merriam-webster.com/dictionary/skein [merriam-webster.com]

Re:FYI: Skein is pronounced like vein (i.e. "skane (3, Funny)

Anonymous Coward | more than 5 years ago | (#25583885)

Funny, your website indicates the star trek pronunciation \'Skhaaaaaaaaan\

Re:FYI: Skein is pronounced like vein (i.e. "skane (1)

tepples (727027) | more than 5 years ago | (#25585035)

Funny, your website indicates the star trek pronunciation \'Skhaaaaaaaaan\

It might in IPA, but Merriam-Webster's English-to-English dictionaries do not use IPA. Instead, they use a traditional English phonetic alphabet, where a-bar represents the "a" in "ace" or the "ey" in "they", spelled in X-SAMPA as [eI].

It's too bad Slashdot's character whitelist doesn't include anything with a macron; otherwise, this post would have been easier both to write and to read.

From the fpdf (4, Informative)

Bonker (243350) | more than 5 years ago | (#25583535)

Re:From the fpdf (0, Flamebait)

MrNaz (730548) | more than 5 years ago | (#25584869)

FPDF? That looks more like a FHTML file to me. I think that, if Bruce was really pro-community, he'd publish his writing in the FODF format.

On a side note, perhaps Slashdot could apply to the ISO to have its family of F* file formats registered.

Re:From the fpdf (1)

SpaceLifeForm (228190) | more than 5 years ago | (#25587723)

fpdf -> (fsoftware) -> fhtml

Hence, *from* the fpdf.

Hax (5, Interesting)

mfh (56) | more than 5 years ago | (#25583537)

I love hearing about new functions, but the fundamental growth of the security industry has me concerned for the well-being of my cat -- HR director for a large corporation that shall remain nameless (although they dabble in web security). The growth of industry standards like SHA typically stimulates additional growth in other market-based drives for change, and this is all pioneered by an industry that brought us the Y2K bug, which was a total success. We made millions and did so in an unapologetic fashion. Keep 'em coming!

Summary: I want more money, so keep hacking and we'll keep thinking up ways to protect people from ourselves.

Re:Hax (5, Funny)

The Clockwork Troll (655321) | more than 5 years ago | (#25584397)

Did you know your uid is a prime number when interpreted in base 7 or 11?

How do you sleep at night?

Re:Hax (1)

w_mute (40724) | more than 5 years ago | (#25586043)

> How do you sleep at night?

Do you really need to ask that of a no good 56er?

Re:Hax (0)

Anonymous Coward | more than 5 years ago | (#25588235)

You forgot base 1!

Re:Hax (1)

jonaskoelker (922170) | more than 5 years ago | (#25588301)

Did you know your uid is a prime number when interpreted in base 7 or 11? How do you sleep at night?

If he tells anyone about it, chances are the answer is "lonely".

Answer to Life, the Universe, and Everything (2, Funny)

mfh (56) | more than 5 years ago | (#25588579)

Did you know your uid is a prime number when interpreted in base 7 or 11?

It's also the Answer to Life, the Universe, and Everything (once you adjust for inflation, from 42).

A likely story (5, Funny)

Anonymous Coward | more than 5 years ago | (#25583603)

How do we know he's not just spinning a good yarn here?

Re:A likely story (4, Informative)

apathy maybe (922212) | more than 5 years ago | (#25584131)

For those who didn't know and can't be bothered to even skim the PDF, the first footnote says:

A “skein”—pronounced \skān\ and rhymes with “rain”—is a loosely coiled length of yarn or thread wound on reel.

Of course, the copy and paste doesn't quite do it justice.

(I blame Slashcode.)

What the hell is Threefish (3, Interesting)

ciroknight (601098) | more than 5 years ago | (#25583619)

Certainly it's related to Blowfish and Twofish, but I cannot find word one on Threefish outside of this document. Anyone care to explain for some good karma?

Re:What the hell is Threefish (5, Informative)

TorKlingberg (599697) | more than 5 years ago | (#25583803)

Threefish is the name of the block cipher part of Skein.

Re:What the hell is Threefish (1)

ciroknight (601098) | more than 5 years ago | (#25583843)

Your powers of deduction are amazing Holmes.

Re:What the hell is Threefish (1)

oni (41625) | more than 5 years ago | (#25584769)

Torklingberg's point is that you shouldn't expect to find word one about threefish. It's just been published in this paper. Who could possibly be talking about it, psychics?

Re:What the hell is Threefish (1)

ciroknight (601098) | more than 5 years ago | (#25584857)

No, his point was in its entirety: "Threefish is the name of the block cipher part of Skein."

Which is pretty much what I got from reading the introduction to said paper. My question was posited to discover why there was no information on it, which was more completely answered by later replies, which stated it was just published as a part of this paper; nobody has had time to run any independent cryptanalysis on it.

Re:What the hell is Threefish (3, Insightful)

Legion_SB (1300215) | more than 5 years ago | (#25585229)

Threefish is the name of the block cipher part of Skein.

I thought Redfish and Bluefish came after Twofish.

Re:What the hell is Threefish (1, Funny)

Anonymous Coward | more than 5 years ago | (#25583943)

What the hell is Threefish

A 50% improvement over Twofish?

Re:What the hell is Threefish (5, Informative)

dnwq (910646) | more than 5 years ago | (#25584019)

Schneier, responding to 'shadowfirebird's comment on his blog:

"Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken." Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then. I think your intertubes are clogged.

From the article (3, Informative)

joeflies (529536) | more than 5 years ago | (#25584029)

you're asking a recursive question - it was announced in the paper. The following is a blog post from the comments section.

Quoted from the comments section

"Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken."

Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then.

I think your intertubes are clogged.

Posted by: Bruce Schneier at October 30, 2008 7:24 PM

Re:From the article (1)

ciroknight (601098) | more than 5 years ago | (#25584271)

I normally don't read comments on random blogs, so I missed this piece of (important) trivia. Thanks.

Re:From the article (1)

gnud (934243) | more than 5 years ago | (#25585073)

You don't read random blogs, but comment on stories about papers published in said blog.
Yay.

Re:From the article (3, Insightful)

ciroknight (601098) | more than 5 years ago | (#25585539)

Slashdot is more of a general forum for discussion, whereas blogs typically are not. Slashdot has a better set of regular contributors and more even opinions on topics than most blogs do (due to intellectual and geographic and other biases). There are a lot of advantages to discussing things on Slashdot, like having comments prefiltered and screened for content worth reading and adjustable filters to keep the noise floor low.

I could go on, but hopefully I've made my point.

Re:From the article (1)

babyrat (314371) | more than 5 years ago | (#25587211)

I don't think you understand the point - 'His' in the case above refers to Bruce Schneier one of the authors of the paper.

The paper was announced in his (Bruce Schneier's) blog.

That particular blog can hardly then be referred to as a 'random' blog. It is more specifically the exact blog that announced the paper that you read.

Re:What the hell is Threefish (4, Funny)

andrewd18 (989408) | more than 5 years ago | (#25584313)

Personally, I'm waiting for the cypher built on Onefish, Twofish, Redfish, and Bluefish.

the algorithm's no good (2, Funny)

BitterAndDrunk (799378) | more than 5 years ago | (#25584573)

Not enough rhyming collisions

Quick trick function stack (5, Funny)

TiggertheMad (556308) | more than 5 years ago | (#25585051)

Personally, I'm waiting for the cypher built on Onefish, Twofish, Redfish, and Bluefish.

I do not like it encrypting my stocks,
I do not like it securing my box,
I do not like it, sam-I-am.

Re:What the hell is Threefish (4, Funny)

Mister Whirly (964219) | more than 5 years ago | (#25584639)

or what about Redfish and Bluefish?

Re:What the hell is Threefish (1)

hesaigo999ca (786966) | more than 5 years ago | (#25585707)

If you take the redfish, you can go back to your previous life,
but if you take the bluefish you ......

Re:What the hell is Threefish (2, Funny)

redF1sh (1055032) | more than 5 years ago | (#25585845)

If you take the redfish, you can go back to your previous life...

Hey, leave me alone!

Re:What the hell is Threefish (1)

steelfood (895457) | more than 5 years ago | (#25588363)

The Cat in the Hat fed 'em to Thing 1 and Thing 2 for breakfast.

Re:What the hell is Threefish (1)

STrinity (723872) | more than 5 years ago | (#25586653)

Threefish is to Twofish as Dreadfish is to Blowfish.

Bruce should go to Washington (4, Insightful)

multiOSfreak (551711) | more than 5 years ago | (#25583659)

Bruce is the friggin' man. He ought to get some kind of advisory role in the next administration. I think his views on security in general would help straighten out a lot of FUD...assuming that anyone in Washington would actually listen to him, that is. :)

Re:Bruce should go to Washington (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25584521)

Didn't Bruce leave the NSA because he saw that the NSA was irreformably dedicated to violation of privacy for political gain, regardless of the pressure honest politicians put on it to stick to legitimate national security concerns?

Re:Bruce should go to Washington (1)

daem0n1x (748565) | more than 5 years ago | (#25586641)

politicians => ~honest

|Politicians|Honest|Result|
| f | f | t |
| f | t | t |
| t | f | t |
| t | t | f |

Honest politicians is a logical incoherence.

Bruce shouldN'T go to Washington (1)

widman (1107617) | more than 5 years ago | (#25584887)

BS made a good starters book, but with many errors. BS is not taken seriously in cryptography circles. I appreciate his work on pushing freedom for cryptography exports in the US, but all his other work is irrelevant and gets publicity from his gestalt of self promotion.

Bruce Schneier Facts (4, Funny)

brunes69 (86786) | more than 5 years ago | (#25585065)

There are no finite state machines. There are only a series of states that Bruce Schneier allows to exist.

Bruce Schneier can tell you where to find your GPG key into the digits of PI.

Bruce Schneier owns a chicken that lays scrambled eggs. Whenever he wants a hard-boiled egg, he just unscrambles one.

SHA = "Schneier has access" SHA2 = "Schneier has access - and a spare too"

When transmitted over any socket, Bruce Schneier's public key causes libpcap to enter an infinite malloc loop.

Bruce Schneier knows Alice and Bob's shared secret.

Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

Bruce Schneier knows the state of Schrödinger's cat.

When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.

Bruce Schneier once decrypted a box of AlphaBits.

http://geekz.co.uk/schneierfacts/ [geekz.co.uk]

Re:Bruce should go to Washington (1)

viridari (1138635) | more than 5 years ago | (#25585451)

Bruce is the friggin' man. He ought to get some kind of advisory role in the next administration.

I'll talk to Bob [bobbarr2008.com] and see what we can do for Bruce.

Sounds good, but MD5 et al. still have a place (5, Informative)

apathy maybe (922212) | more than 5 years ago | (#25583879)

Disclaimer: I'm not a cryptographer, and I'm not a professional (anything). This post is based on my understanding, which may be wrong. Corrections accepted and welcomed.

Yes, MD5 [wikipedia.org] is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.

However, this is not the only use for hash functions. Hash functions are also used to obscure passwords. "Wait", I hear you say, "what about rainbow tables?". Wikipedia says (from the link above)

Recently, a number of projects have created MD5 "rainbow tables" which are easily accessible online, and can be used to reverse many MD5 hashes into strings that collide with the original input, usually for the purposes of password cracking. However, if passwords are combined with a salt before the MD5 digest is generated, rainbow tables become much less useful.

That's right folks, if you know what you are doing, you can still use MD5.

Basically, you have to salt your passwords before storing them in the DB (in case the DB gets broken into), send the original salt, and another (random) salt along with the login page, make sure that everyone hashes in the correct order and compare. Simplified, but I'm sure you're all intelligent enough to find what I'm talking about.

Voilà, a safe method of using MD5. (As far as I know, there is still no way to convert an MD5 hash back into the original text, or even a possible original text without using a Rainbow table [wikipedia.org].)

-----

That said, new hashing methods are always welcome. Especially when it comes to things like checksums. (I can't believe some websites still rely on MD5...)
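The salted challenge-response login sketched in the post ("salt your passwords before storing them, send the original salt and another random salt along with the login page, hash in the correct order and compare") can be written out in a few dozen lines. The Python below is an added example written for this page, not the poster's code and not Paul Johnston's library; it assumes SHA-256 as the hash (the post discusses MD5, and the scheme itself is hash-agnostic), a per-attempt nonce that is consumed on first use, and a constructed user and password.

```python
import hashlib
import hmac
import os

HASH = "sha256"   # assumption of this example; the post's scheme works the same with any hash


def H(*parts: bytes) -> bytes:
    """Hash the concatenation of parts with the configured algorithm."""
    h = hashlib.new(HASH)
    for p in parts:
        h.update(p)
    return h.digest()


class PasswordServer:
    """Stores only (salt, H(salt || password)) and verifies nonce-based responses."""

    def __init__(self):
        self.db = {}        # username -> (salt, H(salt || password))
        self.pending = {}   # username -> nonce issued for the login attempt in flight

    def register(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)                      # per-user salt: a rainbow table built for one user is useless for another
        self.db[user] = (salt, H(salt, password))

    def login_page(self, user: str):
        """Return (salt, nonce) for the login form. Unknown users get random
        values too, so the page does not reveal which accounts exist."""
        salt = self.db[user][0] if user in self.db else os.urandom(16)
        nonce = os.urandom(16)                     # fresh per attempt: a captured response cannot be replayed
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)       # single use: the nonce is gone after one check
        if nonce is None or user not in self.db:
            return False
        _, stored = self.db[user]
        return hmac.compare_digest(H(nonce, stored), response)   # constant-time comparison


def client_response(password: bytes, salt: bytes, nonce: bytes) -> bytes:
    """What the login page's script computes: H(nonce || H(salt || password))."""
    return H(nonce, H(salt, password))


def demo() -> dict:
    """Run the four cases a reviewer would check: correct login, replay,
    wrong password, and an old response against a fresh nonce."""
    server = PasswordServer()
    server.register("alice", b"correct horse battery staple")   # constructed credentials
    salt, nonce = server.login_page("alice")
    good = client_response(b"correct horse battery staple", salt, nonce)
    ok = server.verify("alice", good)
    replayed = server.verify("alice", good)          # same response again: nonce already consumed
    salt, nonce = server.login_page("alice")
    wrong = server.verify("alice", client_response(b"wrong password", salt, nonce))
    salt, nonce = server.login_page("alice")
    stale = server.verify("alice", good)             # old response against a new nonce
    return {"correct": ok, "replay": replayed, "wrong_password": wrong, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

What this protects against is an eavesdropper on the login page and a rainbow table built without the salt. What it does not change, and what a reader should weigh before copying the design: the stored value H(salt || password) is by itself enough to compute a valid response, so a copied database is a credential database for this protocol, and a fast hash with a salt still lets whoever holds that database test candidate passwords at full speed. Those are the reasons current practice puts the password on the wire over TLS and hashes it server-side with a deliberately slow function.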

Re:Sounds good, but MD5 et al. still have a place (1)

jhol13 (1087781) | more than 5 years ago | (#25584059)

MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.

Whirlpool, for example, is much, much better and more secure.

Re:Sounds good, but MD5 et al. still have a place (1)

apathy maybe (922212) | more than 5 years ago | (#25584263)

Umm, do you know of a free (pref. BSD-style without ad. clause licensed) JavaScript implementation of Whirlpool? Because I know of one for MD5. Namely Paul Johnston's JavaScript MD5 [pajhome.org.uk].

From that site:

The use of MD5 or SHA-1 for most JavaScript purposes (e.g. challenge-response login) does not rely on the collision resistance property. These weaknesses do not create any vulnerability in such web sites and there is no need to panic. If these weaknesses do concern you, there are alternative algorithms available:

Wait, that's what I said!

(Oh, and while on the subject, Building a CHAP Login System [devarticles.com].)

Re:Sounds good, but MD5 et al. still have a place (2, Insightful)

Waffle Iron (339739) | more than 5 years ago | (#25584539)

MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.

Well, I still use it as a replacement for cksum to make checksum files for DVDs and the like (which is not a security critical task). It runs marginally faster than cksum (and much faster than sha1sum) on my machine, and the 'md5sum -c' option lets me conveniently verify whole directory trees.

Re:Sounds good, but MD5 et al. still have a place (5, Informative)

tangent3 (449222) | more than 5 years ago | (#25584143)

Yes, MD5 [wikipedia.org] is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

Wrong.
The MD5 attacks demonstrated are collision attacks [wikipedia.org] - attacks where you generate two datasets that hash to the same MD5 hash.

What you are describing is a Preimage attack [wikipedia.org]. Finding a dataset that has the same MD5 hash as an existing dataset is a different attack which is many orders of magnitude harder than a collision attack, and AFAIK, has so far not been demonstrated for MD5.

Re:Sounds good, but MD5 et al. still have a place (3, Interesting)

MostAwesomeDude (980382) | more than 5 years ago | (#25584285)

If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.

Thus, it's quite easy to craft preimages, if you're not really concerned with the contents of the resulting payload.

Now, if given MD5(a), it's not (yet) possible to craft a possible payload "a", but I'm sure it'll be figured out soon.

Re:Sounds good, but MD5 et al. still have a place (1)

gnud (934243) | more than 5 years ago | (#25585173)

All payloads x with md5(x) = md5(a) are possibly = a. A computer really can't do much better than that.

Re:Sounds good, but MD5 et al. still have a place (1)

evanbd (210358) | more than 5 years ago | (#25586421)

That's still just a collision, not a preimage. The definition of a preimage attack is the ability to go from MD5(x1) to x2 such that MD5(x2) == MD5(x1). The fact that you can generate additional collisions once you've found the first has no (direct) bearing on your ability to work backwards. In order for your concatenation process to be useful, you somehow have to generate a and b such that one of them is the same as the start of your message text -- the current collision attacks give you very little control over either a or b, they simply produce a pair that's useful.

Re:Sounds good, but MD5 et al. still have a place (1)

Chris Burke (6130) | more than 5 years ago | (#25587213)

If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.

The difference between a collision and a preimage attack is that in a collision, "a", "b", and "c" are all of your own design, while in a pre-image attack, "a" is a pre-existing document and you want to create a second document "b", that results in the same hash.

It's much easier to find two arbitrary payloads which collide than it is to start with a fixed payload and then find another payload which collides with it.

Re:Sounds good, but MD5 et al. still have a place (1)

afidel (530433) | more than 5 years ago | (#25584333)

Correct, and getting a preimage attack that generates a useful binary that collides with the original and has the same size would still be extremely difficult even if a broader preimage attack was known.

Re:Sounds good, but MD5 et al. still have a place (1)

apathy maybe (922212) | more than 5 years ago | (#25584387)

Oooh... Umm... Err...

My mistake? Give the person a cookie for picking up on it.

(I must have misremembered my reading.)

So, do any of the commonly used hash functions have a preimage attack demonstrated for them?

Re:Sounds good, but MD5 et al. still have a place (1)

alabandit (1024941) | more than 5 years ago | (#25584451)

But if they get your password, they most likely have your salt, and then "a few minutes later on a modern computer" we're back at the drawing board ;) Haven't read his method, but if you're serious about security, leave MD5 alone.

Re:Sounds good, but MD5 et al. still have a place (1)

Hatta (162192) | more than 5 years ago | (#25584549)

You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.

If you're worried about people tampering with your data, you shouldn't use any checksum. Sign it with PGP.

If you just want to check that your download didn't corrupt, MD5 is still fine for that purpose.

Re:Sounds good, but MD5 et al. still have a place (2, Insightful)

theapeman (1068448) | more than 5 years ago | (#25584991)

And how do you think PGP signs something? It takes a checksum of it (hopefully avoiding md5) and passes that through the signature algorithm (RSA or something similar). So you can't avoid the checksum (hash function) by using PGP.

Re:Sounds good, but MD5 et al. still have a place (1)

Hatta (162192) | more than 5 years ago | (#25585283)

To create a valid PGP signature, the attacker needs your private key. To create a valid checksum, all they have to do is run their bad data through the checksum algorithm and replace the checksum.txt file or whatever. Clearly one is much more secure than the other.

But in a strictly pedantic sense, you are correct. I should have said, "don't use checksums only".

Re:Sounds good, but MD5 et al. still have a place (0)

Anonymous Coward | more than 5 years ago | (#25586295)

Man, I hope you don't try to implement "secure solutions" for anyone.

Everyone else on this thread is talking about attacks on hash algorithms to fool people into accepting bogus data that will pass the hash test. This works against PGP signatures just as well, if the attack is available for the hash algorithm used in the signature. The signature helps convey the hash value to the user securely, over insecure channels, but does not make the hash value more effective at screening for corrupt data.

Nobody else is talking about attacks on hash verification where you substitute a different hash value in the distribution channel and fool the user into believing it is valid. This is of course trivial with EVERY hash algorithm that will ever exist.

Re:Sounds good, but MD5 et al. still have a place (0)

Anonymous Coward | more than 5 years ago | (#25587507)

But that doesn't gain anything, as they will just attack at the weak link: make a new payload with a hash collision so the hash is the same, and then use your signed hash (which is also the correct hash for the new payload, per definition of "hash collision") with their payload.

You just gained nothing vs. the attack discussed.

Of course, if you don't use private-key signing, they can pull a MITM attack by replacing the data and the hash with an arbitrary payload and its hash, but that wasn't under discussion. (And is obvious.)
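Two threads above can be run as one experiment: the claim that MD5(a) == MD5(b) implies MD5(a + c) == MD5(b + c), with the replies pointing out that a and b are whatever the collision search hands you rather than a document of your choosing, and the point here that a signature computed over the hash of a verifies equally for b. The Python below is an added example, not code from any poster and not an MD5 collision (the real MD5 collision blocks are not reproduced here); it builds a toy Merkle-Damgård hash with a 20-bit chaining value (an assumption chosen so a collision is findable by birthday search), finds two colliding single blocks, and checks the extension and signature consequences. A keyed HMAC over the digest stands in for the RSA signature; what matters for the demonstration is only that the signature covers the hash, not the message.

```python
import hashlib
import hmac

STATE_BITS = 20   # chaining-value width; small enough that collisions are findable by search
BLOCK = 8         # message block size in bytes
IV = 0            # fixed initial chaining value


def compress(state: int, block: bytes) -> int:
    """Toy compression function: SHA-256 over (state || block), truncated to STATE_BITS."""
    assert len(block) == BLOCK
    data = state.to_bytes(4, "big") + block
    word = int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
    return word >> (32 - STATE_BITS)


def toy_md(msg: bytes) -> int:
    """Merkle-Damgard hash: pad with 0x80, zeros and an 8-byte bit length, then chain compress()."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    padded += (len(msg) * 8).to_bytes(8, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state


def find_block_collision(max_trials: int = 1 << 16):
    """Birthday search for distinct single blocks a != b with compress(IV, a) == compress(IV, b).

    This is a collision attack in the thread's sense: the attacker gets a pair,
    but neither a nor b is a document of the attacker's choosing. Turning a
    chosen document into a collision partner would be a (second-)preimage.
    """
    seen = {}
    for i in range(max_trials):
        block = i.to_bytes(BLOCK, "big")      # constructed candidate blocks
        h = compress(IV, block)
        if h in seen:
            return seen[h], block
        seen[h] = block
    return None


def sign(key: bytes, msg: bytes) -> bytes:
    """Stand-in for a PGP-style signature: only toy_md(msg) enters the tag.
    HMAC over the digest is an assumption of this example, not OpenPGP's construction."""
    digest = toy_md(msg).to_bytes(4, "big")
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), tag)


if __name__ == "__main__":
    a, b = find_block_collision()
    print("colliding blocks:", a.hex(), b.hex())
    suffix = b"...the remainder of the document"
    # Same length and same chaining state after block one, so the padding and
    # every later block are identical: the collision survives any shared suffix.
    print("H(a+c) == H(b+c):", toy_md(a + suffix) == toy_md(b + suffix))
    key = b"signer-key"
    tag = sign(key, a + suffix)
    print("signature over a+c verifies for b+c:", verify(key, b + suffix, tag))
```

The extension holds because a and b are the same length and sit at the same block boundary, so the chaining value after the first block is identical and everything that follows (including the length padding) is the same for both inputs; a colliding pair of different lengths would not give this. The last line is the AC's point in code: the signing key never saw a or b, only one hash value, so whoever can produce the colliding pair can have either member signed by getting the other one signed.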

Re:Sounds good, but MD5 et al. still have a place (1)

m50d (797211) | more than 5 years ago | (#25584589)

Voilà [sic, thanks slashdot], a safe method of using MD5. (As far as I know, there is still no way to convert an MD5 hash back into the original text, or even a possible original text without using a Rainbow table.)

Safe for now, sure. But for how long? MD5 is crumbling, yes it's crumbling slowly, but once an algorithm has been shown to have flaws it usually collapses entirely not that long after. Worse, in the academic world the difference between "perfect" and "imperfect" matters a lot more than the difference between "partially broken" and "fully broken" - so now that it's been shown to have serious flaws, the people most interested will not be the academics but the criminals and the spies. Paranoid though it may seem, it's not at all unreasonable to believe that the NSA et al. or even your favourite organized crime syndicate have broken MD5 more thoroughly than has been done in published papers.

That MD5 hasn't been completely broken only means there's no need to panic-drop existing systems. For any new system being written today, MD5 shouldn't even be under consideration.

Re:Sounds good, but MD5 et al. still have a place (0)

Just Some Guy (3352) | more than 5 years ago | (#25584605)

salt

No amount of salt makes a broken algorithm un-broken. Imagine the trivial case where the output of a hash function is the unmodified input. The salt wouldn't do a lot, would it?

Well, MD5 is broken [wikipedia.org] . Given that there are freely available alternatives not known to be broken, it's utterly irresponsible to endorse MD5.

Re:Sounds good, but MD5 et al. still have a place (1)

SatanicPuppy (611928) | more than 5 years ago | (#25585157)

Mostly secure isn't good enough. There is no reason to continue using MD5; it's not like there aren't better alternatives, and it's not like it's growing more secure with time.

Re:Sounds good, but MD5 et al. still have a place (1)

marcosdumay (620877) | more than 5 years ago | (#25585501)

"I'm not a cryptographer"

Well, thank God for that. First, MD5 is not broken the way you say it is. Yes, it is broken, but you can't just create a string that will have a wanted hash. Maybe you'll be able to in the near future, but you can't do that now.

Second, salt won't save a broken hash. Salting will protect you when you use an (unbroken) hash function against a big set of data. Without salting there is a big chance of any random value being in your set of hashes. A collateral effect of salting is that it will make dictionary attacks a bit slower (avoiding the use of a rainbow table), but that is not very important, since it is only a proportional speedup.

Finally, MD5 is quite ok for checksums. It will make sure your download is not corrupt and, being as fast as it is, will not be a burden to your system. That new Skein algorithm does look better, but there is no rush to replace MD5 here.

Now, I'm not a cryptographer either. But I do know a thing or two.
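Added example (not part of any comment in this thread, and not code from the Skein team): the salt point made in the two comments above, shown in runnable Python. Identical passwords are visible in an unsalted table and a single precomputed wordlist table cracks every unsalted entry at once, while per-account salts hide duplicates and force the work to be redone per account. The last part uses the thread's "output equals input" toy hash to show that salting a broken hash recovers nothing. The account names, passwords, wordlist and PBKDF2 round count are constructed for the demo.

```python
import hashlib
import os

# Constructed sample data for the demo (not from the thread): three accounts,
# two of which chose the same password, and a tiny wordlist an attacker might
# have precomputed hashes for.
USERS = {"alice": b"hunter2", "bob": b"hunter2", "carol": b"correct horse battery"}
WORDLIST = [b"123456", b"password", b"hunter2", b"letmein"]
PBKDF2_ROUNDS = 50_000  # demo value; production settings are tuned per deployment


def unsalted_hash(pw: bytes) -> bytes:
    """Plain hash of the password: identical passwords give identical output."""
    return hashlib.sha256(pw).digest()


def salted_hash(pw: bytes, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256); the salt is stored
    next to the result so the same value can be re-derived at login."""
    return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS)


def store_unsalted(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Each account gets its own random 16-byte salt; entries are (salt, hash)."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def distinct_count(values) -> int:
    """Number of distinct stored values. Fewer than the number of accounts
    means equal passwords are visible to anyone who sees the table."""
    return len(set(values))


def precomputed_table(wordlist) -> dict:
    """One table, built once, reusable against every unsalted database."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(store: dict, wordlist) -> dict:
    """Look every stored hash up in the precomputed table."""
    table = precomputed_table(wordlist)
    return {u: table[h] for u, h in store.items() if h in table}


def crack_salted_with_same_table(store: dict, wordlist) -> dict:
    """The same precomputed table against salted entries finds nothing: the
    hashing has to be redone per salt, i.e. per account."""
    table = precomputed_table(wordlist)
    return {u: table[h] for u, (_salt, h) in store.items() if h in table}


def broken_hash(data: bytes) -> bytes:
    """The thread's trivial 'broken' hash: the output is the unmodified input."""
    return data


def salted_broken_hash(pw: bytes, salt: bytes) -> bytes:
    return broken_hash(salt + pw)


def recover_from_salted_broken(stored: bytes, salt: bytes) -> bytes:
    """Salt cannot repair a broken hash: with an identity 'hash' the password
    is sitting right behind the salt."""
    return stored[len(salt):]


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("distinct unsalted hashes:", distinct_count(plain.values()), "of", len(USERS))
    print("distinct salted hashes:  ", distinct_count(h for _, h in salted.values()), "of", len(USERS))
    print("cracked unsalted with table:", crack_unsalted(plain, WORDLIST))
    print("cracked salted with same table:", crack_salted_with_same_table(salted, WORDLIST))
    salt = os.urandom(16)
    print("broken hash + salt recovers:", recover_from_salted_broken(salted_broken_hash(b"hunter2", salt), salt))
```

Running the file prints two distinct hashes out of three for the unsalted store, three out of three for the salted one, two accounts cracked by the table in the unsalted case and none in the salted case, and the password read straight back out of the salted "broken" hash.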

Re:Sounds good, but MD5 et al. still have a place (1)

John Hasler (414242) | more than 5 years ago | (#25585797)

> You should thus not use MD5 to authenticate documents and other data as being
> "not-tampered with". As a checksum algorithm, it should not be used.

As a security checksum algorithm, it should not be used. There are other uses for checksums.

Re:Sounds good, but MD5 et al. still have a place (4, Funny)

Lord Ender (156273) | more than 5 years ago | (#25585839)

Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

That isn't even remotely true. MD5 has been demonstrated to be easier to break than advertised, therefore it is wise to use better hashes. But when I say "better than advertised" I'm saying defeating a good hash is about as easy as any of us getting Angelina Jolie in the sack; but someone has discovered a trick that makes defeating MD5 about as easy as bagging Paris Hilton. For all practical purposes, none of us will achieve either, but Paris is still no Angelina Jolie...

experts (2, Insightful)

flynt (248848) | more than 5 years ago | (#25584065)

Cryptography: Unique in computing in that it is a field where the so-called experts really are experts

--modified from Jack Handy

Its a trap! (1)

FunkyELF (609131) | more than 5 years ago | (#25584219)

first line of the pdf.... Niels Ferguson Microsoft Corp., niels@microsoft.com

Re:Its a trap! (-1)

Anonymous Coward | more than 5 years ago | (#25584659)

Lots of people work for Microsoft who aren't evil. It's mainly just the administration and its policies, but there are a few developers there who are rather corrupt as well.

Microsoft was once known for the number of doctoral students they'd hire straight out of school, similar to how Google is known now.

Wrong numbers? (0)

Anonymous Coward | more than 5 years ago | (#25584257)

from TFA:

"If you hashed 2^80 random messages, you'd find one pair that hashed to the same value. That's the "brute force" way of finding collisions, and it depends solely on the length of the hash value."

Seems to me like the Birthday Problem http://en.wikipedia.org/wiki/Birthday_problem [wikipedia.org] says this is incorrect, and you'd require 2^80

Or is that assuming a Birthday hit?
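Added example (not part of any comment in this thread, and not code from the Skein team) covering two points raised above: the birthday question in this comment, and the earlier exchange about whether signing a hash helps when the hash itself admits collisions. The code uses a deliberately truncated SHA-256 as a stand-in for a weak hash (the truncation, not SHA-256, is what makes collisions cheap), measures how many hashes a collision takes against the birthday estimate sqrt(pi/2 * 2^n), which for a 160-bit output is about 2^80, and then shows that a MAC computed over the digest (an assumption standing in for a PGP signature, which likewise covers only a digest of the data) verifies both colliding messages. All messages and the key are constructed.

```python
import hashlib
import hmac
import math
import os


def trunc_hash(data: bytes, bits: int) -> int:
    """Toy hash for the demo: the leading `bits` bits of SHA-256.

    Truncating to a short output is what makes collisions cheap here; it is an
    assumption standing in for a hash that is 'broken', not a weakness of SHA-256.
    """
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_trials(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**bits) random inputs until the first
    collision. For a 160-bit output that is on the order of 2**80, not 2**160."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, seed: int = 0):
    """Hash distinct constructed messages until two share a truncated digest.

    Returns (number_of_hashes_computed, msg_a, msg_b). The messages are all
    different by construction, so any repeated digest is a genuine collision.
    """
    seen = {}
    i = 0
    while True:
        msg = f"constructed-message-{seed}-{i}".encode()
        h = trunc_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1


def average_trials(bits: int, runs: int) -> float:
    """Empirical mean of birthday_collision() over independent runs, for
    comparison against expected_trials()."""
    return sum(birthday_collision(bits, seed)[0] for seed in range(runs)) / runs


def sign_digest(key: bytes, data: bytes, bits: int) -> bytes:
    """Stand-in for 'sign the hash': a MAC over the (truncated) digest only.

    A real PGP signature also covers a digest of the data rather than the data
    itself; using HMAC here is an assumption that keeps the demo in the stdlib.
    """
    digest = trunc_hash(data, bits).to_bytes((bits + 7) // 8, "big")
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify_signed(key: bytes, data: bytes, sig: bytes, bits: int) -> bool:
    return hmac.compare_digest(sign_digest(key, data, bits), sig)


def signature_transfers_to_collision(bits: int = 24) -> bool:
    """The weak-link argument from the thread: the publisher signs message A;
    because B collides with A under the hash, the same signature verifies B."""
    key = os.urandom(32)  # publisher's signing key (constructed)
    _, a, b = birthday_collision(bits)
    sig = sign_digest(key, a, bits)
    return a != b and verify_signed(key, b, sig, bits)


if __name__ == "__main__":
    bits = 24
    n, a, b = birthday_collision(bits)
    print(f"{bits}-bit truncated hash: collision after {n} hashes "
          f"(birthday estimate {expected_trials(bits):.0f})")
    print("signature over A also verifies B:", signature_transfers_to_collision(bits))
```

The collision count for a 24-bit output lands in the low thousands, near the estimate, rather than anywhere near 2^24; the same arithmetic applied to 160 bits gives the 2^80 figure from the article. The verification result is the practical reading of the exchange above: a signature pins the digest to the publisher, so it stops someone swapping in a different hash value in transit, but it adds nothing against an attacker who can produce a second input with the same digest.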

Bearforce Schneier? (1)

LotsOfPhil (982823) | more than 5 years ago | (#25584405)

Am I the only one that looks at Bruce [schneier.com] and thinks Bearforce1? [bearforce1.nl]

Re:Bearforce Schneier? (3, Funny)

LotsOfPhil (982823) | more than 5 years ago | (#25584557)

Oh, please don't click on the Bearforce link with your speakers turned on/up. Sorry!

Re:Bearforce Schneier? (1)

gnud (934243) | more than 5 years ago | (#25585287)

Lord, we thank thee for flashblock.

mod Up (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25584569)

Hashes collide.. (1)

Sloppy (14984) | more than 5 years ago | (#25584963)

..when they swerve to avoid Bruce Schneier!

Skein, (3, Interesting)

popeye44 (929152) | more than 5 years ago | (#25585037)

Oh what a Tangled Skein we weave.
When we first practice to Deceive.

A new hash has been designed
With File Security firm in mind.

With Threefish this Skein will defeat
Those who would infect and mistreat

One fish two fish red fish blue fishes
Kiss my ass you scummy soap dishes. :-]
Signed, Dr. Pseussdonym.


Why use Skein-512 at all? (0)

Anonymous Coward | more than 5 years ago | (#25585225)

From the pdf:

Skein-1024 is our ultra-conservative variant. Because it has twice the internal-state size of Skein-512, it is failure friendly; even if some future attack managed to break Skein-512, it is quite likely that Skein-1024 would remain secure. Skein-1024 can also run nearly twice as fast as Skein-512 in dedicated hardware implementations.

Can someone who understands this explain why you would ever use Skein-512 instead of Skein-1024?

Re:Why use Skein-512 at all? (1)

mike.rimov (1148959) | more than 5 years ago | (#25586525)

Resource limited circuits such as smart cards where the extra space for the larger hash equals more $ per unit.

More submissions (2, Informative)

LargeMythicalReptile (531143) | more than 5 years ago | (#25585923)

I expect it will take a little while for NIST to compile all the submissions and put them online. In the meantime, someone has started compiling a list (which is unofficial and incomplete, but still useful):

http://131002.net/sha3lounge/ [131002.net]

PHP extension for the Skein hash is available (1, Interesting)

chrysalis (50680) | more than 5 years ago | (#25586077)

A PHP extension for the Skein hash is now available.

You can download it from:
http://download.pureftpd.org/php-skein-hash/ [pureftpd.org]

Re:PHP extension for the Skein hash is available (0)

Anonymous Coward | more than 5 years ago | (#25588395)

Heh, from http://download.pureftpd.org/php-skein-hash/distinfo [pureftpd.org] MD5 (php-skein-hash-0.8.tar.gz) = e6000c115a1594b4de4f1db86270399c

From Bruce Schneier?! (2)

mebrahim (1247876) | more than 5 years ago | (#25587583)

From Bruce Schneier? So what are those seven others?!
I hate it when people ignore many names for a single bigger name.

Export Control (1)

jonaskoelker (922170) | more than 5 years ago | (#25588429)

From Schneier:

Skein is defined for three different internal state sizes: 256 bits, 512 bits, and 1024 bits [...]. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: [...] a stream cipher

So it does symmetric crypto with big keys [I assume the key size is either one internal state, or user-chosen].

Are there still crypto export laws in place? Would this impact Skein? Or will lawyers argue that encryption isn't its primary purpose? Or...

Personally I hope... (1)

Kjella (173770) | more than 5 years ago | (#25588721)

Personally I hope they just settle on Whirlpool [wikipedia.org] . "The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard." It's based on AES, patent-free with reference implementation in public domain and has been analyzed up and down already. But in all honesty, whatever's good enough for the NSA is probably good enough for me ;)
