Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

NIST Selects “Keccak” As winner of SHA-3 Competition

While it may be years before Keccak (pronounced “catch-ack”) is adopted for wide use, that doesn’t take away from the new cryptographic hash algorithm’s promise, or the effort spent in developing it. The NIST launched the search for SHA-3 five years ago, as a way to prepare for the loss of SHA-2 should it be broken.

While it may be years before Keccak (pronounced “catch-ack”) is adopted for wide use, that doesn’t take away from the new cryptographic hash algorithm’s promise, or the effort spent in developing it. The NIST launched the search for SHA-3 five years ago, as a way to prepare for the loss of SHA-2 should it be broken.

Keccak, which was announced by the NIST as the winner of the secure hash algorithm competition on Tuesday, was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors.

SHA-3 CompetitionThe NIST praised the Keccak algorithm for its many admirable qualities, including its elegant design and its ability to run well on many different computing devices.

For those unfamiliar, NIST explains a cryptographic hash algorithm as a “widely-used tool that creates a ‘fingerprint’, or a ‘message digest’ of a file, message or block of data that can be used for digital signatures, message authentication codes, and many other security applications in the information infrastructure.”

The clarity of Keccak’s construction lends itself to easy analysis, and Keccak has higher performance in hardware implementations than SHA-2 or any of the other finalists.

“As the Internet expands, connecting more and more devices, systems, networks and people across the globe, better, faster and more secure technologies are going to be needed to ensure data protection in places where we didn’t even know it was needed,” said Jeff Hudson, CEO of Venafi told SecurityWeek.

“Just knowing that there is a new algorithm on the block that can better ensure trusted communications isn’t enough though,” Hudson added. “Organizations need to locate all of the weak encryption technologies deployed across their networks and quickly upgrade them to current standards, otherwise, they lose the advantage of what cutting edge technologies have to offer.”

NIST clearly articulates why it chose Keccak cryptographic hash algorithm as the winner of its contest, Hudson added, so “organizations should take advantage of what it has to offer.”

As mentioned, NIST started looking for a replacement to SHA-2 in 2007, when it was thought that it might be threatened. Despite the attacks that broke other somewhat similar but simpler hash algorithms in 2005 and 2006, SHA-2 has held up well and NIST considers SHA-2 to be secure and suitable for general use.

Advertisement. Scroll to continue reading.

“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be,” says NIST computer security expert Tim Polk. “An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently.”

Polk says that the two algorithms will offer security designers more flexibility. It may take years to identify all the possibilities for Keccak, Polk added, commenting in a statement from the NIST, but it immediately provides an essential insurance policy in case SHA-2 is ever broken.

He also speculates that the relatively compact nature of Keccak may make it useful for so-called “embedded” or smart devices that connect to electronic networks but are not themselves full-fledged computers.

“The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network,” Polk says. “SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.”

More information on the SHA-3 competition can be seen here.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...