Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

NIST Selects “Keccak” As winner of SHA-3 Competition

While it may be years before Keccak (pronounced “catch-ack”) is adopted for wide use, that doesn’t take away from the new cryptographic hash algorithm’s promise, or the effort spent in developing it. The NIST launched the search for SHA-3 five years ago, as a way to prepare for the loss of SHA-2 should it be broken.

While it may be years before Keccak (pronounced “catch-ack”) is adopted for wide use, that doesn’t take away from the new cryptographic hash algorithm’s promise, or the effort spent in developing it. The NIST launched the search for SHA-3 five years ago, as a way to prepare for the loss of SHA-2 should it be broken.

Keccak, which was announced by the NIST as the winner of the secure hash algorithm competition on Tuesday, was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors.

SHA-3 CompetitionThe NIST praised the Keccak algorithm for its many admirable qualities, including its elegant design and its ability to run well on many different computing devices.

For those unfamiliar, NIST explains a cryptographic hash algorithm as a “widely-used tool that creates a ‘fingerprint’, or a ‘message digest’ of a file, message or block of data that can be used for digital signatures, message authentication codes, and many other security applications in the information infrastructure.”

The clarity of Keccak’s construction lends itself to easy analysis, and Keccak has higher performance in hardware implementations than SHA-2 or any of the other finalists.

“As the Internet expands, connecting more and more devices, systems, networks and people across the globe, better, faster and more secure technologies are going to be needed to ensure data protection in places where we didn’t even know it was needed,” said Jeff Hudson, CEO of Venafi told SecurityWeek.

“Just knowing that there is a new algorithm on the block that can better ensure trusted communications isn’t enough though,” Hudson added. “Organizations need to locate all of the weak encryption technologies deployed across their networks and quickly upgrade them to current standards, otherwise, they lose the advantage of what cutting edge technologies have to offer.”

NIST clearly articulates why it chose Keccak cryptographic hash algorithm as the winner of its contest, Hudson added, so “organizations should take advantage of what it has to offer.”

As mentioned, NIST started looking for a replacement to SHA-2 in 2007, when it was thought that it might be threatened. Despite the attacks that broke other somewhat similar but simpler hash algorithms in 2005 and 2006, SHA-2 has held up well and NIST considers SHA-2 to be secure and suitable for general use.

“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be,” says NIST computer security expert Tim Polk. “An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently.”

Polk says that the two algorithms will offer security designers more flexibility. It may take years to identify all the possibilities for Keccak, Polk added, commenting in a statement from the NIST, but it immediately provides an essential insurance policy in case SHA-2 is ever broken.

He also speculates that the relatively compact nature of Keccak may make it useful for so-called “embedded” or smart devices that connect to electronic networks but are not themselves full-fledged computers.

“The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network,” Polk says. “SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.”

More information on the SHA-3 competition can be seen here.

Written By

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...