Slashdot Mirror


Now From Bruce Schneier, the Skein Hash Function

An anonymous reader writes "Bruce Schneier and company have created a new hash function called Skein. From his blog entry: 'NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper."

139 comments

  1. what kind of function is that? by Anonymous Coward · · Score: 2, Funny

    a skin rash function? WTF?!?

    1. Re:what kind of function is that? by Ihmhi · · Score: 1

      It's the formal name for a party at a Leper Colony.

  2. Good to see Bruce back by CRCulver · · Score: 5, Funny

    I had long feared that the skilled cryptographer Bruce Schneier, author of Applied Cryptography, had been utterly replaced by Bruce Schneier the security consultant who peddles his wares in all of his recent lightweight publications. It's nice to see the cryptographer return.

    1. Re:Good to see Bruce back by melikamp · · Score: 2, Funny

      Actually, you got it all wrong. As anyone concerned with personal security, Bruce Schneier has a decoy.

    2. Re:Good to see Bruce back by ObsessiveMathsFreak · · Score: 5, Interesting

      Would you prefer that he had remained a quiet researcher for the last decade? Would the world be better off if he had?

      We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?

      Celebrity has become a smear word, but smearing all celebrities reveals only our own inability to recognize true expertise and talent.

      --
      May the Maths Be with you!
    3. Re:Good to see Bruce back by ShieldW0lf · · Score: 0, Troll

      From the article:

      One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.

      This is funny. These two properties, discounting the redefinition of impossible, are mutually exclusive. If each message hashes to a unique value, and there are no collisions, then recreating the original message from the hash is as simple as putting a million monkeys to work writing a million works of gibberish and storing the hash and gibberish in a dictionary. If you instructed your monkeys to start from the smallest works of gibberish and work towards the longer works, your dictionary would be complete for any message whose length is equal to or less than the longest message in the dictionary.

      So basically, this would mean a large number of the world's finest mathematicians are working tirelessly to create something that is by definition mathematically impossible.

      --
      -1 Uncomfortable Truth
    4. Re:Good to see Bruce back by FrangoAssado · · Score: 2, Funny

      So basically, this would mean a large number of the world's finest mathematicians are working tirelessly to create something that is by definition mathematically impossible.

      Yes, discounting the redefinition of impossible, it would mean that. :-)

    5. Re:Good to see Bruce back by hal9000(jr) · · Score: 1

      Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.

      This is a poor definition of the second property. In any function that has a fixed length output, a collision is *guaranteed*. A 2^160 output is still finite!

      The collision avoidance is that it is computationally infeasible to find, a priori, two different inputs that will resolve to the same hash value.

    6. Re:Good to see Bruce back by bigredradio · · Score: 2, Insightful
    7. Re:Good to see Bruce back by norminator · · Score: 3, Insightful

      One-way hash functions are supposed to have two properties. One, they're one way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By "impossible" I mean "can't be done in any reasonable amount of time.") Two, they're collision free. This means that it is impossible to find two messages that hash to the same hash value.

      This is funny. These two properties, discounting the redefinition of impossible, are mutually exclusive. If each message hashes to a unique value, and there are no collisions, then recreating the original message from the hash is as simple as putting a million monkeys to work writing a million works of gibberish and storing the hash and gibberish in a dictionary. If you instructed your monkeys to start from the smallest works of gibberish and work towards the longer works, your dictionary would be complete for any message whose length is equal to or less than the longest message in the dictionary.

      Hence Schneier's explanation of the word "impossible", which was "can't be done in a reasonable amount of time". The criteria for grading pretty much all encryption is whether it costs more in resources to break the encryption than what the decrypted information would be worth. Truly "impossible" encryption is an impossibility in and of itself. All you can do is make it not worth someone's time and effort to try to break it.

      So you're right, that the goal of cryptography (including hash functions) is contradictory, which means that some compromises must be made. The trick is finding how to make reasonable compromises so that you have a useable system that's still relatively secure (and Schneier is always the first to say that 'secure' is always relative).

      That's why Joe Schmoe can't just make up his own encryption schemes and expect it to be secure, because it's hard work and takes a lot of understanding. That's why MD5 and SHA can't last forever. That's why they're taking proposals from smart people (excuse me, teams of people) like Schneier to come up with new hash methods, which will also have a limited lifespan as people find ways to break them.

      All we can do is to come up with the best solution we can for now, and in a few years, we'll need something better.

    8. Re:Good to see Bruce back by Anonymous Coward · · Score: 0

      Hashes can be brute-forced, what a surprise..

      Take a 1024-bit hash. How many values do you think you are going to have to bruteforce; how long do you think it is going to take?

      Go learn something about computational complexity and cryptography.

    9. Re:Good to see Bruce back by DerekLyons · · Score: 1

      We've all seen the Schneier-Norris jokes, and it is true that he is something of a celebrity in cryptography and computer science circles. But does becoming a celebrity through making the effort to educate the public about your field automatically cheapen your worth as a scientist or researcher? Does it reduce the worth of the message?

      When one has used one's celebrity status primarily to advance one's political beliefs and to lend unwarranted weight to claims in fields where one has no expertise - yes, it reduces the worth of the message because it calls into question the motives behind the message.

    10. Re:Good to see Bruce back by droopycom · · Score: 1

      Bruce Facts:

      Bruce has done the impossible. Twice.

    11. Re:Good to see Bruce back by pizza_milkshake · · Score: 1

      Yup, all you need to violate the second property over N slots is N+1 data per the Pigeonhole principle. So the trick to temporarily satisfying the first property is making reversal of the algorithm just complex enough to be computationally infeasible by everyone except the NSA, and to store the result in just enough slots to make it practically unlikely that a set of meaningful existing documents/data will collide.

    12. Re:Good to see Bruce back by jonaskoelker · · Score: 1

      Re-read the definition of impossible that was given. It wasn't a one-shot definition.

    13. Re:Good to see Bruce back by mvdwege · · Score: 1

      You may call pointing out that the Emperor has no clothes a political belief, but when the facts show that the Emperor is in fact naked, that's too bloody bad for you. Reality does not bend to your preferences.

      And you're one to talk. Your beliefs about SCO and the bullshit you asserted in that case have become legendary.

      Mart

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    14. Re:Good to see Bruce back by MikeBabcock · · Score: 2, Interesting

      Bruce is the opposite of a traditional peddler in my view; he comes at problems from an obviously wide perspective and a deep understanding of his expertise: cryptography. I see most of his 'light-weight' contributions to security as those moments where he's trying to explain how cryptography, his passion, will not solve your problems.

      He frequently explains how cryptography doesn't implicitly guarantee security, that security is a larger process that involves many other factors of which good cryptography is only one.

      Depending on poor cryptography will of course weaken the solution should crypto be a major factor, but the design of the whole system needs to be taken into account, and that's where his frequently-cited works come into play.

      Can you actually find good examples of him NOT being insightful or seeing an issue correctly? Are you simply annoyed that he doesn't sit in the corner you've made for him as a cryptographer? I don't care if Oprah talks about weight loss; she's been through it. I care that she talks about literature, because the books she likes suck.

      Bruce can talk about process security all he likes in my world, he's good at it and doesn't mince words.

      --
      - Michael T. Babcock (Yes, I blog)
    15. Re:Good to see Bruce back by complete+loony · · Score: 1

      While nothing will ever be completely impossible, it is possible to make an encryption scheme so hard to brute force that you'd need to boil the oceans or even harness all the power of all the visible stars in the universe to perform the calculations.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    16. Re:Good to see Bruce back by Free+the+Cowards · · Score: 1

      These two properties, discounting the redefinition of impossible, are mutually exclusive.

      Are you some kind of moron, or are you just being disingenuous?

      --
      If you mod me Overrated, you are admitting that you have no penis.
    17. Re:Good to see Bruce back by Malevolyn · · Score: 1

      const char *crypt(const char v[])
      {
          /* every input "encrypts" to the same string */
          static const char ret[14] = "encrypteddata";
          (void)v;
          return ret;
      }

      Let's see someone crack THAT!

      Ok, ok, it's technically crackable because everything gets the same result, so therefore the possible encrypted data is an infinite number of possibilities. But that's the beauty of it!

      Now back to your regularly scheduled thread of people who have a better understanding of encryption than I do.

      --
      Your ad here.
  3. Time to get glasses by smooth+wombat · · Score: 4, Funny

    Read the title as "Skin Hash Function". For a moment, wasn't sure if this was a SFW article.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    1. Re:Time to get glasses by Phreakiture · · Score: 3, Funny

      Yeah, me too. I had wondered if there was some sort of cream you could put on it.

      --
      www.wavefront-av.com
    2. Re:Time to get glasses by gardyloo · · Score: 4, Funny

      Of course! Or it gets the hose again.

    3. Re:Time to get glasses by Tmack · · Score: 1

      The Music Video.... OT, but worth it. (scene in it might be NSFW, otherwise just creepy).

      --
      Support TBI Research: http://www.raisinhope.org
  4. FYI: Skein is pronounced like vein (i.e. "skane") by Anonymous Coward · · Score: 3, Informative
  5. From the fpdf by Bonker · · Score: 4, Informative
    --
    The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
    1. Re:From the fpdf by MrNaz · · Score: 0, Flamebait

      FPDF? That looks more like a FHTML file to me. I think that, if Bruce was really pro-community, he'd publish his writing in the FODF format.

      On a side note, perhaps Slashdot could apply to the ISO to have its family of F* file formats registered.

      --
      I hate printers.
    2. Re:From the fpdf by SpaceLifeForm · · Score: 1

      fpdf -> (fsoftware) -> fhtml

      Hence, *from* the fpdf.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  6. Hax by mfh · · Score: 5, Interesting

    I love hearing about new functions, but the fundamental growth of the security industry has me concerned for the well-being of my cat -- HR director for a large corporation that shall remain nameless (although they dabble in web security). The growth of industry standards like SHA, typically stimulates additional growth in other market-based drives for change, and this is all pioneered by an industry that brought us the y2k bug, which was a total success. We made millions and did so in an unapologetic fashion. Keep em coming!

    Summary: I want more money, so keep hacking and we'll keep thinking up ways to protect people from ourselves.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Hax by The+Clockwork+Troll · · Score: 5, Funny

      Did you know your uid is a prime number when interpreted in base 7 or 11?

      How do you sleep at night?

      --

      There are no karma whores, only moderation johns
    2. Re:Hax by w_mute · · Score: 1

      > How do you sleep at night?

      Do you really need to ask that of a no good 56er?

    3. Re:Hax by Anonymous Coward · · Score: 0

      You forgot base 1!

    4. Re:Hax by jonaskoelker · · Score: 1

      Did you know your uid is a prime number when interpreted in base 7 or 11? How do you sleep at night?

      If he tells anyone about it, chances are the answer is "lonely".

    5. Re:Hax by Just+Some+Guy · · Score: 1

      Did you know your uid is a prime number when interpreted in base 7 or 11?

      Must... resist...

      I can't take it anymore. I hoped someone else would point out that his UID has a 7 in it so it can't be a base-7 number.

      Gah, you all suck. I'm going to go throw rocks at inanimate objects until I feel less geeky.

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:Hax by Anonymous Coward · · Score: 0

      A prime number is a prime number in all bases. The only categories that depend on having a specific base involve operations with specific digits.

    7. Re:Hax by Anonymous Coward · · Score: 0

      It's also an even number in any base so it can't be prime.

    8. Re:Hax by Mozk · · Score: 1

      There's no 7 in 56... Or am I missing something?

      --
      No existe.
    9. Re:Hax by Just+Some+Guy · · Score: 1

      Crud. Slashdot's Discussion2 system made that show up under a different parent. Never mind.

      --
      Dewey, what part of this looks like authorities should be involved?
    10. Re:Hax by SnowZero · · Score: 1

      Caution, this guy's UID has the following prime factors:
          2 2 2 419
      That means he's a scammer that's in to computers... be careful around him. He could easily not be "Just Some Guy" but actually be "Zero Cool" in disguise.

      You can trust what I say, my UID is prime.

  7. A likely story by Anonymous Coward · · Score: 5, Funny

    How do we know he's not just spinning a good yarn here?

    1. Re:A likely story by apathy+maybe · · Score: 4, Informative

      For those who didn't know and can't be bothered to even skim the PDF, the first footnote says:

      A "skein", pronounced \skān\ and rhymes with "rain", is a loosely coiled length of yarn or thread wound on a reel.

      Of course, the copy and paste doesn't quite do it justice.

      (I blame Slashcode.)

      --
      I wank in the shower.
  8. What the hell is Threefish by ciroknight · · Score: 3, Interesting

    Certainly it's related to Blowfish and Twofish, but I cannot find a word one on Threefish outside of this document. Anyone care to explain for some good karma?

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    1. Re:What the hell is Threefish by TorKlingberg · · Score: 5, Informative

      Threefish is the name of the block cipher part of Skein.

    2. Re:What the hell is Threefish by ciroknight · · Score: 1

      Your powers of deduction are amazing Holmes.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    3. Re:What the hell is Threefish by Anonymous Coward · · Score: 1, Funny

      What the hell is Threefish

      A 50% improvement over Twofish?

    4. Re:What the hell is Threefish by dnwq · · Score: 5, Informative
      Schneier, responding to 'shadowfirebird's comment on his blog:

      "Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken." Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then. I think your intertubes are clogged.

    5. Re:What the hell is Threefish by andrewd18 · · Score: 4, Funny

      Personally, I'm waiting for the cypher built on Onefish, Twofish, Redfish, and Bluefish.

    6. Re:What the hell is Threefish by Mister+Whirly · · Score: 4, Funny

      or what about Redfish and Bluefish?

      --
      "But this one goes to 11!"
    7. Re:What the hell is Threefish by oni · · Score: 1

      Torklingberg's point is that you shouldn't expect to find word one about threefish. It's just been published in this paper. Who could possibly be talking about it, psychics?

    8. Re:What the hell is Threefish by ciroknight · · Score: 1

      No, his point was in its entirety: "Threefish is the name of the block cipher part of Skein."

      Which is pretty much what I got from reading the introduction to said paper. My question was posited to discover why there was no information on it, which was more completely answered by later replies, which stated it was just published as a part of this paper; nobody has had time to run any independent cryptanalysis on it.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    9. Re:What the hell is Threefish by Legion_SB · · Score: 3, Insightful

      Threefish is the name of the block cipher part of Skein.

      I thought Redfish and Bluefish came after Twofish.

      --
      'a';DROP TABLE users; SELECT * FROM DATA WHERE name LIKE '%'... if you're reading this, it didn't work.
    10. Re:What the hell is Threefish by hesaigo999ca · · Score: 1

      If you take the redfish, you can go back to your previous life,
      but if you take the bluefish you ......

    11. Re:What the hell is Threefish by redF1sh · · Score: 2, Funny

      If you take the redfish, you can go back to your previous life...

      Hey, leave me alone!

    12. Re:What the hell is Threefish by STrinity · · Score: 1

      Threefish is to Twofish as Dreadfish is to Blowfish.

      --
      Les Miserables Volume 1 now up with my reading of
    13. Re:What the hell is Threefish by steelfood · · Score: 1

      The Cat in the Hat fed 'em to Thing 1 and Thing 2 for breakfast.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    14. Re:What the hell is Threefish by jd · · Score: 1

      You cannot break it in a train, you cannot break it in a plane, you cannot break it here or there, you cannot break it anywhere. You cannot break *fish and ham, you cannot break it Sam-I-Am. (Hmmmm.... *fish would be a cool name for the next algorithm in that family...)

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    15. Re:What the hell is Threefish by joncallas · · Score: 1

      In the late '90s, when I was at Counterpane, John Kelsey and I created a series of Blowfish variants. The goal was that they were intentionally non-interoperable so we could have SSL that only Counterpane machines would have the code for. I referred to this as a "you must be at least this tall to hack this system" measure. They were: Blackfish, brownfish, redfish, orangefish, yellowfish, greenfish, bluefish, indigofish, violetfish, goldfish, whitefish, silverfish, plaidfish, and octarinefish. Maybe someday those names will be reused, but I think Fourfish is also a great name.

    16. Re:What the hell is Threefish by MarkRose · · Score: 1

      I like to eat Whitefish. In fact, my digestive system is a one way hash function for it.

      --
      Be relentless!
    17. Re:What the hell is Threefish by narcberry · · Score: 1

      A very famous Doctor explained it as "one fish, two fish, red fish, blue fish."

      --
      Modding me -1 troll doesn't make me wrong.
  9. Bruce should go to Washington by multiOSfreak · · Score: 4, Insightful

    Bruce is the friggin' man. He ought to get some kind of advisory role in the next administration. I think his views on security in general would help straighten out a lot of FUD...assuming that anyone in Washington would actually listen to him, that is. :)

    1. Re:Bruce should go to Washington by Anonymous Coward · · Score: 1, Interesting

      Didn't Bruce leave the NSA because he saw that the NSA was irreformably dedicated to violation of privacy for political gain, regardless of the pressure honest politicians put on it to stick to legitimate national security concerns?

    2. Re:Bruce should go to Washington by viridari · · Score: 1

      Bruce is the friggin' man. He ought to get some kind of advisory role in the next administration.

      I'll talk to Bob and see what we can do for Bruce.

    3. Re:Bruce should go to Washington by daem0n1x · · Score: 1

      politicians => ~honest

      |Politicians|Honest|Result|
      | f | f | t |
      | f | t | t |
      | t | f | t |
      | t | t | f |

      Honest politicians is a logical incoherence.

    4. Re:Bruce should go to Washington by Anonymous Coward · · Score: 0

      Didn't Bruce leave the NSA

      No, according to all the bios I can find online he never worked at the NSA at all.

  10. Sounds good, but MD5 et al. still have a place by apathy+maybe · · Score: 5, Informative

    Disclaimer: I'm not a cryptographer, and I'm not a professional (anything). This post is based on my understanding, which may be wrong. Corrections accepted and welcomed.

    Yes, MD5 is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

    You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.

    However, this is not the only use for hash functions. Hash functions are also used to obscure passwords. "Wait", I hear you say, "what about rainbow tables?". Wikipedia says (from the link above)

    Recently, a number of projects have created MD5 "rainbow tables" which are easily accessible online, and can be used to reverse many MD5 hashes into strings that collide with the original input, usually for the purposes of password cracking. However, if passwords are combined with a salt before the MD5 digest is generated, rainbow tables become much less useful.

    That's right folks, if you know what you are doing, you can still use MD5.

    Basically, you have to salt your passwords before storing them in the DB (in case the DB gets broken into), send the original salt, and another (random) salt along with the login page, make sure that everyone hashes in the correct order and compare. Simplified, but I'm sure you're all intelligent enough to find what I'm talking about.

    Voilà, a safe method of using MD5. (As far as I know, there is still no way to convert an MD5 hash back into the original text, or even a possible original text without using a Rainbow table.)

    -----

    That said, new hashing methods are always welcome. Especially when it comes to things like checksums. (I can't believe some websites still rely on MD5...)

    --
    I wank in the shower.
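The salted challenge-response login apathy+maybe sketches above, as an added example that is not part of the post: the server stores salt and H(salt || password), sends the salt plus a fresh nonce on each login, and the client answers with H(H(salt || password) || nonce). The digest defaults to MD5 as in the post; the credential and nonce sizes are constructed for illustration. The last scenario in run_demo() is the caveat a practitioner wants: an attacker who has stolen the DB row can answer the challenge without ever learning the password, so the salt defeats rainbow tables but does not make the stored value safe to lose in this kind of scheme.

```python
import hashlib
import hmac
import secrets

# Added example, not from the post: a salted challenge-response login of the
# kind apathy+maybe describes. The digest defaults to MD5 as in the post; the
# protocol structure is what is demonstrated, not the hash.


def chain_hash(*parts: bytes, digest=hashlib.md5) -> str:
    """Hash the concatenation of parts, in the order given (order matters)."""
    m = digest()
    for p in parts:
        m.update(p)
    return m.hexdigest()


class Server:
    def __init__(self, digest=hashlib.md5):
        self.digest = digest
        self.users = {}      # user -> (salt, stored = H(salt || password))
        self.pending = {}    # user -> outstanding one-time nonce

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_hex(8)
        stored = chain_hash(salt.encode(), password.encode(), digest=self.digest)
        self.users[user] = (salt, stored)

    def challenge(self, user: str):
        """Step 1: server sends the user's salt plus a fresh nonce."""
        salt, _ = self.users[user]
        nonce = secrets.token_hex(8)
        self.pending[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: str) -> bool:
        """Step 3: recompute H(stored || nonce) and compare in constant time.
        The nonce is consumed, so a captured response cannot be replayed."""
        _, stored = self.users[user]
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        expected = chain_hash(stored.encode(), nonce.encode(), digest=self.digest)
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: str, nonce: str, digest=hashlib.md5) -> str:
    """Step 2: the client never sends the password, only H(H(salt||pw) || nonce)."""
    inner = chain_hash(salt.encode(), password.encode(), digest=digest)
    return chain_hash(inner.encode(), nonce.encode(), digest=digest)


def run_demo(digest=hashlib.md5) -> dict:
    srv = Server(digest)
    srv.register("alice", "correct horse")   # constructed test credential
    results = {}

    salt, nonce = srv.challenge("alice")
    resp = client_response("correct horse", salt, nonce, digest)
    results["correct_password"] = srv.verify("alice", resp)

    salt, nonce = srv.challenge("alice")
    bad = client_response("wrong guess", salt, nonce, digest)
    results["wrong_password"] = srv.verify("alice", bad)

    # A response sniffed from the first login is useless later: its nonce is gone.
    results["replayed_response"] = srv.verify("alice", resp)

    # Caveat: an attacker holding the stolen DB row can answer a challenge
    # WITHOUT knowing the password, because H(salt||pw) is all the client
    # contributes. The salt defeats rainbow tables; it does not make the
    # stored value safe to lose in a challenge-response scheme.
    salt, nonce = srv.challenge("alice")
    _, stored = srv.users["alice"]
    forged = chain_hash(stored.encode(), nonce.encode(), digest=digest)
    results["stolen_stored_hash"] = srv.verify("alice", forged)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Passing `digest=hashlib.sha256` to `run_demo` changes nothing in the outcome table, which is the point of the stolen-row scenario: the weakness is in what the server stores, not in which hash computes it.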
    1. Re:Sounds good, but MD5 et al. still have a place by jhol13 · · Score: 1

      MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.

      Whirlpool, for example, is much, much better and more secure.

    2. Re:Sounds good, but MD5 et al. still have a place by tangent3 · · Score: 5, Informative

      Yes, MD5 [wikipedia.org] is broken. Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

      Wrong.
      The MD5 attacks demonstrated are collision attacks - attacks where you generate two datasets that hash to the same MD5 hash.

      What you are describing is a Preimage attack. Finding a dataset that has the same MD5 hash as an existing dataset is a different attack which is many orders of magnitude harder than a collision attack, and AFAIK has so far not been demonstrated for MD5.
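The collision-versus-preimage distinction tangent3 draws, and the pigeonhole/"computationally infeasible" point hal9000(jr) and ShieldW0lf argue about higher in the thread, as an added example that is not from any of the posts. It shrinks SHA-256 to a 16-bit output so both searches finish in well under a second; the message formats and the "original document" are constructed. With n output bits, a collision (any two inputs that agree) costs about 2^(n/2) trials by the birthday bound, while a preimage (an input matching a given value) costs about 2^n; only the exponents grow for a real 128- or 160-bit digest.

```python
import hashlib
from itertools import count

# Added example, not from the thread: the gap between a collision search and a
# preimage search on a hash whose output has been cut to `bits` bits so both
# finish quickly. Real MD5/SHA-1 digests are 128/160 bits; only the exponents
# change, not the shape of the argument.


def toy_hash(data: bytes, bits: int = 16) -> int:
    """Top `bits` bits of SHA-256(data). Truncation stands in for 'small n'."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int = 16):
    """Any two messages with the same hash: birthday bound, about 2^(n/2) tries."""
    seen = {}
    for i in count():
        msg = b"msg-%d" % i                      # constructed, all distinct
        h = toy_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def find_preimage(target: int, bits: int = 16):
    """A message hashing to a GIVEN value: brute force, about 2^n tries."""
    for i in count():
        msg = b"guess-%d" % i
        if toy_hash(msg, bits) == target:
            return msg, i + 1


def compare(bits: int = 16) -> dict:
    a, b, col_tries = find_collision(bits)
    original = b"the original document"          # constructed: what a verifier already has
    target = toy_hash(original, bits)
    pre, pre_tries = find_preimage(target, bits)
    return {
        "bits": bits,
        "collision_pair": (a, b),
        "collision_tries": col_tries,
        "preimage": pre,
        "preimage_tries": pre_tries,
        "collision_valid": a != b and toy_hash(a, bits) == toy_hash(b, bits),
        "preimage_valid": toy_hash(pre, bits) == target,
    }


if __name__ == "__main__":
    r = compare(16)
    print(f"{r['bits']}-bit hash: collision after {r['collision_tries']} tries, "
          f"preimage after {r['preimage_tries']} tries")
```

Raising `bits` to 20 or 24 makes the ratio more dramatic and the preimage search correspondingly slower; the collision search barely notices. A collision pair found this way says nothing about any document you did not choose yourself, which is exactly why a collision attack on MD5 is not the "craft a matching dataset" attack the parent post described.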

    3. Re:Sounds good, but MD5 et al. still have a place by apathy+maybe · · Score: 1

      Umm, do you know of a free (pref. BSD-style without ad. clause licensed) JavaScript implementation of Whirlpool? Because I know of one for MD5. Namely Paul Johnston's JavaScript MD5.

      From that site:

      The use of MD5 or SHA-1 for most JavaScript purposes (e.g. challenge-response login) does not rely on the collision resistance property. These weaknesses do not create any vulnerability in such web sites and there is no need to panic. If these weaknesses do concern you, there are alternative algorithms available:

      Wait, that's what I said!

      (Oh, and while on the subject, Building a CHAP Login System.)

      --
      I wank in the shower.
    4. Re:Sounds good, but MD5 et al. still have a place by MostAwesomeDude · · Score: 3, Interesting

      If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.

      Thus, it's quite easy to craft preimages, if you're not really concerned with the contents of the resulting payload.

      Now, if given MD5(a), it's not (yet) possible to craft a possible payload "a", but I'm sure it'll be figured out soon.

      --
      ~ C.
    5. Re:Sounds good, but MD5 et al. still have a place by afidel · · Score: 1

      Correct, and getting a Preimage attack that generates a useful binary that collides with the original and has the same size would still be extremely difficult even if a more broad preimage attack was known.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    6. Re:Sounds good, but MD5 et al. still have a place by apathy+maybe · · Score: 1

      Oooh... Umm... Err...

      My mistake? Give the person a cookie for picking up on it.

      (I must have misremembered my reading.)

      So, do any of the commonly used hash functions have a preimage attack demonstrated for them?

      --
      I wank in the shower.
    7. Re:Sounds good, but MD5 et al. still have a place by alabandit · · Score: 1

      But if they get your password, they most likely have your salt, and then "a few minutes later on a modern computer" we're back at the drawing board ;) I haven't read his method, but if you're serious about security, leave MD5 alone.

      --
      "You are still innocent until proven guilty. What's changed is what they do to innocent people." by notnAP (846325)
    8. Re:Sounds good, but MD5 et al. still have a place by Waffle+Iron · · Score: 2, Insightful

      MD5 should have been scrapped years ago. There is absolutely no excuse for using it anymore.

      Well, I still use it as a replacement for cksum to make checksum files for DVDs and the like (which is not a security critical task). It runs marginally faster than cksum (and much faster than sha1sum) on my machine, and the 'md5sum -c' option lets me conveniently verify whole directory trees.

    9. Re:Sounds good, but MD5 et al. still have a place by Hatta · · Score: 1

      You should thus not use MD5 to authenticate documents and other data as being "not-tampered with". As a checksum algorithm, it should not be used.

      If you're worried about people tampering with your data, you shouldn't use any checksum. Sign it with PGP.

      If you just want to check that your download didn't corrupt, MD5 is still fine for that purpose.

      --
      Give me Classic Slashdot or give me death!
    10. Re:Sounds good, but MD5 et al. still have a place by m50d · · Score: 1
      Voilà [sic, thanks slashdot], a safe method of using MD5. (As far as I know, there is still no way to convert an MD5 hash back into the original text, or even a possible original text without using a Rainbow table.)

      Safe for now, sure. But for how long? MD5 is crumbling, yes it's crumbling slowly, but once an algorithm has been shown to have flaws it usually collapses entirely not that long after. Worse, in the academic world the difference between "perfect" and "imperfect" matters a lot more than the difference between "partially broken" and "fully broken" - so now that it's been shown to have serious flaws, the people most interested will not be the academics but the criminals and the spies. Paranoid though it may seem, it's not at all unreasonable to believe that the NSA et al. or even your favourite organized crime syndicate have broken MD5 more thoroughly than has been done in published papers.

      That MD5 hasn't been completely broken only means there's no need to panic-drop existing systems. For any new system being written today, MD5 shouldn't even be under consideration.

      --
      I am trolling
    11. Re:Sounds good, but MD5 et al. still have a place by Just+Some+Guy · · Score: 0

      salt

      No amount of salt makes a broken algorithm un-broken. Imagine the trivial case where the output of a hash function is the unmodified input. The salt wouldn't do a lot, would it?

      Well, MD5 is broken. Given that there are freely available alternatives not known to be broken, it's utterly irresponsible to endorse MD5.

      --
      Dewey, what part of this looks like authorities should be involved?
    12. Re:Sounds good, but MD5 et al. still have a place by theapeman · · Score: 2, Insightful

      And how do you think PGP signs something? It takes a checksum of it (hopefully avoiding md5) and passes that through the signature algorithm (RSA or something similar). So you can't avoid the checksum (hash function) by using PGP.

    13. Re:Sounds good, but MD5 et al. still have a place by SatanicPuppy · · Score: 1

      Mostly secure isn't good enough. There is no reason to continue using MD5; it's not like there aren't better alternatives, and it's not like it's growing more secure with time.

      --
      ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    14. Re:Sounds good, but MD5 et al. still have a place by gnud · · Score: 1

      All payloads x with md5(x) = md5(a) are possibly = a. A computer really can't do much better than that.

    15. Re:Sounds good, but MD5 et al. still have a place by Hatta · · Score: 1

      To create a valid PGP signature, the attacker needs your private key. To create a valid checksum, all they have to do is run their bad data through the checksum algorithm and replace the checksum.txt file or whatever. Clearly one is much more secure than the other.

      But in a strictly pedantic sense, you are correct. I should have said, "don't use checksums only".

      --
      Give me Classic Slashdot or give me death!
    16. Re:Sounds good, but MD5 et al. still have a place by marcosdumay · · Score: 1

      "I'm not a cryptographer"

      Well, thank God for that. First, MD5 is not broken the way you say it is. Yes, it is broken, but you can't just create a string that will have a wanted hash. Maybe you'll be able to in the near future, but you can't do that now.

      Second, salt won't save a broken hash. Salting will protect you when you use an (unbroken) hash function against a big set of data. Without salting there is a big chance of any random value being in your set of hashes. A collateral effect of salting is that it will make dictionary attacks a bit slower (avoiding the use of a rainbow table), but that is not very important, since it is only a proportional speedup.

      Finally, MD5 is quite ok for checksums. It will make sure your download is not corrupt and, being as fast as it is, will not be a burden to your system. That new Skein algorithm does look better, but there is no rush to replace MD5 here.

      Now, I'm not a cryptographer either. But I do know a thing or two.

    17. Re:Sounds good, but MD5 et al. still have a place by John+Hasler · · Score: 1

      > You should thus not use MD5 to authenticate documents and other data as being
      > "not-tampered with". As a checksum algorithm, it should not be used.

      As a security checksum algorithm, it should not be used. There are other uses for checksums.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    18. Re:Sounds good, but MD5 et al. still have a place by Lord+Ender · · Score: 4, Funny

      Given a specific dataset with a specific MD5 hash, you can create another dataset with the same hash in minimal time (a few minutes on a modern computer).

      That isn't even remotely true. MD5 has been demonstrated to be easier to break than advertised, therefore it is wise to use better hashes. But when I say "better than advertised" I'm saying defeating a good hash is about as easy as any of us getting Angelina Jolie in the sack; but someone has discovered a trick that makes defeating MD5 about as easy as bagging Paris Hilton. For all practical purposes, none of us will achieve either, but Paris is still no Angelina Jolie...

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    19. Re:Sounds good, but MD5 et al. still have a place by Anonymous Coward · · Score: 0

      Man, I hope you don't try to implement "secure solutions" for anyone.

      Everyone else on this thread is talking about attacks on hash algorithms to fool people into accepting bogus data that will pass the hash test. This works against PGP signatures just as well, if the attack is available for the hash algorithm used in the signature. The signature helps convey the hash value to the user securely, over insecure channels, but does not make the hash value more effective at screening for corrupt data.

      Nobody else is talking about attacks on hash verification where you substitute a different hash value in the distribution channel and fool the user into believing it is valid. This is of course trivial with EVERY hash algorithm that will ever exist.

    20. Re:Sounds good, but MD5 et al. still have a place by evanbd · · Score: 1

      That's still just a collision, not a preimage. The definition of a preimage attack is the ability to go from MD5(x1) to x2 such that MD5(x2) == MD5(x1). The fact that you can generate additional collisions once you've found the first has no (direct) bearing on your ability to work backwards. In order for your concatenation process to be useful, you somehow have to generate a and b such that one of them is the same as the start of your message text -- the current collision attacks give you very little control over either a or b, they simply produce a pair that's useful.

    21. Re:Sounds good, but MD5 et al. still have a place by Chris+Burke · · Score: 1

      If MD5(a) == MD5(b), then MD5(a + c) == MD5(b + c), where "a", "b", and "c" are arbitrary payloads and "+" is the concatenation operator.

      The difference between a collision and a preimage attack is that in a collision, "a", "b", and "c" are all of your own design, while in a pre-image attack, "a" is a pre-existing document and you want to create a second document "b", that results in the same hash.

      It's much easier to find two arbitrary payloads which collide than it is to start with a fixed payload and then find another payload which collides with it.

      --

      The enemies of Democracy are
    22. Re:Sounds good, but MD5 et al. still have a place by Anonymous Coward · · Score: 0

      But that doesn't gain anything, as they will just attack at the weak link: make a new payload with a hash collision so the hash is the same, and then use your signed hash (which is also the correct hash for the new payload, per definition of "hash collision") with their payload.

      You just gained nothing vs. the attack discussed.

      Of course, if you don't use private-key signing, they can pull a MITM attack by replacing the data and the hash with an arbitrary payload and its hash, but that wasn't under discussion. (And is obvious.)

    23. Re:Sounds good, but MD5 et al. still have a place by ChatHuant · · Score: 1

      And how do you think PGP signs something? It takes a checksum of it (hopefully avoiding md5) and passes that through the signature algorithm (RSA or something similar). So you can't avoid the checksum (hash function) by using PGP.

      PGP may do that, but note that a hash is a convenience, used because it's much smaller than the original document, so encrypting/decrypting the signature uses fewer computational resources. A "real" hash is not however required to sign a document: just provide the original document and the same document encrypted with your private key. The encrypted version is your signature. Users can verify you're the one that signed the document by decrypting the encrypted version with your public key and comparing it against the plaintext one.

    24. Re:Sounds good, but MD5 et al. still have a place by this+great+guy · · Score: 1

      The MD5 attacks demonstrated are collision attacks

      Correct.

      What you are describing is a Preimage attack.

      Incorrect. The GP described a second preimage attack. Three main types of attacks exist against hash functions. In order of increasing complexity:

      • Collision attack. (You are correct in that so far only this type of attack has been demonstrated against MD5.)
      • Second preimage attack.
      • Preimage attack.
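Added example, not from the thread: a toy Merkle-Damgard hash (16-bit chaining value, 4-byte blocks, truncated SHA-256 standing in for the compression function; all constructed, not MD5 itself) that shows the two points made above. A collision found in the chaining value survives any common suffix, as Chris Burke's MD5(a + c) == MD5(b + c) says, provided a and b are equal-length full blocks, and a birthday search for a collision costs about 2^(n/2) work while a second preimage for a fixed block costs about 2^n.

```python
"""Toy Merkle-Damgard hash: a teaching model of the structure MD5 shares, not
MD5.  n = 16 bits so both attacks can be run by brute force in well under a
second; the ratio between them is the point, not the absolute numbers."""
import hashlib
import secrets
from typing import Dict, Tuple

STATE_BYTES = 2            # 16-bit chaining value: small enough to brute-force
BLOCK_BYTES = 4
IV = b"\x00" * STATE_BYTES


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function f(state, block) -> new state."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 4-byte big-endian length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK_BYTES)
    return padded + len(msg).to_bytes(4, "big")


def toy_md(msg: bytes) -> bytes:
    """Iterate the compression function over the padded message."""
    state = IV
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK_BYTES):
        state = compress(state, padded[i:i + BLOCK_BYTES])
    return state


def find_collision() -> Tuple[bytes, bytes, int]:
    """Birthday search: two distinct single blocks with equal chaining value.
    Expected cost is roughly 2^(n/2) = 2^8 compression calls; the attacker
    chooses both sides, which is what makes this cheap."""
    seen: Dict[bytes, bytes] = {}
    tries = 0
    while True:
        tries += 1
        block = secrets.token_bytes(BLOCK_BYTES)
        h = compress(IV, block)
        if h in seen and seen[h] != block:
            return seen[h], block, tries
        seen[h] = block


def find_second_preimage(target: bytes) -> Tuple[bytes, int]:
    """Fix the first block and search for another with the same chaining value.
    Expected cost is roughly 2^n = 2^16 compression calls: one side of the
    collision is now dictated by the existing document."""
    wanted = compress(IV, target)
    tries = 0
    while True:
        tries += 1
        cand = secrets.token_bytes(BLOCK_BYTES)
        if cand != target and compress(IV, cand) == wanted:
            return cand, tries


def extension_holds(a: bytes, b: bytes, suffix: bytes) -> bool:
    """H(a) == H(b) implies H(a || c) == H(b || c) when a and b are equal-length
    full blocks: after the first block the computation only sees the state."""
    return toy_md(a) == toy_md(b) and toy_md(a + suffix) == toy_md(b + suffix)


if __name__ == "__main__":
    a, b, coll_tries = find_collision()
    print(f"collision after {coll_tries} tries: {a.hex()} {b.hex()}")
    print("common suffix keeps the collision:",
          extension_holds(a, b, b"constructed suffix"))
    _, sp_tries = find_second_preimage(a)
    print(f"second preimage of {a.hex()} after {sp_tries} tries")
```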
    25. Re:Sounds good, but MD5 et al. still have a place by theapeman · · Score: 1

      Yes, it could be done that way. But nobody does this (and PGP probably does not support it). RSA and other similar algorithms can only 'encrypt' things which are quite a lot shorter than the key length (and they use some kind of padding scheme). So you would have to define some kind of encoding scheme which splits the source into blocks to 'encrypt' them (and with some kind of chaining scheme so that the bad guys could not take blocks from different messages and rearrange them). As far as I know, there is no standard for this with widespread support.

    26. Re:Sounds good, but MD5 et al. still have a place by ChatHuant · · Score: 1

      RSA and other similar algorithms can only 'encrypt' things which are quite a lot shorter than the key length (and they use some kind of padding scheme). So you would have to define some kind of encoding scheme which splits the source into blocks to 'encrypt' them (and with some kind of chaining scheme so that the bad guys could not take blocks from different messages and rearrange them). As far as I know, there is no standard for this with widespread support.

      Well, not quite. The block size for RSA is equal to the size of the key modulus (basically the key size). If you encrypt plaintexts shorter than the block size, you'll need to pad them, of course (and there are well defined standards for the padding too, see here). For plaintexts of arbitrary size, you use one of the (well known and standardized) modes of operation - for example ECB (Electronic Code Book), CBC (Cipher Block Chaining) or various feedback modes. The modes of operation are defined in the ANSI X3.106 standard for DES or in ISO92b (for cyphers with arbitrary block sizes). FWIW, it's not recommended to simply split the plaintext in MODULUS_SIZE blocks, but instead pad every block - see OAEP (Optimal Asymmetric Encryption Padding).

    27. Re:Sounds good, but MD5 et al. still have a place by et764 · · Score: 1

      Given that there are only 2^128 possible values for md5(a), and effectively infinite possible values for x (since it can be any length), I'd say if you happen to find an x with md5(x) equal to md5(a), it's almost certain that x != a.

    28. Re:Sounds good, but MD5 et al. still have a place by jhol13 · · Score: 1

      CHAP relies on MD5 (or whatever is being used) being one-way function.

      With rainbow tables it is arguable how one-way MD5 is. That is, how much information of the secret key MD5 exposes. Clearly this is unnecessarily high.

    29. Re:Sounds good, but MD5 et al. still have a place by theapeman · · Score: 1

      You certainly can't take a block of arbitrary data the same size as the modulus, as it might represent a number which is larger than the modulus (if enough high order bits are set). I don't think you can directly use CBC or similar schemes, as the input to the encryption is shorter than the output (so you would end up trying to do XOR with different sized objects). You would need to modify CBC to handle this - you really need to define a special chaining scheme. And ECB would be bad because you could shuffle blocks around (because they are not chained together) - actually ECB is bad for many reasons and should only be used in special cases.
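Added example, not from the thread: toy textbook RSA with the classic tiny parameters (p=61, q=53, e=17, d=2753; constructed for illustration, a real key is 2048 bits or more) and a deliberately naive "sign the document by putting each modulus-sized block through the private key" scheme, as debated above. It checks the two problems raised: a block whose value is at or above the modulus does not round-trip, and independent (ECB-style) blocks can be reordered together with their signature blocks and still verify.

```python
"""Naive block-by-block 'sign by encrypting' with toy RSA.  This models the
scheme under discussion, not how PGP or any real library signs."""
from typing import List, Tuple

P, Q = 61, 53
N = P * Q                  # 3233: the modulus; a block is only recoverable if < N
E = 17                     # public exponent
D = 2753                   # private exponent, E*D == 1 (mod (P-1)*(Q-1))
BLOCK_BYTES = (N.bit_length() + 7) // 8   # 2 bytes, "the size of the modulus"


def rsa_private(m: int) -> int:
    """Raw private-key operation: m^D mod N."""
    return pow(m, D, N)


def rsa_public(c: int) -> int:
    """Raw public-key operation: c^E mod N."""
    return pow(c, E, N)


def split_blocks(doc: bytes) -> List[int]:
    """Cut the document into modulus-sized blocks (zero padded at the end)."""
    padded = doc + b"\x00" * (-len(doc) % BLOCK_BYTES)
    return [int.from_bytes(padded[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(padded), BLOCK_BYTES)]


def blocks_too_large(doc: bytes) -> List[int]:
    """Indexes of blocks whose value is >= N.  Such a block is congruent to a
    smaller one modulo N, so the private-key operation cannot round-trip it."""
    return [i for i, m in enumerate(split_blocks(doc)) if m >= N]


def naive_sign(doc: bytes) -> List[int]:
    """'Signature' = every block put through the private key independently
    (ECB-style): nothing ties a signed block to its position or neighbours."""
    return [rsa_private(m) for m in split_blocks(doc)]


def naive_verify(doc: bytes, sig: List[int]) -> bool:
    """Verifier recovers each block with the public key and compares it."""
    blocks = split_blocks(doc)
    return len(sig) == len(blocks) and all(
        rsa_public(s) == m for s, m in zip(sig, blocks))


def reorder(doc: bytes, sig: List[int], perm: List[int]) -> Tuple[bytes, List[int]]:
    """Permute document and signature blocks consistently.  Because the blocks
    are not chained, the reordered pair still passes naive_verify."""
    blocks = split_blocks(doc)
    new_doc = b"".join(blocks[i].to_bytes(BLOCK_BYTES, "big") for i in perm)
    return new_doc, [sig[i] for i in perm]


if __name__ == "__main__":
    good = b"\x01A\x02B\x03C"          # constructed: three blocks, all < N
    sig = naive_sign(good)
    print("legit document verifies:", naive_verify(good, sig))
    shuffled, shuffled_sig = reorder(good, sig, [2, 0, 1])
    print("reordered document verifies too:",
          shuffled != good and naive_verify(shuffled, shuffled_sig))
    big = b"\xff\xff"                   # 65535 >= N: not representable mod N
    print("oversize block indexes:", blocks_too_large(big),
          "verifies:", naive_verify(big, naive_sign(big)))
```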

  11. Re:FYI: Skein is pronounced like vein (i.e. "skane by Anonymous Coward · · Score: 3, Funny

    Funny, your website indicates the star trek pronunciation 'Skhaaaaaaaaan'

  12. From the article by joeflies · · Score: 3, Informative
    you're asking a recursive question - it was announced in the paper. The following is a blog post from the comments section.

    Quoted from the comments section

    "Sooner or later some dumb ass is going to ask why Skein is based on Threefish, which was (apparently, according to the intertubes) broken."

    Threefish can't possibly be broken yet; we only just announced it yesterday. No one knew of its existence before then.

    I think your intertubes are clogged.

    Posted by: Bruce Schneier at October 30, 2008 7:24 PM

    1. Re:From the article by ciroknight · · Score: 1

      I normally don't read comments on random blogs, so I missed this piece of (important) trivia. Thanks.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    2. Re:From the article by gnud · · Score: 1

      You don't read random blogs, but comment on stories about papers published in said blog.
      Yay.

    3. Re:From the article by ciroknight · · Score: 3, Insightful

      Slashdot is more of a general forum for discussion, whereas blogs typically are not. Slashdot has a better set of regular contributors and more even opinions on topics than most blogs do (due to intellectual and geographic and other biases). There are a lot of advantages to discussing things on Slashdot, like having comments prefiltered and screened for content worth reading and adjustable filters to keep the noise floor low.

      I could go on, but hopefully I've made my point.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    4. Re:From the article by babyrat · · Score: 1

      I don't think you understand the point - 'His' in the case above refers to Bruce Schneier one of the authors of the paper.

      The paper was announced in his (Bruce Schneier's) blog.

      That particular blog can hardly then be referred to as a 'random' blog. It is more specifically the exact blog that announced the paper that you read.

    5. Re:From the article by fbjon · · Score: 1

      That information property of the blog is cancelled out by it being TFA, which no-one can read.

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
  13. experts by flynt · · Score: 2, Insightful

    Cryptography: Unique in computing in that it is a field where the so-called experts, really are experts

    --modified from Jack Handy

    1. Re:experts by The-Pheon · · Score: 1

      Cryptography: Unique in computing in that it is a field where the so-called experts, really are experts

      --modified from Jack Handy

      We tend to scoff at the beliefs of the security experts. But we can't scoff at them personally, to their faces, and this is what annoys me.

  14. Its a trap! by FunkyELF · · Score: 1

    first line of the pdf.... Niels Ferguson Microsoft Corp., niels@microsoft.com

    1. Re:Its a trap! by joncallas · · Score: 1

      You know, we didn't stop being Niels's friend when he went to work for Microsoft. We thought about it, but when it was put to a vote, our touch-screen voting machine said it was unanimous that we'd keep him. I think it must also be said that they didn't suck out his brain when he went to work there, except for that one small part of the left temporal lobe, his pineal gland, and that extra defibrillator they installed. He's fine. Really.

  15. Wrong numbers? by Anonymous Coward · · Score: 0

    from TFA:

    "If you hashed 2^80 random messages, you'd find one pair that hashed to the same value. That's the "brute force" way of finding collisions, and it depends solely on the length of the hash value."

    Seems to me like the Birthday Problem http://en.wikipedia.org/wiki/Birthday_problem says this is incorrect, and you'd require 2^80

    Or is that assuming a Birthday hit?

  16. Bearforce Schneier? by LotsOfPhil · · Score: 1

    Am I the only one that looks at Bruce and thinks Bearforce1?

    --
    This post climbed Mt. Washington.
    1. Re:Bearforce Schneier? by LotsOfPhil · · Score: 3, Funny

      Oh, please don't click on the Bearforce link with your speakers turned on/up. Sorry!

      --
      This post climbed Mt. Washington.
    2. Re:Bearforce Schneier? by gnud · · Score: 1

      Lord, we thank thee for flashblock.

  17. the algorithm's no good by BitterAndDrunk · · Score: 2, Funny

    Not enough rhyming collisions

    --
    You better watch out, there may be dogs about . . .
  18. Bruce shouldN'T go to Washington by widman · · Score: 1

    BS made a good starters book, but with many errors. BS is not taken seriously in cryptography circles. I appreciate his work on pushing freedom for cryptography exports in the US, but all his other work is irrelevant and gets publicity from his gestalt of self promotion.

  19. Hashes collide.. by Sloppy · · Score: 1

    ..when they swerve to avoid Bruce Schneier!

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  20. Re:FYI: Skein is pronounced like vein (i.e. "skane by tepples · · Score: 1

    Funny, your website indicates the star trek pronunciation 'Skhaaaaaaaaan'

    It might in IPA, but Merriam-Webster's English-to-English dictionaries do not use IPA. Instead, they use a traditional English phonetic alphabet, where a-bar represents the "a" in "ace" or the "ey" in "they", spelled in X-SAMPA as [eI].

    It's too bad Slashdot's character whitelist doesn't include anything with a macron; otherwise, this post would have been easier both to write and to read.

  21. Skein, by popeye44 · · Score: 3, Interesting

    Oh what a Tangled Skein we weave.
    When we first practice to Deceive.

    A new hash has been designed
    With File Security firm in mind.

    With Threefish this Skein will defeat
    Those who would infect and mistreat

    One fish two fish red fish blue fishes
    Kiss my ass you scummy soap dishes. :-]
    Signed, Dr. Pseussdonym.

    --
    Inane Comments are Generously Disregarded
  22. Quick trick function stack by TiggertheMad · · Score: 5, Funny

    Personally, I'm waiting for the cypher built on Onefish, Twofish, Redfish, and Bluefish.

    I do not like it encrypting my stocks,
    I do not like it securing my box,
    I do not like it, sam-I-am.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
    1. Re:Quick trick function stack by Anonymous Coward · · Score: 0

      For more crypto-Seuss goodness:
      That RSA (I do not like it, Sam-I-Say)

  23. Bruce Schneier Facts by brunes69 · · Score: 4, Funny

    There are no finite state machines. There are only a series of states that Bruce Schneier allows to exist.

    Bruce Schneier can tell you where to find your GPG key in the digits of PI.

    Bruce Schneier owns a chicken that lays scrambled eggs. Whenever he wants a hard-boiled egg, he just unscrambles one.

    SHA = "Schneier has access" SHA2 = "Schneier has access - and a spare too"

    When transmitted over any socket, Bruce Schneier's public key causes libpcap to enter an infinite malloc loop.

    Bruce Schneier knows Alice and Bob's shared secret.

    Bruce Schneier's secure handshake is so strong, you won't be able to exchange keys with anyone else for days.

    Bruce Schneier knows the state of schroedinger's cat

    When Bruce Schneier observes a quantum particle, it remains in the same state until he has finished observing it.

    Bruce Schneier once decrypted a box of AlphaBits.

    http://geekz.co.uk/schneierfacts/

  24. Why use Skein-512 at all? by Anonymous Coward · · Score: 0
    From the pdf:

    Skein-1024 is our ultra-conservative variant. Because it has twice the internal-state size of Skein-512, it is failure friendly; even if some future attack managed to break Skein-512, it is quite likely that Skein-1024 would remain secure. Skein-1024 can also run nearly twice as fast as Skein-512 in dedicated hardware implementations.

    Can someone who understands this explain why you would ever use Skein-512 instead of Skein-1024?

    1. Re:Why use Skein-512 at all? by mike.rimov · · Score: 1

      Resource-limited circuits such as smart cards, where the extra space for the larger hash equals more $ per unit.

  25. More submissions by LargeMythicalReptile · · Score: 2, Informative

    I expect it will take a little while for NIST to compile all the submissions and put them online. In the meantime, someone has started compiling a list (which is unofficial and incomplete, but still useful):

    http://131002.net/sha3lounge/

  26. PHP extension for the Skein hash is available by chrysalis · · Score: 1, Interesting

    A PHP extension for the Skein hash is now available.

    You can download it from:
    http://download.pureftpd.org/php-skein-hash/

    1. Re:PHP extension for the Skein hash is available by Anonymous Coward · · Score: 0

      Heh, from http://download.pureftpd.org/php-skein-hash/distinfo MD5 (php-skein-hash-0.8.tar.gz) = e6000c115a1594b4de4f1db86270399c

  27. From Bruce Schneier?! by mebrahim · · Score: 2

    From Bruce Schneier? So what are those seven others?!
    I hate it when people ignore many names for a single bigger name.

    1. Re:From Bruce Schneier?! by meringuoid · · Score: 1
      From Bruce Schneier? So what are those seven others?!

      They're the mythical Norse heroes from his epic passpoem.

      --
      Real Daleks don't climb stairs - they level the building.
  28. Export Control by jonaskoelker · · Score: 1

    From Schneier:

    Skein is defined for three different internal state sizes: 256 bits, 512 bits, and 1024 bits [...]. A completely optional and extendable argument system makes Skein an efficient tool to use for a very large number of functions: [...] a stream cipher

    So it does symmetric crypto with big keys [I assume the key size is either one internal state, or user-chosen].

    Are there still crypto export laws in place? Would this impact Skein? Or will lawyers argue that encryption isn't its primary purpose? Or...

  29. Answer to Life, the Universe, and Everything by mfh · · Score: 2, Funny

    Did you know your uid is a prime number when interpreted in base 7 or 11?

    It's also the Answer to Life, the Universe, and Everything (once you adjust for inflation, from 42).

    --
    The dangers of knowledge trigger emotional distress in human beings.
  30. Personally I hope... by Kjella · · Score: 1

    Personally I hope they just settle on Whirlpool. "The hash has been recommended by the NESSIE project. It has also been adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as part of the joint ISO/IEC 10118-3 international standard." It's based on AES, patent-free with reference implementation in public domain and has been analyzed up and down already. But in all honesty, whatever's good enough for the NSA is probably good enough for me ;)

    --
    Live today, because you never know what tomorrow brings
    1. Re:Personally I hope... by Goaway · · Score: 1

      I seem to recall that Whirlpool was also the ONLY hash submitted to the NESSIE project, so that's not saying all THAT much.

      Also, I'd imagine any standard chosen by NIST would be patent free and public domain.

  31. "Optional Arguments", not just for skein? by jonaskoelker · · Score: 1

    For the crypto geeks, and those interested: look at the paper, section 2.5 "Optional arguments"

    A Skein computation consists of processing these options in order, using UBI. Each input has a
    different "type" value for the tweak, ensuring that inputs are not interchangeable.

    Q: Couldn't you get the same effect for any other hash function?

    A: Yes, I think. If there's extra data you want to tie to the message, come up with a type-length-value encoding scheme;

    To tie a randomized hash value to the public key used to verify the signature, simply do H("nonce:64:" || the_nonce || "pubkey:1024:" || the_pubkey || "message:$length:" || the_message).

    Or use numbers instead of names to identify types, and use fixed-sized words for lengths (or do unary encoding of the length of the length, then the length in binary). Just keep the tie-in function injective.

    Can anyone see a fault in this?
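Added example, not from the thread: the "tie extra data to the message" scheme from the post above, with the injectivity requirement it ends on checked explicitly. The field layout (a one-byte type tag, a fixed 4-byte length, then the value) and the sample nonce, public key and message are constructed stand-ins for the post's "name:length:" strings; the naive concatenation beside it shows what goes wrong when the encoding is not injective.

```python
"""Binding a nonce and public key to a hashed message with a type-length-value
encoding, versus plain concatenation.  SHA-256 is used as the generic hash H."""
import hashlib
from typing import List, Tuple

# Type tags for the bound fields (constructed; the post uses names instead)
T_NONCE, T_PUBKEY, T_MESSAGE = 1, 2, 3
LEN_BYTES = 4


def tlv_encode(fields: List[Tuple[int, bytes]]) -> bytes:
    """Type-length-value encoding with a fixed-width length.  Every field
    boundary is recoverable, so two different field lists never encode alike."""
    out = bytearray()
    for tag, value in fields:
        if not 0 <= tag <= 255:
            raise ValueError("tag must fit in one byte")
        if len(value) >= 1 << (8 * LEN_BYTES):
            raise ValueError("value too long for the length field")
        out.append(tag)
        out += len(value).to_bytes(LEN_BYTES, "big")
        out += value
    return bytes(out)


def tlv_decode(data: bytes) -> List[Tuple[int, bytes]]:
    """Inverse of tlv_encode: that an inverse exists is exactly what makes the
    encoding injective.  Truncated input raises instead of being guessed at."""
    fields: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(data):
        if i + 1 + LEN_BYTES > len(data):
            raise ValueError("truncated header")
        tag = data[i]
        length = int.from_bytes(data[i + 1:i + 1 + LEN_BYTES], "big")
        i += 1 + LEN_BYTES
        if i + length > len(data):
            raise ValueError("truncated value")
        fields.append((tag, data[i:i + length]))
        i += length
    return fields


def bound_hash(nonce: bytes, pubkey: bytes, message: bytes) -> bytes:
    """H(encode(nonce, pubkey, message)) with unambiguous field boundaries."""
    return hashlib.sha256(tlv_encode(
        [(T_NONCE, nonce), (T_PUBKEY, pubkey), (T_MESSAGE, message)])).digest()


def naive_hash(nonce: bytes, pubkey: bytes, message: bytes) -> bytes:
    """Plain concatenation: the boundaries are lost, so shifting bytes from one
    field into its neighbour yields the same digest for different inputs."""
    return hashlib.sha256(nonce + pubkey + message).digest()


def ambiguous_pair():
    """Two different (nonce, pubkey, message) triples that naive_hash cannot
    tell apart but bound_hash does.  Constructed sample values."""
    first = (b"\x00\x01\x02\x03", b"PUBKEY-A", b"pay 10")
    second = (b"\x00\x01\x02\x03PUB", b"KEY-A", b"pay 10")
    return first, second


if __name__ == "__main__":
    a, b = ambiguous_pair()
    print("naive digests equal:", naive_hash(*a) == naive_hash(*b))
    print("TLV digests equal:  ", bound_hash(*a) == bound_hash(*b))
    enc = tlv_encode([(T_NONCE, a[0]), (T_PUBKEY, a[1]), (T_MESSAGE, a[2])])
    print("round trip recovers the public key:",
          tlv_decode(enc)[1] == (T_PUBKEY, a[1]))
```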

    1. Re:"Optional Arguments", not just for skein? by joncallas · · Score: 1

      What you suggest is a fine thing to do. However, the advantage of UBI is that the tweak is used throughout the hash function and thus has better anti-collision properties. They're so good that we have proofs of them.

  32. Can't we use AES? by Joce640k · · Score: 1

    Any block cipher can be used as a hash function in feedback mode.

    (Also as a stream chiper - there's nothing they can't do!)

    --
    No sig today...
    1. Re:Can't we use AES? by joncallas · · Score: 1

      To quote Ron Rivest, it's easy to make a secure hash function, it's hard to make a secure hash function that is also fast. You can trivially wrap AES to make a secure hash function, but it would have a 128-bit output, which is not wide enough. It would also be slow. The trick is to make a wide hash function that runs fast.

  33. I dunno. by jd · · Score: 1

    A one-time pad is pretty damn uncrackable, so long as the pad can be transferred without being intercepted, and quantum cryptography guarantees a message cannot be intercepted without you knowing. Thus, delivering one-time pads by quantum cryptography and then encrypting at most one message with that pad guarantees that the encryption cannot be broken. Well, unless the machine the pad is stored on is itself broken into, but you'd be stupid to provide an OTP keystore with Internet access or the root password on a sticky note on the monitor.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:I dunno. by norminator · · Score: 1

      Sure a one-time pad can be secure, but as you mentioned, you still have to transfer or at least store the pad, which means that you have to encrypt the pad. If you have quantum crypto available to you to begin with, then why not use that to encrypt the original data to begin with, instead of using the pad?

      And even with quantum crypto, I doubt it will be the magic bullet it's hyped to be. I'm sure applications will be limited, and we'll all still keep trying to stay one step ahead of the attackers.

    2. Re:I dunno. by jd · · Score: 1

      Quantum crypto is breakable, the only benefit is that you can tell what packets are sniffed. So, if you only use unsniffed packets, you're guaranteed nobody else has those - at least at that time. You can't guarantee it for later on, at least to the same degree of certainty, but you can produce a reasonable level of trust. An A1-class OS with tamper-resistant hardware and strong authentication should put the cost of getting to the key above most infiltrators. Not all, and the greatest vulnerability is still going to be social engineering attacks against those authorized to have access, but it's as close to "good enough" as you're going to see in your lifetime.

      The idea of using quantum cryptography for the actual data is BAD. Nonononono. It doesn't protect the data any better, all it does is identifies if it has been looked at. So, using it for data simply allows you to know when others have stolen your secrets, it doesn't stop them from doing the stealing.

      The "perfect" encryption system (one that is totally unbreakable) will only exist once computer-brain interfaces move into the Neuromancer realm. Perfect? Yes. Same idea as before, for the one-time pad, but deliver the key and data to the subconscious. Then the person can act on the information without actually knowing they know it. This eliminates any form of social engineering and thus the only remaining weak point. It is also well beyond anything that will exist for a long long time, so will remain theoretical only. Nonetheless, as a theoretical concept, it does establish a method by which an unbreakable system could exist without violating any known physical or mathematical laws.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re:I dunno. by ShieldW0lf · · Score: 1

      The "perfect" encryption system (one that is totally unbreakable) will only exist once computer-brain interfaces move into the Neuromancer realm. Perfect? Yes. Same idea as before, for the one-time pad, but deliver the key and data to the subconscious. Then the person can act on the information without actually knowing they know it. This eliminates any form of social engineering and thus the only remaining weak point. It is also well beyond anything that will exist for a long long time, so will remain theoretical only. Nonetheless, as a theoretical concept, it does establish a method by which an unbreakable system could exist without violating any known physical or mathematical laws.

      Assuming the subconscious is "write only". Though, really, it sounds like poppycock. And, even if it wasn't, the participants would be monsters to be driven to extinction through violence. Who would be prepared to live in the presence of such?

      --
      -1 Uncomfortable Truth