New SHA Functions Boost Crypto On 64-bit Chips
An anonymous reader writes "The National Institute of Standards and Technology, guardian of America's cryptography standards, has announced a new extension to the SHA-2 hashing algorithm family that promises to boost performance on modern chips. Announced this week, two new standards — SHA-512/224 and SHA-512/256 — have been created to directly replace the SHA-224 and SHA-256 standards. They take advantage of the speed improvements inherent in SHA-512 on 64-bit processors to produce checksums more rapidly than their predecessors — but truncate them at a shorter length, reducing the overall timespan and complexity of the digest."
Further details are available from NIST (PDF).
Wasn't there an article recently complaining that the speed of SHA made it relatively useless as a hashing algorithm to protect passwords? Surely the increase in speed would have a greater effect on cracking speed than on the speed of legitimate authentication.
Somewhat easily, yes, but not quite that easily. You should never use a cryptographic algorithm carelessly like that. Always look up the recommended ways to do these things, because naïve algorithms like the one you suggest tend to have unexpected weaknesses.
Different hashes are for different purposes.
No argument there.
The CRC class of hash functions actually makes certain statistical guarantees for the longest run of possible errant bytes in source data and is much faster, making it far more suitable for file integrity checks.
CRC is great for packet-sized input, but not so great over larger chunks of data; also, the way its design targets burst errors means that widely separated point errors aren't as effectively caught. There's a reason Ethernet jumbo frames haven't gone much over 9000 bytes -- Ethernet's CRC-32 is much less effective at message sizes over 12000 bytes or so. Cryptographically strong hashes tend to be less sensitive to input length.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
I suppose that would be one way to make Bittorrent CPU-bound rather than IO-bound.
SHA-512 is indeed faster than SHA-256 on 64-bit processors. SHA-512 uses 80 rounds using 64-bit variables on block sizes of 128 bytes, and SHA-256 uses 64 rounds using 32-bit variables on block sizes of 64 bytes. Since on most 64-bit machines 64-bit operations are roughly as fast as 32-bit operations, you see a speed increase because you're processing twice as much data and doing only a little more work (80 rounds versus 64). Both algorithms are very similar internally, so a round in each algorithm generally performs the same amount of computation.
The traditional way to make a longer hash value into a shorter one is to truncate it, using the leftmost bits. This is used with DSA and is generally considered suitable for most purposes. I don't therefore really see a need for SHA-512/t; at best it seems like this is an effort to improve performance.
If anyone is interested in the source material, here it is:
http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf
Fresh from the press, it seems.
By the way, the SHA-512/224, SHA-512/256, SHA-384 and SHA-512 are only different in their initial hash value, so it is very easy to implement these algorithms. Just change the constant and cut the required number of output bits. Personally, I think it is at least two hash functions too many.
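As an added illustration of the two comments above (this is my own code, not from the article, NIST, or any poster): a pure-Python SHA-512 whose round constants and initial values are derived from prime cube and square roots as FIPS 180-4 specifies, so the only thing that changes between SHA-512, SHA-384 and SHA-512/t is the 8-word IV plus the number of output bytes kept. The SHA-512/t IV comes from the draft's generation function (SHA-512 with IV XOR 0xa5a5..., over the string "SHA-512/t"), which is why SHA-512/256 is not the same as simply keeping the leftmost 256 bits of SHA-512; function names are my own.

```python
import math, struct
MASK64 = (1 << 64) - 1

def _primes(n):                    # first n primes; FIPS 180-4 derives constants from them
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps

def _icbrt(n):                     # floor(cbrt(n)) by integer Newton iteration
    x = 1 << ((n.bit_length() + 2) // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

_P = _primes(80)
K = [_icbrt(p << 192) & MASK64 for p in _P]               # frac(cbrt(prime)), 64 bits
IV_512 = [math.isqrt(p << 128) & MASK64 for p in _P[:8]]  # frac(sqrt(2..19))
IV_384 = [math.isqrt(p << 128) & MASK64 for p in _P[8:16]]  # frac(sqrt(23..53))

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64

def _compress(h, block):           # one 128-byte block, 80 rounds on 64-bit words
    w = list(struct.unpack(">16Q", block))
    for i in range(16, 80):
        s0 = _rotr(w[i-15], 1) ^ _rotr(w[i-15], 8) ^ (w[i-15] >> 7)
        s1 = _rotr(w[i-2], 19) ^ _rotr(w[i-2], 61) ^ (w[i-2] >> 6)
        w.append((w[i-16] + s0 + w[i-7] + s1) & MASK64)
    a, b, c, d, e, f, g, hh = h
    for i in range(80):
        t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK64
        t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK64, a, b, c, (d + t1) & MASK64, e, f, g
    return [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def _sha512_core(msg, iv, out_bytes):  # pad to 128-byte blocks, compress, keep leftmost bytes
    msg += b"\x80" + b"\x00" * ((111 - len(msg)) % 128) + struct.pack(">QQ", 0, len(msg) * 8)
    h = list(iv)
    for i in range(0, len(msg), 128):
        h = _compress(h, msg[i:i + 128])
    return struct.pack(">8Q", *h)[:out_bytes]

def sha512_t_iv(t):                # FIPS 180-4 draft 5.3.6: SHA-512 with IV^0xa5.. over "SHA-512/t"
    seed = [x ^ 0xA5A5A5A5A5A5A5A5 for x in IV_512]
    return list(struct.unpack(">8Q", _sha512_core(b"SHA-512/%d" % t, seed, 64)))

def sha512(m): return _sha512_core(m, IV_512, 64)
def sha384(m): return _sha512_core(m, IV_384, 48)
def sha512_t(m, t): return _sha512_core(m, sha512_t_iv(t), t // 8)   # t = 224 or 256
def truncated_sha512(m, t): return sha512(m)[:t // 8]                  # plain leftmost-bit cut
```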
Remember governments want their cake and they want to eat it plus more. I do recall many years ago before 9/11 I was part of the movement who sent mass "keywords" to force the FBI into admitting the existence of Carnivore. These were the days before wikileaks and the source code was leaked onto planetsourcecode.com for 8 hours.
Eventually the FBI admitted what they were doing, then scrapped the code and set about an entire overhaul of systems including the CIA, DHS, etc. The new code name was Magic Lantern, still the same code but now a different name with variations added in like Bit Locker into systems shipped part of Microsoft.
You might ask why this is important? Well, since the fiasco of Carnivore, it has taken 11 years for the government to catch up and they have spent billions of dollars of the good honest people of America to spy more.
Only SHA 512 is acceptable nowadays. Put it together with 3DES http://en.wikipedia.org/wiki/Triple_DES and AES http://en.wikipedia.org/wiki/AES, Serpent http://en.wikipedia.org/wiki/Serpent_encryption_algorithm and Blowfish http://en.wikipedia.org/wiki/Blowfish_%28cipher%29 and you will really piss off governments royally and set them back 200 years of spy more!
All cows eat grass!
Since we would already be calculating the 512-bit hash, why not just use it instead of truncating it?
Because there are many applications where carrying the extra 256 bits either breaks compatibility or is cost-prohibitive in storage or transmission for some reason or another. ZFS-style block checksums, for example. Hashed authentication of network packets is another.