Modernize Your PKI → Optimize Productivity → Reduce Risks    |Here’s how to replace Microsoft PKI with EJBCA

SHA-3 Announcement

As many know, the cryptographic hash function known as Secure Hash Algorithm 1 (SHA-1) has been deemed weak by NIST, and is no longer recommended. The NSA addressed the weaknesses in SHA-1 by publishing the SHA-2 hash function standard back in 2001. SHA-2 builds on SHA-1 by using similar algorithms with larger block and state sizes.

But to date, SHA-2 has not enjoyed the same adoption rate as SHA-1. I believe that this is due in part to compatibility issues with legacy systems, risk perception, and the upcoming SHA-3 standard.

That said, NIST has recently concluded a five year competition designed to select a new hashing algorithm that will be known as SHA-3. Sixty-four separate hashing functions were submitted for testing and evaluation, and this week, the winner was chosen. The winning hashing algorithm was designed by Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche, and is known as Keccak (pronounced: “catch-ack”). Keccak is an evolution of the RadioGatún hash primitive, and represents a clear algorithmic departure from the current family of hash functions that were originally designed by the NSA and Ronald Rivest. Keccak would not theoretically be subject to the same weaknesses and vulnerabilities of previous hash functions.

I would not look for the immediate inclusion of SHA-3 by the major OS manufacturers as the adoption of this standard will take considerable time. The appropriate Cryptographic Service Providers and modules still need to be first created and then tested. And when you consider all the various hardware devices included in any PKI, the complete adoption of the SHA-3 standard may in fact take many years.

Related Posts:

Time’s Up for SHA-1, CSS’ Suggested Migration Path