8

Possible Duplicate:
What is SHA-3 and why did we change it?

SHA-3 has been finalized! So, what does security.se think about the new hash function? Should we start replacing all uses of md5/sha1/sha2 with Keccak? Is it too soon? Or do you think that the NIST process is rigorous enough?

rook

2 Answers

7

First, there is no "real SHA-3" yet. In a few months, NIST will publish a specification which will define unambiguously what SHA-3 is. Unless there is a big blunder somewhere, we can predict that SHA-3 will be bit-to-bit compatible with the specification of Keccak as submitted for round 3 of the competition.

Then there is no reason to replace SHA-2 with (future-)SHA-3: neither scientifically (SHA-2 is not broken, far from it; and, for performance, Keccak is not terribly better than SHA-2, and often worse, depending on the architecture), nor administratively (the NIST people themselves posit that there is no need to replace SHA-2 with SHA-3).

There are reasons to replace MD5 and SHA-1 with SHA-2 (or SHA-3 in the future) but these reasons were already valid last week and you should already be doing it.

Algorithm agility is an important quality of protocols -- but that's a question of protocol design. People who are qualified to design security protocols already know it, and the others should refrain from designing protocols.

Thomas Pornin
2

Hash functions are fairly new, and we are still discovering new cryptanalysis attacks against them. SHA-3 looks useful, so I disagree with Schneier's comments about a no-award. However, we should plan on having a SHA-4 competition in the near future. Being able to change which hash function you rely upon is a useful feature. SSL/TLS is a good example of this.

rook
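The algorithm agility both answers mention, sketched for stored integrity digests as an added example that is not part of the original posts: each digest carries the name of the hash that produced it, and a policy set decides which names are still accepted. The tagged format, the policy values and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac

# Assumed policy for this example: algorithms still accepted for verification,
# and the one used for newly created digests. MD5 and SHA-1 are left out.
ACCEPTED = {"sha256", "sha512", "sha3_256"}
PREFERRED = "sha256"


def make_digest(data: bytes, algorithm: str = PREFERRED) -> str:
    """Return a self-describing digest of the form '<algorithm>:<hex>'."""
    if algorithm not in ACCEPTED:
        raise ValueError(f"algorithm not allowed by policy: {algorithm}")
    return f"{algorithm}:{hashlib.new(algorithm, data).hexdigest()}"


def verify_digest(data: bytes, tagged: str) -> bool:
    """Check data against a tagged digest, refusing algorithms outside the policy."""
    algorithm, sep, expected = tagged.partition(":")
    if not sep or algorithm not in ACCEPTED:
        return False  # untagged, unknown, or retired (md5, sha1)
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison on bytes, so malformed input cannot raise.
    return hmac.compare_digest(actual.encode(), expected.lower().encode())


def upgrade_digest(data: bytes, tagged: str) -> str:
    """Re-issue a valid digest under PREFERRED, leaving current ones untouched."""
    if not verify_digest(data, tagged):
        raise ValueError("digest invalid or produced by a retired algorithm")
    if tagged.startswith(PREFERRED + ":"):
        return tagged
    return make_digest(data)


if __name__ == "__main__":
    record = b"constructed sample record"  # constructed input for the demo
    old = make_digest(record, "sha3_256")
    print(old)
    print(upgrade_digest(record, old))
    print(verify_digest(record, "md5:" + "0" * 32))  # rejected by policy
```

Moving to another hash later means editing `ACCEPTED` and `PREFERRED`; records already stored keep verifying until their algorithm is dropped from the policy.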