The NIST (National Institute of Standards and Technology) is holding a competition aimed at finding the best possible replacement for the cureent SHAs (Secure Hash Algorithms) — SHA-1 and SHA-2. Cryptographers are submitting new mathematical algorithms in order to develop a more secure and robust substitute that will strengthen the hash functions that are used in digital signatures, call-message authentication and several other secure protocols on the Internet that help prevent attacks and keep digital information secure.
Ever since cryptographic researchers first discussed a generation of attacks at the annual International Cryptology Conference in 2004, the NIST has been working with the cryptography community to develop a more secure algorithm that can replace both SHA-1, which has been attacked and “wounded,” and SHA-2, which is SHA-1’s algorithmic descendant.
“SHA-3 may be faster and more efficient than the SHA-2s, but it will not, as far as we can tell at this point, do anything that the SHA-2s don’t do; it will just be more secure,” said William Burr, manager of the security technology group at the NIST.
Burr said that the NIST expects to get dozens of candidate hash-algorithm submissions, but the organization doesn’t expect to pick the final winner until about 2012.
How Cryptography Works
SHA-1 is very widely used in many security applications and protocols such as TLS (Transport Layer Security) and SSL (Secure Sockets Layer), S/MIME (Secure/Multipurpose Internet Mail Extensions), PGP (Pretty Good Privacy), SSH (Secure Shell), and IPsec. The Git source-code control system developed by Linus Torvalds for managing the Linux kernel also uses SHA-1 to prevent data corruption. Many of these applications use SHA-1 for message authentication codes, and while those applications are not now threatened, applications used for digital signatures are.
Certainly, SHAs and other cryptography standards like ECC (Elliptic Curve Cryptography), AES (Advanced Encryption Standard) and RSA are in greater demand as computer networks continue to process and store larger quantities of data.
Essentially, cryptography is the science of using mathematical algorithms, whose codes are unique, difficult to duplicate and hard to penetrate. These algorithms are used for encryption or data privacy, as well as authentication applications, and they increase the probability that attackers will be unsuccessful in penetrating computer systems.
Indeed, cryptography has permeated the technology landscape and can be found in applications that run on everything from mobile phones to laptops to DVD drives.
“Cryptography gets used pretty much in any kind of system you can imagine. The products we work on range from low-level silicon-chip designs all the way up to high-level architectures,” said Paul Kocher, president and chief scientist at Cryptography Research Inc.
The San Francisco-based company designs security systems for the telecommunications, financial, digital-television and Internet industries. According to Kocher, the mathematical algorithms used in cryptography have become virtually foolproof.
“It is not possible for somebody to break the codes by trying key combinations or by analyzing the encrypted messages,” Kocher said.
According to Kocher, a bigger problem is that no one has figured out how to make bug-free software, and implementation errors often allow attackers to circumvent the cryptographic algorithms.
“For example, someone wanting data from an encrypted laptop hard drive could bypass the encryption by attacking it while it is running. If there is a software bug that enables malicious code to run, this code can load the data, then send it to a network port, bypassing the cryptographic protections completely,” Kocher said.
Derek Brink, a research fellow with Aberdeen Group in Boston, agrees that breaches in security are more often caused by flaws in software, processes or configurations, and he noted that the recent attack on Hannaford Brothers Co. computer systems that potentially compromised 4.2 million credit- and debit-card numbers highlights such vulnerabilities.
“Most breaches are not because there’s a problem with the cryptographic algorithm but because there’s a problem with the practice,” Brink said. “In the case of Hannaford, information was captured at the point of sale, so as data was in flight, it was not encrypted, and someone was able to capture that data. It was not the result of a faulty algorithm, it was the result of how encryption was — or in this case, wasn’t — applied,” Brink added.
Moving Security Measures to Hardware
Software vulnerabilities that allow attackers to bypass cryptographic algorithms is a trend that Kocher said is increasing as the number and complexity of products that are attached to networks grows rapidly.
“Designers try to use cryptography to segregate trusted and untrusted pieces of these complex networks. The more complex the piece is, the more likely it is to have security defects, so the overall security can be improved if the most complicated pieces are isolated from the most devastating attacks,” Kocher observed.
Kocher said that in response to these trends, his company has been focused on the push to move security components out of the software realm and into hardware. For example, Kocher said that for applications like pay-television services, where people make huge amounts of money by attacking the security, traditional software-based approaches have been unable to manage the problem, and the fixes require moving the security out of software components that are relatively easy to attack to special-purpose, tamper-resistant hardware.
“It’s too difficult to be sure that the software is doing what you want it to do, whereas if you build something directly in the hardware and you do it right, the software can’t screw it up,” Kocher said.
A Good Time to Be a Cryptographer
In the meantime, the future looks bright for cryptographers, as systems will demand the greater use of mathematical algorithms for IT security, said Dr. Colin Walter, head of cryptography at the digital-trust research lab at Comodo Group, a firm that provides security solutions for companies that conduct business over the Internet.
Walter pointed to the banking sector, where cryptography will be increasingly used for online banking, which sends encrypted information between the account holder and the bank. Walter also expects a greater number of bank customers to use card readers that can be attached to their laptops to access their bank information.
“You’ve seen wireless routers in domestic applications attached wirelessly to router laptop connections,” said Walter. “That should be done with cryptography so that other people cannot connect into your router and cannot see what you are doing. I think mathematically that cryptography is well up to anything we require.”