September 30, 2016

In brief: NIST declares Keccak winner of Secure Hash Algorithm (SHA-3) competition

(LiveHacking.Com) – The National Institute of Standards and Technology (NIST) has announced the winner of its five-year competition to select a new cryptographic hash algorithm. At the end of 2007, NIST announced a free-for-all competition to find the next Secure Hash Algorithm (known as SHA-3). Now after five years, 64 entries and three rounds of eliminations, there is a winner: Keccak. Pronounced “catch-ack”, it was created by Guido Bertoni, Joan Daemen and Gilles Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors.

Hash algorithms are widely-used to creates “fingerprints”, or “message digests” of a file. The marks of a good hash algorithm are that any change in the original data will change the digest, and for any given file it must be infeasible for a forger to create a different file with the same hash. NIST liked Keccak because of its elegant design and its ability to run well on many different computing devices.

NIST received sixty-four entries in total. Fifty-one were selected as first-round candidates, and this was narrowed down to fourteen second-round candidates in July 2009. On December 9, 2010, NIST announced five third-round candidates – BLAKE, Grøstl, JH, Keccak and Skein.

“Keccak has the added advantage of not being vulnerable in the same ways SHA-2 might be,” says NIST computer security expert Tim Polk. “An attack that could work on SHA-2 most likely would not work on Keccak because the two algorithms are designed so differently. The Internet as we know it is expanding to link devices that many people do not ordinarily think of as being part of a network. SHA-3 provides a new security tool for system and protocol designers, and that may create opportunities for security in networks that did not exist before.”

ElcomSoft Releases New Software to Recover Passwords on NIST Certified BlackBerry PlayBook Backups

(LiveHacking.Com) – Only a few days ago the BlackBerry PlayBook became the first tablet to be certified for US government use by passing the FIPS 140-2 certification from the National Institute of Standards and Technology (NIST). No other tablet, including the iPad, has gained this certification and the PlayBook is the only tablet ready for deployment within the U.S. federal government.

Since this particular FIPS (Federal Information Processing Standard) certification is about cryptography, you would think that any government data on a PlayBook would be secure… Not so… ElcomSoft has updated its Phone Password Breaker with the ability to recover passwords protecting BlackBerry PlayBook backups. This means that it can recover the original plain-text password protecting the PlayBook backups. Once the password is known the backup can be restored to and analyzed on another PlayBook device.

The result is that forensic investigators (or hackers, spies and foreign governments) can access email messages, call history, contacts, web browsing history, voicemail and email accounts stored in those backup files.

To crack the passwords on the Backups, ElcomSoft use GPU-accelerated attacks, offloading parts of the computation-intensive jobs onto highly parallel units available in today’s ATI and NVIDIA video cards. The result is that the Elcomsoft Phone Password Breaker can try tens of thousands of passwords per second.

ElcomSoft plans to add a PlayBook backup decryption module, which allows the backups to be cracked open without restoring them to another PlayBook device, to the next version of Elcomsoft Phone Password Breaker.

NIST’s search for the super hash – just five candidates left in SHA-3 final

The National Institute of Standards and Technology (NIST)’s SHA-3 competition is entering its final round with five candidates – BLAKE, Grøstl, JH, Keccak and Skein – remaining. Europe’s performance in the US agency’s selection process has been conspicuously good.

Read the full story here.