October 9, 2012 by Bruce Morton     No Comments

On October 2, 2012, the National Institute of Standards and Technology (NIST) announced that the winner of the new SHA-3 hash function competition was Keccak. The plan is SHA-3 will eventually replace SHA-1 and the SHA-2 hash families.

To support digital certificates, the hashing function is used by the certification authority (CA) to put its signature on the certificates and CRLs. The signature needs to be strong enough so it cannot be replicated or predicted.

Bruce Schneier, a security guru, was a in the SHA-3 competition. Schneier states there is no need to rush to implement SHA-3; to date, SHA-256 (a SHA-2 variant) is still looking good. Upon the announcement of the winner, he stated Keccak is a fine hash function, but so are the four variants of SHA-2. He will take some time before making specific recommendations on when to move to SHA-3.

The SSL certificate industry still has CAs that are removing MD5-signed certificates. The industry is slowly implementing SHA-2, but most certificates are signed with SHA-1 due to backwards compatibility issues with browsers and other applications.

I think the next step will be for NIST to develop a schedule as to when SHA-3 should be used. We will then see how well the software industry supports SHA-3.


Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

Add to the Conversation