SHA-3 extensions for Ruby and Node.js
A few days ago, NIST announced the winner of the SHA-3 competition: Keccak (prounced [kɛtʃak], ketchak). The researchers who authored Keccak released a reference implementation in C.
We’ve created Ruby and Node.js extensions for Keccak. Our extensions utilize the code from the official reference implementation and come with a extensive suite of unit tests. But note however that I do not claim to be a security expert. Feel free to review the code for any flaws.
Install with:
gem install digest-sha3
npm install sha3
We’ve strived to emulate the languages’ standard hash libraries’ interfaces, so using these extensions is straightforward:
require 'digest/sha3'
Digest::SHA3.hexdigest("foo")
and
var SHA3 = require('sha3');
var hash = SHA3.SHA3Hash();
hash.update('foo');
hash.digest();
Both libraries are MIT licensed. Enjoy!
Why does the world need SHA-3?
If you’re not a security researcher then you’ve undoubtedly asked the same questions as I did. What’s wrong with SHA-1, SHA-256 and SHA-512? Why does the world need SHA-3? Why was Keccak the winner?
According to to well-known security researcher Bruce Schneier, there’s nothing wrong with the SHA-2 family of hashing functions. However he likes SHA-3 because it’s completely different. SHA-1 and SHA-2 are both based on the Merkle–Damgård construction. It may be feasible to find a flaw in SHA-1 that also affects SHA-2. In contrast, Keccak is based on the sponge construction so any attacks on SHA-1 and SHA-2 will probably not affect Keccak. Indeed, it appears that NIST chose Keccak because it was looking for some kind of insurance in case SHA-2 would be broken. Many people commented that they expected Skein to win.
Do not hash your passwords
In any case, the following cannot be repeated enough. Do not use SHA-3 (or SHA-256, SHA-512, RIPEMD-160 or whatever fast hash) to hash passwords! Do not even use SHA-3 + salt to hash passwords. Instead, use a slow hash like bcrypt. As Coda Hale explained in his article, you’ll want the hash to be slow so you can defend against attackers effectively.
-
Hello, we are Phusion. We provide amazing products and services for web apps written in Ruby, Python, Node.js and Meteor.
Featured articles
- Docker-friendly Vagrant boxes
- Duplicity + S3: easy, cheap, encrypted, automated full-disk backups for your servers
- Efficient Substring Searching
- Mail in 2012 from an admin’s perspective
- Making Ruby threadable: properly handling context switching in native extensions
- Objective-C for Ruby developers
- Passing environment variables to Ruby from Phusion Passenger
- Securely store passwords with bcrypt-ruby
- The right way to deal with frozen processes on Unix
- Tuning Phusion Passenger's concurrency settings
- Tutorial: setting up Gitlab on Debian 6
- Why Rails 4 Live Streaming is a big deal
Phusion. All rights reserved.