Score:1

Would it be any good to create a new cryptographic hash function?

gb flag

Would it be beneficial to create a cryptographic hash function for more security. A cryptographic hash function is pretty much a pseudorandom string generating algorithm and it can easily be made difficult to break by increasing the number of possible hashes that can be generated.

Why make another cryptographic hash function

I want to hash passwords in a database such that the attacker cannot find their original value. I could use pepper and/or salts while generating the hashes but I wanna make it more secure. When I would make a proprietary hash function that is not available to the common public, how would the attacker even generate rainbow tables for the passwords.

kelalaka avatar
in flag
Welcome to Cryptography.SE. First, make sure that you understand there is no security by obscurity. No one is going to use your hash function. Secondly, when they start to use it, they will steal the design. Thirds, how you can have a big claim that you can do better than Argon2, etc?
kelalaka avatar
in flag
We can call this dupe of this [Differences between industrial and military cryptography](https://crypto.stackexchange.com/q/62511/18298)
kelalaka avatar
in flag
And another; [Why is writing your own encryption discouraged?](https://crypto.stackexchange.com/q/43272/18298)
Hargunbeer Singh avatar
gb flag
Thanks @kelalaka for the resources
Score:2
us flag

While you can create your own hash function, symmetric cipher, public key encryption scheme, etc. such that no one would know its design, it is probably a bad idea to rely on obscurity (as @kelalaka commented) to obtain security.

In the 19th century, Auguste Kerckhoffs stated a principle we call as "Kerckhoffs's principle":

a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Additionally, Shannon's Maxim was also formulated in the 20th century and it states that:

one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them

Or in other words - when you design a system for security, you must assume that the attacker knows how the system operates.

In your example of a proprietary hash function, the attacker might somehow get access to the software or hardware that computes such a hash function, and using crypto-analysis or backwards engineering it will manage to find vulnerabilities such as collision attacks or pre-image recovery techniques.

Another reason not to rely on proprietary or secret techniques is consumer trust: Why would a consumers trust that you keep their (hashed) password secure if you admit that the security comes from not knowing the implementation?

This is why in industry, the cryptographic primitives (hash functions, ciphers, signature schemes, etc.) are often only adopted after significant scrutiny from the scientific community. Then, RFCs and standards are being drafted so that vendors and service providers can quantify their security by saying which standard they comply to.

kelalaka avatar
in flag
Kerckhoffs is the first in [their principles](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle)
yacovm avatar
us flag
Thanks I added it
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.