views: 356

answers: 3

I don't mean for this to be a debate, but I'm trying to understand the technical rationale behind why so many apps use SHA1, when SHA512 is more secure. Perhaps it's simply for backwards compatibility.

Besides the obvious larger size (128 chars vs 40), or slight speed differences, is there any other reason why folks use the former?

Also, SHA-1 I believe was first cracked by a VCR's processor years ago. Has anyone cracked 512 yet (perhaps with a leaf blower), or is it still safe to use without salting?

+7  A: 

Both SHA1 and SHA512 are hash functions. If you are using them as a cryptographic hash, then perhaps that is good reason to use SHA512; however, there are applications that use these functions simply to identify objects. For example, Git uses SHA1 to cheaply distinguish between objects. In that case, because the possibility of collision between two documents is incredibly small with SHA1, there really is no justification for the additional space requirement of SHA512 when SHA1 is more than suitable for the task.

In terms of cryptographic hashes and the choice to use a salt or not, you may be interested in reading Don't Hash Secrets. Even with SHA512, using a salt is a good idea (and it's cheap to do, too, so why not do it?), because you can guess the top passwords and see if they have the same hash, but the author points out that HMAC is a more secure mechanism. In any case, you will have to determine the costs associated with the extra time+space and the costs associated with the possibility of a breach, and determine how paranoid you want to be. As was recently discovered by Microsoft, constantly changing passwords is a waste of money and doesn't pay off, so while paranoia is usually good when it comes to security, you really have to do the math to determine if it makes sense... do the gains in security outweigh time and storage costs?

Michael Aaron Safyan
@Michael I really meant: Why are people still using SHA1 as a security device (not for checksum purposes, or others).
orokusaki
@orokusaki; you might want to update the question to say that. :-)
Dean J
@Dean J I thought the `more secure?` part in the title and in the question would take care of that. What else could I be referring to with regards to `sha1` and security?
orokusaki
@orokusaki: why use a chair when a couch is more comfortable?
Javier
@Javier, you take the chair, and the couch. I'm headed to bed :)
orokusaki
@orokusaki; you could very easily be unaware that hashes are used outside of security. Since you had to clarify it to *both* people who typed an answer for you, it seems obvious that you weren't quite clear enough the first time around.
Dean J
@Dean J True, but also worth noting is that the majority of the population doesn't know the first line of the constitution, but it's there for those who read.
orokusaki
@orokusaki: Happy downvote, buddy.
Dean J
@Dean right back at ya :)
orokusaki
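As an added example (not part of the answer or this thread), the guess-and-compare scenario the answer describes, in Python with constructed accounts and a constructed guess list: unsalted SHA-512 lets one precomputed table serve every account and reveals that two users share a password, a random per-user salt forces the guess list to be rehashed for each account, and HMAC under a server-side key (the mechanism from Don't Hash Secrets) cannot be checked at all without that key.

```python
import hashlib
import hmac
import os
# Constructed guess list standing in for the answer's "top passwords".
TOP_GUESSES = ["123456", "password", "letmein", "qwerty"]

def unsalted_sha512(pw: str) -> str:
    return hashlib.sha512(pw.encode()).hexdigest()

def salted_sha512(pw: str, salt: bytes) -> str:
    # Random per-user salt, stored next to the digest.
    return hashlib.sha512(salt + pw.encode()).hexdigest()

def hmac_sha512(pw: str, key: bytes) -> str:
    # HMAC under a server-side secret key, the mechanism the linked article recommends.
    return hmac.new(key, pw.encode(), hashlib.sha512).hexdigest()

def hits_unsalted(stored: dict[str, str]) -> dict[str, str]:
    # stored: username -> unsalted digest. The guess list is hashed once and the
    # resulting table is compared against every account (len(TOP_GUESSES) hashes).
    table = {unsalted_sha512(g): g for g in TOP_GUESSES}
    return {u: table[h] for u, h in stored.items() if h in table}

def hits_salted(stored: dict[str, tuple[bytes, str]]) -> dict[str, str]:
    # stored: username -> (salt, digest). No shared table is possible: the guess
    # list must be rehashed under each account's salt, so work scales with users.
    return {u: g for u, (salt, h) in stored.items()
            for g in TOP_GUESSES if salted_sha512(g, salt) == h}

def hits_hmac_without_key(stored: dict[str, str]) -> dict[str, str]:
    # stored: username -> HMAC digest. Without the server's key a candidate cannot
    # be checked at all; a table built under any other key matches nothing.
    table = {hmac_sha512(g, b"not-the-server-key"): g for g in TOP_GUESSES}
    return {u: table[h] for u, h in stored.items() if h in table}

def demo() -> dict:
    users = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
    key = os.urandom(32)                           # server-side HMAC secret
    unsalted = {u: unsalted_sha512(p) for u, p in users.items()}
    salts = {u: os.urandom(16) for u in users}
    salted = {u: (salts[u], salted_sha512(p, salts[u])) for u, p in users.items()}
    keyed = {u: hmac_sha512(p, key) for u, p in users.items()}
    return {
        "same_unsalted_hash": unsalted["alice"] == unsalted["bob"],  # True
        "same_salted_hash": salted["alice"][1] == salted["bob"][1],  # False
        "unsalted_hits": hits_unsalted(unsalted),
        "salted_hits": hits_salted(salted),
        "hmac_hits_without_key": hits_hmac_without_key(keyed),
    }
```

The salted run still finds the weak passwords, which is the point of the comparison: a salt does not make a guessable password strong, it only removes the shared table and hides duplicate passwords, while the HMAC key removes the ability to test guesses offline.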
+1  A: 

If you need something to be hashed quickly, or only need a 160 bit hash, you'd use SHA-1.

For comparing database entries to one another quickly, you might take 100 fields and make a SHA-1 hash from them, yielding 160 bits. Those 160 bits are 10^50ish values.

If I'm unlikely to ever have more than a tiny fraction of 10^50th values, it's quicker to just hash what I have with the simpler and faster algorithm.

Dean J
+2  A: 

Most uses of SHA-1 are for interoperability: we use SHA-1 when we implement protocols where SHA-1 is mandated. Ease of development also comes into account: SHA-1 implementations in various languages and programming environments are more common than SHA-512 implementations.

Also, even though most usages of hash functions do not have performance issues (at least, no performance issue where the hash function is the bottleneck), there are some architectures where SHA-1 is vastly more efficient than SHA-512. Consider a basic Linksys router: it uses a MIPS-derivative CPU, clocked at 200 MHz. Such a machine can be reprogrammed, e.g. with OpenWRT (a small Linux for embedded systems). As a router, it has fast network (100Mbit/s). Suppose that you want to hash some data (e.g. as part of some VPN software -- a router looks like a good candidate for running a VPN). With SHA-1, you will get about 6 MB/s, using the full CPU. That's already quite a bit lower than the network bandwidth. SHA-512 will give you no more than 1.5 MB/s on the same machine. On such a system, the difference in performance is not negligible. Also, if I use SHA-1 on my Linksys router for some communication protocol, then the machine at the other end of the link will also have to use SHA-1.

The good news is that there is an ongoing competition to select a new standard hash function, code-named SHA-3. Some of the competing candidates provide performance similar to SHA-1, or even somewhat better, while still yielding a 512-bit output and being (probably) as secure as SHA-512.

Thomas Pornin
@Thomas thanks for the great info. I'm simply using SHA512 for password protection in a private machine in a colo, because I don't want salted data (for some OCD reason) but I want it to be crack proof (at least for a while). Security is a concern, but there is no risk of credit card numbers being lost, etc.
orokusaki
@Thomas Wow, was impressed by your answer so I checked out your site and CV. PhD in this stuff eh. So, do you think my password scheme is a bad idea?
orokusaki
@orokusaki: for password protection of a private machine in a colo, cryptography is overkill. _If_ the potential attackers are really motivated, physical access to the system is all they need (e.g. to install a key logger device, when you type your password). Therefore, you may use whatever makes you feel "secure".
Thomas Pornin
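Added example, not from the answer or its author: a small Python measurement of SHA-1 versus SHA-512 throughput on the machine it runs on, since the answer's 6 MB/s and 1.5 MB/s figures are specific to a 32-bit 200 MHz MIPS router. The payload and round count are constructed; the ratio on a 64-bit desktop will be much smaller than on the router, because SHA-512 works on 64-bit words that a 32-bit CPU has to emulate.

```python
import hashlib
import time

def throughput_mb_s(algo: str, payload: bytes, rounds: int = 8) -> float:
    # Hash the same buffer `rounds` times and report MB/s on this machine.
    start = time.perf_counter()
    for _ in range(rounds):
        hashlib.new(algo, payload).digest()
    return len(payload) * rounds / (time.perf_counter() - start) / 1e6

def compare(size_mb: int = 4) -> dict:
    # Constructed payload. The answer's router figures come from a 32-bit MIPS CPU,
    # where SHA-512's 64-bit word operations are expensive; on a 64-bit desktop the
    # gap is far smaller, so the only reliable number is one measured on the target.
    payload = b"\x5a" * (size_mb * 1024 * 1024)
    return {algo: {"digest_bytes": hashlib.new(algo).digest_size,
                   "mb_per_s": round(throughput_mb_s(algo, payload), 1)}
            for algo in ("sha1", "sha512")}

if __name__ == "__main__":
    for algo, r in compare().items():
        print(f"{algo:7s} {r['digest_bytes'] * 8:4d}-bit digest  {r['mb_per_s']:8.1f} MB/s")
```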