Hi,

After reading the topic "Is MD5 really that bad", I was thinking about a better solution for generating hashes. Are there better solutions like Adler, CRC32 or SHA1? Or are they even broken?

+5  A: 

CRC32 is probably the worst thing you could possibly use for passwords (besides maybe CRC16 :). Cyclic Redundancy Checks are meant to detect whether a message has been damaged through natural causes; it is trivial to generate collisions using nothing more than algebra. SHA0 and SHA1 are also broken; although, unlike md5(), no one has generated a SHA1 collision, it is believed to be computationally feasible with our current technology.

Any member of the SHA-2 family should be used. SHA-256 is good, SHA-512 is probably more than you need. NIST is holding the SHA-3 competition right now and this will be finalized sometime in 2012. (Skein for the win!)

Rook
+1 for mentioning SHA-3 competition... I have some doubts about Skein though.. ;) [Disclaimer: I might be biased!]
Krystian
@Krystian you're right, Skein has hit some bumps and has been patched. I'm looking forward to seeing how this plays out.
Rook
Performance-wise, Skein is quite fast on 64-bit platforms, but it sucks on 32-bit systems, especially those embedded systems where performance matters most (e.g. routers or tamper-resistant payment terminals). BMW and SHABAL appear to be much faster, and more friendly to systems with hard constraints on code size.
Thomas Pornin
@Thomas Pornin The end of life for a NIST-sponsored primitive can be decades away as long as it isn't broken. Undoubtedly 64-bit systems will become more popular even on embedded platforms and cryptographic accelerators. (interesting read: http://csrc.nist.gov/groups/ST/toolkit/index.html)
Rook
I doubt that 32-bit platforms will become rare enough to be overlooked. Old architectures never die; they just become cheaper, and thus more widely used. And there is little incentive to mass-produce 64-bit low-cost CPUs (64-bit architectures were developed to deal with massive amounts of RAM, not to perform computations on big numbers).
Thomas Pornin
Also, even on big 64-bit CPUs, BMW, BLAKE and SHABAL tend to be on par with or faster than Skein.
Thomas Pornin
@Thomas Pornin I didn't know that. I'm glad you realize that a message digest should be fast; some people think SHA-256 is better because it's slower. Oops!
Rook
+2  A: 

If you are looking for a cryptographic hash function, Adler and CRC32 are a really bad idea. SHA-1 is also broken already, but in a much less dangerous way than MD5. However, this will probably change in the future.

Right now the only sensible choice seems to be to use SHA-256, possibly truncating the digest to the desired length.

Krystian
-1 Truncation is a bad idea, although this is how SHA-384 is created from SHA-512 and SHA-224 is created from SHA-256. This is a waste of computation while only saving a few bytes.
Rook
@The Rook: It's true in general, but I had some specific cases in mind. If you can afford storing the full hash, it's the best option and this should be done. But if you need exactly 160 bits of the digest (replacing SHA-1 in some non-flexible codebase), then it's better to use truncated SHA-2 than leave SHA-1.
Krystian
@Krystian I agree with that statement. It is the lesser of two evils.
Rook
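An added example (not code from any of the answerers) illustrating two points from this thread: why a CRC is "trivial to collide using nothing more than algebra", and how a truncated SHA-256 fills a fixed 160-bit SHA-1 field. It checks the affine identity h(a ^ b) == h(a) ^ h(b) ^ h(0…0), which every CRC satisfies for equal-length inputs and a cryptographic hash does not; the sample messages are constructed for the demo, and `truncated_sha256` is a hypothetical helper name.

```python
import hashlib
import zlib
from typing import Callable


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def affine_identity_holds(h: Callable[[bytes], bytes], a: bytes, b: bytes) -> bool:
    """Test whether h(a ^ b) == h(a) ^ h(b) ^ h(zeros) for equal-length a, b.

    A CRC is affine over GF(2) for a fixed message length, so the identity
    always holds: the change in the check value depends only on the change
    in the message. That is the algebraic structure the answer refers to,
    and a cryptographic hash such as SHA-256 must not show it.
    """
    zeros = bytes(len(a))
    lhs = h(xor_bytes(a, b))
    rhs = xor_bytes(xor_bytes(h(a), h(b)), h(zeros))
    return lhs == rhs


def crc32_digest(data: bytes) -> bytes:
    """CRC32 as a 4-byte big-endian string so it compares like a digest."""
    return zlib.crc32(data).to_bytes(4, "big")


def sha256_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def truncated_sha256(data: bytes, out_bits: int = 160) -> bytes:
    """Leading out_bits of SHA-256(data); 160 bits fills a 20-byte SHA-1 field."""
    if out_bits % 8 or not 0 < out_bits <= 256:
        raise ValueError("out_bits must be a multiple of 8 between 8 and 256")
    return sha256_digest(data)[: out_bits // 8]


if __name__ == "__main__":
    # Constructed sample messages of equal length (19 bytes each).
    m1 = b"The quick brown fox"
    m2 = b"jumps over the lazy"
    print("CRC32 affine:  ", affine_identity_holds(crc32_digest, m1, m2))   # True
    print("SHA-256 affine:", affine_identity_holds(sha256_digest, m1, m2))  # False
    print("SHA-1 width:", hashlib.sha1(m1).digest_size,
          "truncated SHA-256 width:", len(truncated_sha256(m1)))
```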
+2  A: 

SHA1 has some theoretical attacks but AFAIK there is still nothing practical that will let you break it as of yet.

SHA2 seems to hold steady for now.

shoosh