This Wikipedia page has an extensive list of hashing methods.

As you can see, both MD5 and SHA1 have been broken (in cryptography, "broken" means there's an attack less complex than the brute force attack. In other words, if you need 1 million years to find a collision instead of one billion years using brute force, the algorithm is considered broken, even if it's probably still safe to use it).

What do you use as a hash algorithm?

SHA1 is broken, but one still needs billions of years to compute a collision.

Other hashes are still unbroken, but we have to keep in mind that researchers concentrate their efforts on mainstream algorithms (that is, MD5 and SHA1), so unbroken hashes may be insecure as well.

A: 

There are others like SHA-256 or RIPEMD-160 or even one of the SHA-3 candidates (see the list here) for you to choose from. Bear always in mind that these have not been as thoroughly tested and analyzed as MD4/5 and SHA-1. This also has a cost in terms of performance, of course.

One answer to your question would be to use two of them, hopefully different enough that breaking one does not break the other. The odds against both being broken enough to fake two checksums is pretty abyssal IMHO.

Keltia
A: 

If security is your concern, it's better to avoid "broken" hash functions. What you said may be true for some hash functions that are just broken by researchers, but a real world attack can soon surface by using new insights gained through the research work.

For example, collisions of MD5 can now be found very quickly (I think Wikipedia mentioned a method that can do it within minutes, but correct me if I'm wrong).

You don't want to re-compute all your hash/signature for tons of things you have already computed in case that happens.

PolyThinker
Yes, you're right about MD5. Regarding SHA1, it is broken, but you still need billions of years to compute a collision.
Brann
+3  A: 

I use the Whirlpool hash. However... you must not rely on hashing to protect passwords. If you're storing a password in a database, always use a decent salt (which helps prevent rainbow table attacks and collisions).

And follow other appropriate security guidelines for your platform :)

Phill Sacre
Yes, using a salt is mandatory. But even with the use of a decent salt, MD5 remains seriously broken. I'll look into the Whirlpool hash. Thank you:)
Brann
+1  A: 

It depends on what I am using the hash for... Security? File change detection? Finding duplicate files?

I assume from the way the question was asked the former is the reason you are using hashes. In which case I would recommend not using a "broken" method.

If non-security uses are the case (i.e. finding duplicate files), MD5 works fine and is quicker.

Chris Nava
Indeed, I'm using hashes to store user passwords.
Brann
A: 

As I understand it the broken part of MD5 is that someone with the original text is now able to easily construct a second text that has the same MD5 digest.

It's still not possible for someone who only has the MD5 digest of that original text to construct a second text that matches it.

Alnitak
+9  A: 

These days most people still use SHA1 or even MD5, broken or not, because the current state of the art in hashing is that we have some functions that we know have theoretical vulnerabilities but no really practical breaks, and some unproven functions that we know very little about at all.

If you're using a hash function for password storage, the theoretical vulnerabilities probably don't matter to you. Firstly because the nature of the vulnerabilities doesn't really help in reversing passwords. Secondly because if you care about security that much, you probably wouldn't be using passwords.

Where it will matter more is if you are using digital signatures, SSL, IPSEC, etc., which all rely on hash functions, and if you need the hash function to remain secure for a long time. However, here you have little choice but to wait and see which hash function(s) become the new proven standard, and/or use more than one hash function if you can.

Even then, this is way down on the list of threats in the big picture. Security problems in your system are far more likely to be in your own code, or people threats, than somebody attacking your hash function!

Still, if designing a new system, the advice to design it so you can replace any of your crypto algorithms at any time remains valuable. Ideally via configuration / plugin, and not a recompile.

frankodwyer
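One way to apply the advice in this thread (the hash algorithm chosen by configuration rather than hard-coded, a per-user salt as Phill Sacre recommends, and records made with an old algorithm upgraded on the next successful login), as an added example that is not code from any of the answers; the `alg$salt$digest` record format, the function names and the `CURRENT_ALGORITHM` / `LEGACY_ALGORITHMS` settings are assumptions.

```python
import hashlib
import hmac
import os

# Constructed configuration: the algorithm used for NEW records is a setting,
# so swapping it means changing one value, not recompiling.
CURRENT_ALGORITHM = "sha256"
# Algorithms still accepted only for VERIFYING existing records, never for new ones.
LEGACY_ALGORITHMS = {"md5", "sha1"}


def hash_password(password, algorithm=None, salt=None):
    """Return a self-describing record 'alg$salt_hex$digest_hex'.

    A fresh 16-byte random salt is generated unless one is supplied (tests).
    """
    algorithm = algorithm or CURRENT_ALGORITHM
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    return "%s$%s$%s" % (algorithm, salt.hex(), digest)


def verify_password(password, stored):
    """Check a password against a stored record.

    Returns (ok, upgraded_record): upgraded_record is a new record under
    CURRENT_ALGORITHM when the match succeeded against a legacy algorithm
    (the caller should overwrite the stored record), otherwise None.
    Records in an algorithm that is neither current nor legacy are rejected.
    """
    try:
        algorithm, salt_hex, digest = stored.split("$")
    except ValueError:
        return False, None
    if algorithm != CURRENT_ALGORITHM and algorithm not in LEGACY_ALGORITHMS:
        return False, None
    salt = bytes.fromhex(salt_hex)
    expected = hashlib.new(algorithm, salt + password.encode("utf-8")).hexdigest()
    # Constant-time comparison avoids leaking how many digest characters matched.
    ok = hmac.compare_digest(expected, digest)
    if ok and algorithm != CURRENT_ALGORITHM:
        return True, hash_password(password)
    return ok, None
```

A single salted digest is what this thread discusses; for a live system, the same agile record layout should carry a deliberately slow password hash, which only changes the `hashlib.new` line and the algorithm tag.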