[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

which is the best hash algorithm?

Posted on 2007-03-29
7
Medium Priority
?
2,684 Views
Last Modified: 2007-12-19
I am looking for a hash function which will best hold up under the following scenario.

As I am intending to use it, the hashed output and algorithm will be readily available to any attacker. They must not be able to find some other string that will produce the same hash output. Also they must not be able to recover the original text.

I realize that *eventually* if they dedicate enough cpu time to it, they will succeed. That's okay. I'd like to know which function will make this absolutely as difficult as possible for them.

I'm currently leaning towards Tiger, but am not sure if it's my best option. I will award points to somebody who can:

a) identify the best algorithm for the scenario above
b) link to an open source implementation in C code

Thanks in Advance!
0
Comment
Question by:cc16
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 18

Accepted Solution

by:
PowerIT earned 1600 total points
ID: 18815652
cc, you just defined what a good hash is all about: no collisions. ;-)

I recommend that you use SHA-2, it's FIPS approved: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
SHA-1 will be fased out by the NIST by 2010, to be replaced by SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512).
So stick with SHA-2.

Most open source OS's have an implementation of SHA-2. E.g. Openbsd: http://fxr.watson.org/fxr/source/crypto/sha2.c?v=OPENBSD and http://fxr.watson.org/fxr/source/crypto/sha2.h?v=OPENBSD

J.
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 18816239
After DES (which can be cracked in under 24 hours today), and MD5 (for which some quite important flaws were discovered), their successor SHA-1 is indeed the current "king". SHA-1 is starting to show signs of weakness though, and will probably be unusable in a few years. The other SHA variants (SHA-224, SHA-256, SHA-384 and SHA-512) are a lot harder to break, and are possibly better alternatives to SHA-1.
Further research is being done to find even better (more secure) hash algorithms, but as far as I know, nothing final has been put out.

A lot depends on where your priorities are, and how secure you need the algorithm to be. You could go for MD5 because it's well known and has a lot of supporting code, but you should not be using it on highly sensitive data.
SHA-1 is also pretty well supported today, but as I mentioned it will probably not last longer than a few years in terms of security. That might be sufficient for your purposes though.
The other SHA variants are probably the best (current) alternatives in terms of security. So, that's maybe what you should go for, unless you want to wait for the "next-generation" hash algorithms that are under review/design.
0
 
LVL 84

Expert Comment

by:ozo
ID: 18820514
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 

Author Comment

by:cc16
ID: 18821371
Thanks for replying guys.

Once I put this system into use, there could be serious consequences for me if anybody manages to jimmy the hash open. As such, I don't want to use MD5 and SHA-1 (thanks for the schneier article  ozo).

SHA-2 sounds good. Especially that it's certified by FIPS. I'm guessing that these other variants (SHA-512 etc) are not certified?

I guess my main question is how would SHA-2 compare to Tiger hash?

I will be able to update the algorithm later, so it sounds good to go with SHA-2 now, and then update to SHA-3 or whatever when it gets put into mainstream use.
0
 
LVL 53

Assisted Solution

by:Infinity08
Infinity08 earned 400 total points
ID: 18822012
>> I don't want to use MD5 and SHA-1 (thanks for the schneier article  ozo).

You have to put that article in perspective though.
It only describes a way to find a collision faster than brute-force ... It still requires 2^69 hash operations though, which would take 56 hours on a $25M-38M machine.
That's still quite safe for most applications (except military and the like).

Read this follow-up article for more information :
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

I don't know what you plan to use this for, but for most applications SHA-1 is still sufficiently safe for a few years.

Furthermore, this attack does not allow to reconstruct the original message from the hash - it just allows to find a collision.


>> SHA-2 sounds good. Especially that it's certified by FIPS. I'm guessing that these other variants (SHA-512 etc) are not certified?

SHA-2 is a common name for the 4 variants SHA-224, SHA-256, SHA-384 and SHA-512. It is indeed probably your best option if you need more security than what SHA-1 offers (see my note in the beginning of this post).


>> I guess my main question is how would SHA-2 compare to Tiger hash?

Tiger is well under way to being cracked in a similar way and speed as SHA-1 :
http://th.informatik.uni-mannheim.de/People/Lucks/papers/Tiger_FSE_v10.pdf

Although the attack has not been tested on the full 24 rounds of Tiger, the authors of that article are pretty confident that it's possible to find a collision faster than brute-force (and probably with a similar amount of operations as for SHA-1).

I couldn't find a direct comparison of SHA-2 and Tiger, but if security is your main concern, then I would still pick SHA-1 over Tiger and SHA-2 over SHA-1.



I'm not convinced that you need SHA-2, and that SHA-1 or Tiger are sufficient. But you're better positioned to make that choice :)

The question is : do your "opponents" have the resources and the time to break the hash (read : find a collision) - I refer to the earlier machine needed to find a collision for SHA-1 ?
And another question : Does finding a collision create any serious problems in your situation ? If the collision can't be exploited, then you can treat SHA-1 as not crackable ...
0
 
LVL 18

Expert Comment

by:PowerIT
ID: 18822014
SHA-2 has several variants: from SHA-224 up to SHA-512. Only SHA-224 is not certified. So you can go with SHA-256, -384 or 512.

Tiger compared to SHA-2:
Bit-sizes of hashes: Tiger: 192, 160, 128. SHA-2 (FIPS): 512,384,256. The less bits the faster but the less secure (greater chance of collision).
Tiger is optimized for speed on 64-bit processors. SHA-2 has no specific optimization.
Tiger is not FIPS certified. SHA-2 is. I think that this should be your major concern when you state something like 'there could be serious consequences for me if anybody manages to jimmy the hash open'. If those encryption experts certify it, then you can pratically bet your life on it that for the moment there is no better choice.
The university of Mannheim (Germany) together with the NIST (the guys begind FIPS) have found ways to attack Tiger/192 (he longest one!). As a result they got near collisions and possible collisions, with reduced rounds. They found that Tiger has not enough rounds and got their results with 16 and 20 rounds (collisions and near collisions respectively). Tiger only has 24 rounds. This means that in the near future Tiger will probably be broken. See this paper:
http://th.informatik.uni-mannheim.de/people/lucks/papers/Tiger_FSE_v10.pdf
I know where I would bet my career on ;-)

J.
0
 

Author Comment

by:cc16
ID: 18822107
I've decided that I'm going to go with SHA-2. I had no idea that Tiger was close to being broken. But then again, I don't exactly keep up to date with the latest and greatest in the crypto world so I suppose that's to be expected.

Thanks for all the helpful information folks. Much appreciated.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How does someone stay on the right and legal side of the hacking world?
With the evolution of technology, we have finally reached a point where it is possible to have home automation features like having your thermostat turn up and door lock itself when you leave, as well as a complete home security system. This is a st…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question