Solved

which is the best hash algorithm?

Posted on 2007-03-29
7
2,563 Views
Last Modified: 2007-12-19
I am looking for a hash function which will best hold up under the following scenario.

As I am intending to use it, the hashed output and algorithm will be readily available to any attacker. They must not be able to find some other string that will produce the same hash output. Also they must not be able to recover the original text.

I realize that *eventually* if they dedicate enough cpu time to it, they will succeed. That's okay. I'd like to know which function will make this absolutely as difficult as possible for them.

I'm currently leaning towards Tiger, but am not sure if it's my best option. I will award points to somebody who can:

a) identify the best algorithm for the scenario above
b) link to an open source implementation in C code

Thanks in Advance!
0
Comment
Question by:cc16
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 18

Accepted Solution

by:
PowerIT earned 400 total points
Comment Utility
cc, you just defined what a good hash is all about: no collisions. ;-)

I recommend that you use SHA-2, it's FIPS approved: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
SHA-1 will be fased out by the NIST by 2010, to be replaced by SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512).
So stick with SHA-2.

Most open source OS's have an implementation of SHA-2. E.g. Openbsd: http://fxr.watson.org/fxr/source/crypto/sha2.c?v=OPENBSD and http://fxr.watson.org/fxr/source/crypto/sha2.h?v=OPENBSD

J.
0
 
LVL 53

Expert Comment

by:Infinity08
Comment Utility
After DES (which can be cracked in under 24 hours today), and MD5 (for which some quite important flaws were discovered), their successor SHA-1 is indeed the current "king". SHA-1 is starting to show signs of weakness though, and will probably be unusable in a few years. The other SHA variants (SHA-224, SHA-256, SHA-384 and SHA-512) are a lot harder to break, and are possibly better alternatives to SHA-1.
Further research is being done to find even better (more secure) hash algorithms, but as far as I know, nothing final has been put out.

A lot depends on where your priorities are, and how secure you need the algorithm to be. You could go for MD5 because it's well known and has a lot of supporting code, but you should not be using it on highly sensitive data.
SHA-1 is also pretty well supported today, but as I mentioned it will probably not last longer than a few years in terms of security. That might be sufficient for your purposes though.
The other SHA variants are probably the best (current) alternatives in terms of security. So, that's maybe what you should go for, unless you want to wait for the "next-generation" hash algorithms that are under review/design.
0
 
LVL 84

Expert Comment

by:ozo
Comment Utility
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:cc16
Comment Utility
Thanks for replying guys.

Once I put this system into use, there could be serious consequences for me if anybody manages to jimmy the hash open. As such, I don't want to use MD5 and SHA-1 (thanks for the schneier article  ozo).

SHA-2 sounds good. Especially that it's certified by FIPS. I'm guessing that these other variants (SHA-512 etc) are not certified?

I guess my main question is how would SHA-2 compare to Tiger hash?

I will be able to update the algorithm later, so it sounds good to go with SHA-2 now, and then update to SHA-3 or whatever when it gets put into mainstream use.
0
 
LVL 53

Assisted Solution

by:Infinity08
Infinity08 earned 100 total points
Comment Utility
>> I don't want to use MD5 and SHA-1 (thanks for the schneier article  ozo).

You have to put that article in perspective though.
It only describes a way to find a collision faster than brute-force ... It still requires 2^69 hash operations though, which would take 56 hours on a $25M-38M machine.
That's still quite safe for most applications (except military and the like).

Read this follow-up article for more information :
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

I don't know what you plan to use this for, but for most applications SHA-1 is still sufficiently safe for a few years.

Furthermore, this attack does not allow to reconstruct the original message from the hash - it just allows to find a collision.


>> SHA-2 sounds good. Especially that it's certified by FIPS. I'm guessing that these other variants (SHA-512 etc) are not certified?

SHA-2 is a common name for the 4 variants SHA-224, SHA-256, SHA-384 and SHA-512. It is indeed probably your best option if you need more security than what SHA-1 offers (see my note in the beginning of this post).


>> I guess my main question is how would SHA-2 compare to Tiger hash?

Tiger is well under way to being cracked in a similar way and speed as SHA-1 :
http://th.informatik.uni-mannheim.de/People/Lucks/papers/Tiger_FSE_v10.pdf

Although the attack has not been tested on the full 24 rounds of Tiger, the authors of that article are pretty confident that it's possible to find a collision faster than brute-force (and probably with a similar amount of operations as for SHA-1).

I couldn't find a direct comparison of SHA-2 and Tiger, but if security is your main concern, then I would still pick SHA-1 over Tiger and SHA-2 over SHA-1.



I'm not convinced that you need SHA-2, and that SHA-1 or Tiger are sufficient. But you're better positioned to make that choice :)

The question is : do your "opponents" have the resources and the time to break the hash (read : find a collision) - I refer to the earlier machine needed to find a collision for SHA-1 ?
And another question : Does finding a collision create any serious problems in your situation ? If the collision can't be exploited, then you can treat SHA-1 as not crackable ...
0
 
LVL 18

Expert Comment

by:PowerIT
Comment Utility
SHA-2 has several variants: from SHA-224 up to SHA-512. Only SHA-224 is not certified. So you can go with SHA-256, -384 or 512.

Tiger compared to SHA-2:
Bit-sizes of hashes: Tiger: 192, 160, 128. SHA-2 (FIPS): 512,384,256. The less bits the faster but the less secure (greater chance of collision).
Tiger is optimized for speed on 64-bit processors. SHA-2 has no specific optimization.
Tiger is not FIPS certified. SHA-2 is. I think that this should be your major concern when you state something like 'there could be serious consequences for me if anybody manages to jimmy the hash open'. If those encryption experts certify it, then you can pratically bet your life on it that for the moment there is no better choice.
The university of Mannheim (Germany) together with the NIST (the guys begind FIPS) have found ways to attack Tiger/192 (he longest one!). As a result they got near collisions and possible collisions, with reduced rounds. They found that Tiger has not enough rounds and got their results with 16 and 20 rounds (collisions and near collisions respectively). Tiger only has 24 rounds. This means that in the near future Tiger will probably be broken. See this paper:
http://th.informatik.uni-mannheim.de/people/lucks/papers/Tiger_FSE_v10.pdf
I know where I would bet my career on ;-)

J.
0
 

Author Comment

by:cc16
Comment Utility
I've decided that I'm going to go with SHA-2. I had no idea that Tiger was close to being broken. But then again, I don't exactly keep up to date with the latest and greatest in the crypto world so I suppose that's to be expected.

Thanks for all the helpful information folks. Much appreciated.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
Video by: Grant
The goal of this video is to provide viewers with basic examples to understand and use while-loops in the C programming language.
The goal of this video is to provide viewers with basic examples to understand how to create, access, and change arrays in the C programming language.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now