which is the best hash algorithm?

I am looking for a hash function which will best hold up under the following scenario.

As I am intending to use it, the hashed output and algorithm will be readily available to any attacker. They must not be able to find some other string that will produce the same hash output. Also they must not be able to recover the original text.

I realize that *eventually* if they dedicate enough cpu time to it, they will succeed. That's okay. I'd like to know which function will make this absolutely as difficult as possible for them.

I'm currently leaning towards Tiger, but am not sure if it's my best option. I will award points to somebody who can:

a) identify the best algorithm for the scenario above
b) link to an open source implementation in C code

Thanks in Advance!
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

cc, you just defined what a good hash is all about: no collisions. ;-)

I recommend that you use SHA-2, it's FIPS approved: http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
SHA-1 will be fased out by the NIST by 2010, to be replaced by SHA-2 (SHA-224, SHA-256, SHA-384, and SHA-512).
So stick with SHA-2.

Most open source OS's have an implementation of SHA-2. E.g. Openbsd: http://fxr.watson.org/fxr/source/crypto/sha2.c?v=OPENBSD and http://fxr.watson.org/fxr/source/crypto/sha2.h?v=OPENBSD


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
After DES (which can be cracked in under 24 hours today), and MD5 (for which some quite important flaws were discovered), their successor SHA-1 is indeed the current "king". SHA-1 is starting to show signs of weakness though, and will probably be unusable in a few years. The other SHA variants (SHA-224, SHA-256, SHA-384 and SHA-512) are a lot harder to break, and are possibly better alternatives to SHA-1.
Further research is being done to find even better (more secure) hash algorithms, but as far as I know, nothing final has been put out.

A lot depends on where your priorities are, and how secure you need the algorithm to be. You could go for MD5 because it's well known and has a lot of supporting code, but you should not be using it on highly sensitive data.
SHA-1 is also pretty well supported today, but as I mentioned it will probably not last longer than a few years in terms of security. That might be sufficient for your purposes though.
The other SHA variants are probably the best (current) alternatives in terms of security. So, that's maybe what you should go for, unless you want to wait for the "next-generation" hash algorithms that are under review/design.
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

cc16Author Commented:
Thanks for replying guys.

Once I put this system into use, there could be serious consequences for me if anybody manages to jimmy the hash open. As such, I don't want to use MD5 and SHA-1 (thanks for the schneier article  ozo).

SHA-2 sounds good. Especially that it's certified by FIPS. I'm guessing that these other variants (SHA-512 etc) are not certified?

I guess my main question is how would SHA-2 compare to Tiger hash?

I will be able to update the algorithm later, so it sounds good to go with SHA-2 now, and then update to SHA-3 or whatever when it gets put into mainstream use.
>> I don't want to use MD5 and SHA-1 (thanks for the schneier article  ozo).

You have to put that article in perspective though.
It only describes a way to find a collision faster than brute-force ... It still requires 2^69 hash operations though, which would take 56 hours on a $25M-38M machine.
That's still quite safe for most applications (except military and the like).

Read this follow-up article for more information :

I don't know what you plan to use this for, but for most applications SHA-1 is still sufficiently safe for a few years.

Furthermore, this attack does not allow to reconstruct the original message from the hash - it just allows to find a collision.

>> SHA-2 sounds good. Especially that it's certified by FIPS. I'm guessing that these other variants (SHA-512 etc) are not certified?

SHA-2 is a common name for the 4 variants SHA-224, SHA-256, SHA-384 and SHA-512. It is indeed probably your best option if you need more security than what SHA-1 offers (see my note in the beginning of this post).

>> I guess my main question is how would SHA-2 compare to Tiger hash?

Tiger is well under way to being cracked in a similar way and speed as SHA-1 :

Although the attack has not been tested on the full 24 rounds of Tiger, the authors of that article are pretty confident that it's possible to find a collision faster than brute-force (and probably with a similar amount of operations as for SHA-1).

I couldn't find a direct comparison of SHA-2 and Tiger, but if security is your main concern, then I would still pick SHA-1 over Tiger and SHA-2 over SHA-1.

I'm not convinced that you need SHA-2, and that SHA-1 or Tiger are sufficient. But you're better positioned to make that choice :)

The question is : do your "opponents" have the resources and the time to break the hash (read : find a collision) - I refer to the earlier machine needed to find a collision for SHA-1 ?
And another question : Does finding a collision create any serious problems in your situation ? If the collision can't be exploited, then you can treat SHA-1 as not crackable ...
SHA-2 has several variants: from SHA-224 up to SHA-512. Only SHA-224 is not certified. So you can go with SHA-256, -384 or 512.

Tiger compared to SHA-2:
Bit-sizes of hashes: Tiger: 192, 160, 128. SHA-2 (FIPS): 512,384,256. The less bits the faster but the less secure (greater chance of collision).
Tiger is optimized for speed on 64-bit processors. SHA-2 has no specific optimization.
Tiger is not FIPS certified. SHA-2 is. I think that this should be your major concern when you state something like 'there could be serious consequences for me if anybody manages to jimmy the hash open'. If those encryption experts certify it, then you can pratically bet your life on it that for the moment there is no better choice.
The university of Mannheim (Germany) together with the NIST (the guys begind FIPS) have found ways to attack Tiger/192 (he longest one!). As a result they got near collisions and possible collisions, with reduced rounds. They found that Tiger has not enough rounds and got their results with 16 and 20 rounds (collisions and near collisions respectively). Tiger only has 24 rounds. This means that in the near future Tiger will probably be broken. See this paper:
I know where I would bet my career on ;-)

cc16Author Commented:
I've decided that I'm going to go with SHA-2. I had no idea that Tiger was close to being broken. But then again, I don't exactly keep up to date with the latest and greatest in the crypto world so I suppose that's to be expected.

Thanks for all the helpful information folks. Much appreciated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.