Re: [fw-wiz] MD5 x SHA-1

From: Adam Shostack (adam@homeport.org)
Date: 12/07/02


From: Adam Shostack <adam@homeport.org>
To: Bill Royds <broyds@rogers.com>
Date: Sat Dec  7 19:01:03 2002

On Fri, Dec 06, 2002 at 10:07:57PM -0500, Bill Royds wrote:
| I once did a comparison of MD5 versus SHA1 when generating checksums
| of binaries before backing them up.
| Our policy was to calculate a cryptographic checksum hash of every
| file in backup, put that on backup tape, then the backup
| ufsdump. Saved our bacon several times when we could trace back to
| exactly when a file was corrupted.
|
| MD5 is about 50% faster than SHA1, but as others have said SHA1 is
| considered more secure.

That's roughly accurate for large files; for small files, the
difference may be less. (openssl has a speed command;
% openssl speed md5
if you want to see performance numbers.)

| Basically there is a greater chance of an attacker being able to add
| nonce bytes to a modified file to get same hash with MD5 than SHA1
| (SHA1 uses more widely distributed bytes to generate the hash).
| But the modifications that allow one to spoof the hash are
| generally computationally difficult to calculate and modify the file
| in other obvious ways (file size, in particular).

Generally the attacks are birthday attacks; they allow you to find two
strings that hash to the same value, rather than finding a new string
that hashes to the same value as a set string.

As Marcus said, the likely attack is to muck with the filesystem or
md5 program. The way I'd approach it is to look at your backup
system. Does using SHA1 slow you down too much? Generally, I'd
expect a backup system to be blocking on reads and writes, and have
CPU to spare, but my experience with such things is out of date. If
SHA1 is too slow, I'd look at MD5, or even explore other faster hashes
(which are rare, cryptographers seem to assume that they can use all
those new computrons that people are buying.) However, if SHA1 is too
slow, then the alternatives are to either install more compute power,
or use less of it. In the using less department, md4 is far more secure
than nothing or a CRC that's not designed to resist attack.

Adam

PS: There's a set of SHA hashes, ranging from SHA (also called SHA-0),
the original, to SHA-1, which is SHA-0 with an extra xor which fixes a
problem, to SHA2, which is SHA-1 with longer output fields. I'd be
surprised to see SHA-0 fit anyplace SHA-1 won't. You're probably not
doing capacity planning well if the speed difference shows up.

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

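The checksum-before-backup procedure Bill describes, and Adam's advice to measure whether SHA1 actually costs you anything, as an added Python example (not code from either poster): it builds a per-file digest manifest with a chosen hashlib algorithm, re-verifies it after a constructed one-byte corruption, and times md5/sha1/sha256 over the same file. The directory tree, file names and contents are constructed for the demo.

```python
import hashlib
import os, tempfile, time
from pathlib import Path

CHUNK = 1 << 16  # 64 KiB reads keep memory flat; a backup job is normally I/O-bound, not CPU-bound

def digest_file(path, algo="sha1"):
    """Stream one file through hashlib.new(algo) and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root, algo="sha1"):
    """Relative path -> digest for every regular file under root: the checksum list stored with the dump."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digest_file(p, algo)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_manifest(root, manifest, algo="sha1"):
    """Paths whose digest no longer matches the recorded one (a missing file counts as a mismatch)."""
    current = build_manifest(root, algo)
    return sorted(p for p, d in manifest.items() if current.get(p) != d)

def time_digests(path, algos=("md5", "sha1", "sha256")):
    """Wall-clock seconds to digest one file per algorithm; compare with the openssl speed figures."""
    timings = {}
    for algo in algos:
        start = time.perf_counter()
        digest_file(path, algo)
        timings[algo] = time.perf_counter() - start
    return timings

def demo(algo="sha1"):
    """Constructed backup tree: record a manifest, flip one byte in one file, report what verification catches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(os.urandom(4 * CHUNK))  # constructed 256 KiB "binary"
        manifest = build_manifest(root, algo)
        # Simulate silent corruption: one byte changes, file size stays the same
        data = bytearray((root / "bin" / "ls").read_bytes())
        data[CHUNK + 7] ^= 0x01
        (root / "bin" / "ls").write_bytes(bytes(data))
        return verify_manifest(root, manifest, algo), time_digests(root / "bin" / "ls")
```

The manifest only protects against corruption if it is stored where the thing that corrupts the filesystem cannot also rewrite it, which is the point Adam makes about mucking with the filesystem or the md5 program.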