Re: [fw-wiz] MD5 x SHA-1

From: Adam Shostack (adam@homeport.org)
Date: 12/07/02


From: Adam Shostack <adam@homeport.org>
To: Bill Royds <broyds@rogers.com>
Date: Sat Dec  7 19:01:03 2002

On Fri, Dec 06, 2002 at 10:07:57PM -0500, Bill Royds wrote:
| I once did a comparison of MD5 versus SHA1 when generating checksums
| of binaries before backing them up.
| Our policy was to calculate a cryptographic checksum hash of every
| file in backup, put that on backup tape, then the backup
| ufsdump. Saved our bacon several times when we could trace back to
| exactly when a file was corrupted.
|
| MD5 is about 50% faster than SHA1, but as others have said SHA1 is
| considered more secure.

That's roughly accurate for large files; for small files, the
difference may be less. (openssl has a speed command,
% openssl speed md5
if you want to see performance numbers.)

| Basically there is a greater chance of an attacker being able to add
| nonce bytes to a modified file to get same hash with MD5 than SHA1
| (SHA1 uses more widely distributed bytes to generate the hash).
| But the modifications that allow one to spoof the hash are
| generally computationally difficult to calculate and modify the file
| in other obvious ways (file size, in particular).

Generally the attacks are birthday attacks; they allow you to find two
strings that hash to the same value, rather than finding a new string
that hashes to the same value as a set string.

As Marcus said, the likely attack is to muck with the filesystem or
md5 program. The way I'd approach it is to look at your backup
system. Does using SHA1 slow you down too much? Generally, I'd
expect a backup system to be blocking on reads and writes, and have
CPU to spare, but my experience with such things is out of date. If
SHA1 is too slow, I'd look at MD5, or even explore other faster hashes
(which are rare, cryptographers seem to assume that they can use all
those new computrons that people are buying.) However, if SHA1 is too
slow, then the alternatives are to either install more compute power,
or use less of it. In the using less department, md4 is far more secure
than nothing or a CRC that's not designed to resist attack.

Adam

PS: There's a set of SHA hashes, ranging from SHA (also called SHA-0),
the original, to SHA-1, which is SHA-0 with an extra xor which fixes a
problem, to SHA2, which is SHA-1 with longer output fields. I'd be
surprised to see SHA-0 fit anyplace SHA-1 won't. You're probably not
doing capacity planning well if the speed difference shows up.

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
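As an added example (not from the thread, nor from either author): a Python script that builds a per-file hash manifest of the kind Bill describes storing on tape beside the dump, verifies a tree against it to name exactly which file changed, and crudely times md5 against sha1 in the spirit of the openssl speed command. File names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
import time

# Added example, not from the thread: hash manifest of the kind Bill describes, plus a corruption check.
def build_manifest(root, algo="sha1"):
    """Map relative path -> hexdigest for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            h = hashlib.new(algo)
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB blocks
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest

def verify_manifest(root, manifest, algo="sha1"):
    """Paths whose current hash differs from the manifest, or that are missing."""
    current = build_manifest(root, algo)
    return sorted(p for p, d in manifest.items() if current.get(p) != d)

def time_hash(algo, size_mib=16):
    """Seconds to hash size_mib MiB of zeros: a crude stand-in for `openssl speed`."""
    block, h = b"\x00" * (1 << 20), hashlib.new(algo)
    t0 = time.perf_counter()
    for _ in range(size_mib):
        h.update(block)
    h.hexdigest()
    return time.perf_counter() - t0

def demo():
    """Constructed tree: one file gets a same-size single-byte change after the manifest."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("a.bin", b"alpha" * 100), ("b.bin", b"beta" * 100)):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        manifest = build_manifest(root)
        with open(os.path.join(root, "b.bin"), "r+b") as f:
            f.seek(10)
            f.write(b"X")  # size unchanged, so only the hash catches it
        return verify_manifest(root, manifest)

if __name__ == "__main__":
    print("corrupted:", demo())
    for algo in ("md5", "sha1"):
        print("%s: %.3fs for 16 MiB" % (algo, time_hash(algo)))
```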