TalkPHP


Gareth 02-11-2008 01:08 PM

MD5 or SHA1?
 
Hey,

What would be the best encryption algorithm to use?
I know / think that if I use both conflictions occur, but am not sure which is better to use!

Gareth

Village Idiot 02-11-2008 01:35 PM

I use sha1, I believe it's better encrypted but I'm not positive.

RobertK 02-11-2008 03:14 PM

MD5 has chances of collision, and is a lighter weight hash. While SHA1 does have potential collisions, they are all theoretical at this stage. SHA1 is a military-grade hash algorithm.

Village Idiot 02-11-2008 06:43 PM

Quote:

Originally Posted by RobertK (Post 10588)
MD5 has chances of collision, and is a lighter weight hash. While SHA1 does have potential collisions, they are all theoretical at this stage. SHA1 is a military-grade hash algorithm.

That last part is inaccurate, they use 256 bit encryption. Though I believe (without proof) that the military and government agencies use algorithms not available commercially.

RobertK 02-11-2008 07:22 PM

Of course, but SHA1 was designed by military-grade sources and released to the public after a time. Hashes are simply used for encryption, they do not themselves provide encryption. Hence the freedom to give secure hashes. The encryption algorithm is more important than the hash in cryptology, as a poor cipher will mathematically reveal the hash.

Quote:

The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as SHA-0. It was withdrawn by the NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as SHA-1. SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function; this was done, according to the NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. However, the NSA did not provide any further explanation or identify what flaw was corrected. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA’s assertion that the change increased the security.
SHA hash functions - Wikipedia, the free encyclopedia -- SHA-0 and SHA-1

ReSpawN 02-11-2008 07:29 PM

About MD5;

Quote:

Originally Posted by Wikipedia
In 2004, more serious flaws were discovered making further use of the algorithm for security purposes questionable.

Quote:

Originally Posted by Wikipedia
The use of MD5 in some websites' URLs means that Google can also sometimes function as a limited tool for reverse lookup of MD5 hashes.[12] This technique is rendered ineffective by the use of a salt.

Therefore I choose SHA1 to encode my strings with. I think RobertK quoted it quite well.

MD5 - Wikipedia, the free encyclopedia
Salt (cryptography) - Wikipedia, the free encyclopedia

TlcAndres 02-11-2008 10:40 PM

Wait until quantum encryption picks up.

Sam Granger 02-19-2008 05:57 AM

Wasn't SHA1 cracked by some Chinese professor? Can't remember, but some programmer who used to work for me showed me some article. Let me try and dig it up. Same goes for MD5.

Here we go: The Epoch Times | Chinese Professor Cracks Fifth Data Security Algorithm

SOCK 02-19-2008 06:21 AM

Thanks for the link, Sam. I know I had read that awhile back as well. I think for most applications SHA1 will be fine for awhile (esp. when used with a salt). I've used MD5, SHA1 and SHA256 in various applications, with rijndael-256 (AES) in one. As long as you're not storing sensitive data you're fine. I don't think prof. Wang Xiaoyun is that interested in getting into your blog.

ReSpawN 02-19-2008 11:01 AM

As well as SOCK, thanks for the link Sam. You're on a roll at the moment aren't you? :-P

I've triple encoded my passwords with SHA1 and MD5. Since you'll mostly only use it when logging in and registering, it won't slow the site down tremendously. Plus, I am using SALT so I'll be fine for a couple of years.

But, the time for change is near. Hopefully PHP will incorporate it into their new PHP 6 or above, but upgrade PHP 4 and 5 with it as well. (since more programs still depend on 4.4.8)

Once again, thanks!

The solution for now is, use it in conjunction. SHA1, MD5 and SALT put together offer a great deal of security.

Gareth 02-20-2008 12:08 AM

In fact, ReSpawn, I read an article which says that SHA1 and MD5 put together wasn't secure at all; because it increases collisions!

CHASE 02-28-2008 12:28 AM

Just because I can't find the answer to this question myself, I just:

sha1(md5($string));

:)
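
Added example, not posted by anyone in this thread: the unsalted sha1(md5($string)) construction above next to PHP's built-in salted password API, with a login check that upgrades old digests. It assumes PHP 7.1 or later; the function names legacy_hash and verify_and_upgrade and the sample passwords are constructed for illustration.

```php
<?php
// The construction from the thread: no salt, so the output depends
// only on the password and is the same for every user who picks it.
function legacy_hash(string $password): string {
    return sha1(md5($password));
}

// Check a login against either storage format. On success, return a
// salted hash to store in place of a legacy digest.
// Returns [bool $ok, string $hashToStore].
function verify_and_upgrade(string $password, string $stored): array {
    if (strlen($stored) === 40 && ctype_xdigit($stored)) {
        // Legacy row: 40 hex characters from sha1(). Constant-time compare.
        if (!hash_equals($stored, legacy_hash($password))) {
            return [false, $stored];
        }
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    // Re-hash when the default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $stored];
}

// Two constructed users who chose the same password.
$alice = legacy_hash('correct horse');
$bob   = legacy_hash('correct horse');
// Unsalted digests match, so one precomputed lookup covers both rows.
var_dump($alice === $bob);

// password_hash() generates a fresh random salt per call and stores it
// inside the returned string, so equal passwords give different hashes.
$aliceNew = password_hash('correct horse', PASSWORD_DEFAULT);
$bobNew   = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump($aliceNew === $bobNew);

// Upgrade path: a correct login converts the legacy digest.
[$ok, $upgraded] = verify_and_upgrade('correct horse', $alice);
var_dump($ok, password_verify('correct horse', $upgraded));

// A wrong password is rejected and the stored value is left as it was.
[$bad, $unchanged] = verify_and_upgrade('wrong guess', $alice);
var_dump($bad, $unchanged === $alice);
```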

