MD5 security: Time to migrate to SHA-1 hash algorithm?
Many organizations have been replacing the MD5 hash algorithm with the SHA-1 hash function, but can the MD5 hash algorithm still be used securely?
Many organizations have been replacing the MD5 hash algorithm with the SHA-1 hash function, but can the MD5 hash algorithm still be used securely?
MD5 (Message-Digest algorithm 5) is a cryptographic one-way hash function. Hash functions output a short, fixed-length value called a hash -- an MD5 hash is typically expressed as a 32-digit hexadecimal number -- based on a piece of data such as a file or message. Hash functions have many uses in cryptography because any change to the original input, accidental or otherwise, will change the resulting hash value. They're used in many forms of authentication, such as digital signatures and message authentication codes, as well as for verifying file integrity, because even the slightest change to the data will change its hash value. For example, many software publishers provide the MD5 hash value of their down-loadable software so that users can verify that the file is authentic and has not been tam-pered with.
However, because hash algorithms create a short, fixed-length hash value to represent data of any size, it means that there are far more possible input values than there are unique hash values. This means there have to be multiple input values that will produce the same hash value. This is known as a collision and for a hash function to be deemed cryptographi-cally secure and collision resistant, it has to be hard to find two inputs that hash to the same output. In March 2005, two researchers created two X.509 digital certificates with different public keys but with the same MD5 hash; since then various methods have been published that can find an MD5 collision in under a minute. This is why MD5 is considered cryp-tographically broken and is being replaced by the SHA-2 family of hash functions.
MD5 security is certainly not suitable for security-based applications and services like SSL or digital signatures that rely on collision resistance. For a legacy application that stores the MD5 hash value of its users' passwords, it is possible to mitigate against MD5's weaknesses by adding a salt (a brief set of random characters) to the passwords before hashing them. This makes a dictionary attack against the hashed passwords more or less impractical and although MD5 can no longer guarantee that a file hasn't been tampered with, it can play an error-checking role when downloading larger files and validate that the file isn't corrupted or incomplete.
However there is no reason to use MD5 in new applications, most U.S. government applica-tions are required to move to the SHA-2 family of hash functions by the end of this year, and older applications should be upgraded where at all possible. In your question you mention the SHA-1 hash algorithm, but this too has security flaws and al-though no successful attacks have been reported yet on the SHA-2 variants, development is already underway on SHA-3. A good way to stay abreast of the latest developments in en-cryption is to follow the news and recommendations from standards bodies such as National Institute of Standards and Technology
- Is using an MD5 implementation or RC4 encryption a better steganography technique? Read more.
- Learn more about encryption collisions and how to prevent them at your enterprise.