Which type of encryption?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Which type of encryption?

Post by Sequalit »

Which type of encryption would be better to use?

Blowfish or SHA256?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

s.h.a. :)


but maybe I'm biased! :D
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Which type of encryption?

Post by Roja »

Sequalit wrote:Which type of encryption would be better to use?

Blowfish or SHA256?
The strength of SHA has been tested longer, and has been attacked (unsuccessfully) more often. The successful attacks against SHA have only reduced the relative strength overall, not compromised ("Broken") the core elements of the algorithm.

Blowfish, by way of comparison, is relatively new, has had fewer formal analyses performed on it, and uses an unrelated algorithm.

Traditionally, cryptographers would weight SHA256 as more secure, based on those criteria.

But since we don't *know* the true strengths and weaknesses of either to a provable point, it's a judgement call at best.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: Which type of encryption?

Post by Chris Corbyn »

Roja wrote:
Sequalit wrote:Which type of encryption would be better to use?

Blowfish or SHA256?
The strength of SHA has been tested longer, and has been attacked (unsuccessfully) more often. The successful attacks against SHA have only reduced the relative strength overall, not compromised ("Broken") the core elements of the algorithm.

Blowfish, by way of comparison, is relatively new, has had fewer formal analyses performed on it, and uses an unrelated algorithm.

Traditionally, cryptographers would weight SHA256 as more secure, based on those criteria.

But since we don't *know* the true strengths and weaknesses of either to a provable point, it's a judgement call at best.
How long has SHA256 been around for? I'm sure Blowfish was around a good 3 years back.... unless I'm getting muddled with something else :?

(Maybe I should learn to use Google :P )
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Which type of encryption?

Post by Roja »

d11wtq wrote: How long has SHA256 been around for? I'm sure Blowfish was around a good 3 years back.... unless I'm getting muddled with something else :?

(Maybe I should learn to use Google :P )
Well, that's a tricky phrasing. The better question is when did SHA get introduced. SHA-256 is just a larger bitsize variation of the original algorithm.

I'll leave it to Wikipedia to answer both:
Wikipedia wrote:The SHA algorithms were designed by the National Security Agency (NSA) and published as a US government standard.

The first member of the family, published in 1993, is officially called SHA; however, it is often called SHA-0 to avoid confusion with its successors. Two years later, SHA-1, the first successor to SHA, was published. Four more variants have since been issued with increased output ranges and a slightly different design: SHA-224, SHA-256, SHA-384, and SHA-512 — sometimes collectively referred to as SHA-2.

Attacks have been found for both SHA-0 and SHA-1, while no attacks have been reported on the SHA-2 variants.
Wikipedia wrote:Blowfish is a keyed, symmetric block cipher, designed in 1993 by Bruce Schneier and included in a large number of cipher suites and encryption products. While no effective cryptanalysis of Blowfish has been found to date, more attention is now given to block ciphers with a larger block size, such as AES or Twofish.

Schneier designed Blowfish as a general-purpose algorithm, intended as a replacement for the aging DES and free of the problems associated with other algorithms. At the time, many other designs were proprietary, encumbered by patents or kept as government secrets. Schneier has stated that, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone."
As you can see, I was mistaken, and they both came out in the same year.

I return to my previous statement of "it's a judgement call at best".
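
An added example, not part of the thread: the Wikipedia excerpts quoted above describe a keyed, symmetric block cipher on one side and a family of fixed-output digest algorithms on the other, and this sketch shows how differently the two behave. The cipher here is a constructed toy Feistel network standing in for Blowfish (it is not Blowfish and not for production use); all function names are hypothetical.

```python
import hashlib

BLOCK = 8     # 64-bit block, the block size Blowfish uses
ROUNDS = 16   # round count of the toy cipher

def digest(message: bytes) -> bytes:
    """SHA-256: takes no key, always returns 32 bytes, has no inverse."""
    return hashlib.sha256(message).digest()

def _subkeys(key: bytes) -> list[bytes]:
    # Constructed key schedule for the toy cipher: one subkey per round.
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def _round(half: bytes, subkey: bytes) -> bytes:
    # Keyed round function; it is one-way, the Feistel structure supplies invertibility.
    return hashlib.sha256(subkey + half).digest()[:BLOCK // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(block: bytes, subkeys: list[bytes]) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("toy cipher processes exactly one 8-byte block")
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for k in subkeys:
        left, right = right, _xor(left, _round(right, k))
    # Final swap lets decryption reuse this loop with the subkeys reversed.
    return right + left

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key)[::-1])

if __name__ == "__main__":
    secret = b"8bytes!!"                      # constructed sample block
    ct = encrypt_block(b"key-one", secret)
    print("cipher :", ct.hex(), "->", decrypt_block(b"key-one", ct))
    print("wrong  :", decrypt_block(b"key-two", ct))
    # The digest cannot be turned back into its input, with or without a key.
    print("digest :", digest(secret).hex())
```

The cipher output is recoverable only by someone holding the key, which is what confidentiality needs; the digest is recoverable by no one, which is what integrity checks and fingerprints need.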