sha2 best to use

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mainegate
Forum Newbie
Posts: 14
Joined: Sat Nov 29, 2008 5:49 pm

sha2 best to use

Post by mainegate »

From php.net on sha1:
It is recommended that developers start to future proof their applications by using the stronger sha-2, hashing methods such as sha256, sha384, sha512 or better.
So I'm assuming sha512 is better than sha384 and the latter is better than sha256. According to this there are better ones than sha512...why use sha256 when sha512 is better? I don't get it. Don't you want to use the best out there? What is the best anyway?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: sha2 best to use

Post by alex.barylski »

From what I understand, the greater the key length, the greater the security, yes...

I also understand, that depending on where you are in the world, anything greater than 256 is typically illegal, because even the gov't would have a hard time brute forcing. :P

The key length is virtually unlimited, but what is virtual and real are quite different. For most purposes, 256 bit length is more than sufficient...

Basically (I think) it means there are 4+ billion different possibilities, which is a lot to brute force, even for a super computer or cluster of computers.

With 4,294,967,296 possibilities...even if you could brute force 10000/second (which is damn fast considering the complexity of code required to brute force) you would need 429496.7296 seconds or 7158.2788266666666666666666666667 minutes or 119 hours or just under 5 days.

A super computer which was used by universities or government institutions "might" have that kind of processing power...but no hackers in India or Russia or China are going to be able to crack that kind of encryption using brute force in any acceptable amount of time.

I would guess that even the best personal computer (4-5Ghz) running nothing but a system for brute forcing passwords, considering latency of Internet connections (unless you somehow got a hold of the hash), would take you 1000 years before you cracked the password.

So while 256 might seem less than 512 (it's because it is) there is little point, unless you are a terrorist and wish to hide details from the gov't, which is why most encryption applications will not allow you to go above 512.

I may be way off here, this is just from thinking about encryption and its theoretical limits.

Keep in mind that while key lengths go up, it becomes increasingly more expensive in CPU terms as well...so while 1024 might sound better for banking security, the Internet would experience a serious punch in the stomach as every SSL connection would effectively be slowed down exponentially.

For that reason I believe the industry standard stays at 256 until the day comes that PCs or CPUs for general purpose are a million times faster than they are today, at which point key lengths will need to be larger.

Cheers,
Alex
mainegate
Forum Newbie
Posts: 14
Joined: Sat Nov 29, 2008 5:49 pm

Re: sha2 best to use

Post by mainegate »

What about protecting usernames too? Isn't a username half the battle? If someone were to gain access to your table of usernames and passwords and the username is not hashed then they know one variable, right?

Thanks for the advice on 256.
Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: sha2 best to use

Post by Syntac »

The problem with hashing the username is you can't display it to anyone; it can only be used for comparison purposes.
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: sha2 best to use

Post by Hannes2k »

Hi,
alex.barylski wrote: From what I understand, the greater the key length, the greater the security
That's not correct. You can use a polyalphabetic cipher with a key length of 8000 bits, it remains insecure. On the other side you can use e.g. Blowfish with an 80 bit key, it's much more secure than your polyalphabetic cipher.

And: Hash algorithms have nothing to do with keys or encryption.

alex.barylski wrote: Basically (I think) it means there are 4+ billion different possibilities, which is a lot to brute force, even for a super computer or cluster of computers.
4 billion different possibilities are also ridiculous for the CPU in a modern mobile phone. On a modern PC, you just need around 100-200 seconds to test 4 billion md5/sha1 combinations. So, 4 billion (or 2^32) is an incredibly small number in terms of cryptography.
alex.barylski wrote: even if you could brute force 10000/second (which is damn fast considering the complexity of code required to brute force)
A modern CPU has a rate of 50 million md5/sha1/sha2 hashes per second. If you additionally use your GPU (graphics processing unit) of e.g. a GeForce 8, the rate would be 10 up to 25 times higher. So a rate of 200-300 million hashes per second isn't unrealistic (ElcomSoft can reach it).


If you use now multiple computers or if you use your GPU (graphics processing unit)
alex.barylski wrote: So while 256 might seem less than 512 (it's because it is) there is little point, unless you are a terrorist and wish to hide details from the gov't, which is why most encryption applications will not allow you to go above 512.
256 bits (which means 2^256 possible keys, or around 100 trillion vigintillion keys (~10^77 keys)) are unbreakable with brute force.
If you construct a PC which should solve this problem in 1 year, and you can use each atom as a single decipher unit with a clock rate of 10^15 Hz (which means hard X-rays), this computer would be so heavy that you create a black hole...


Back to topic:
mainegate wrote: So I'm assuming sha512 is better than sha384 and the latter is better than sha256. According to this there are better ones than sha512...why use sha256 when sha512 is better?
SHA512 isn't better than SHA256 and SHA256 isn't better than SHA-1. It isn't that easy.

If you wanna hash the password of a user and save it in a database, SHA1 is the right choice. Choosing SHA-2 there does not increase your security (at the moment).

But:
Just saving sha1('password from user'); in the database isn't sufficient, and sha256 or sha512 do not help here.
You can create so called rainbow tables, which can speed up the cracking of many password hashes enormously.
So at minimum you have to use a random salt, so that pre-calculated rainbow tables won't work.
The second step should then be to use a key strengthening mechanism.

For more information read this article:
Password hashing howto and hownotto

Personally I can recommend the following class to save your passwords in a safe way:
Improved Hash Algorithm
mainegate
Forum Newbie
Posts: 14
Joined: Sat Nov 29, 2008 5:49 pm

Re: sha2 best to use

Post by mainegate »

This is what I have as my hash. Obviously I have changed my pepper for this posting but the string is similar. Would this be beneficial? I don't like hard coding the salt...I feel like for some reason someone could in the extreme case see this code and know how it is structured in my php files. I have read though that even if they have all variables (salt, hashed in db, pepper) it would still take a very long time for them to figure it out. Plus if they cracked it, it would be only for one user anyway.

// Per-user "salt" taken from the submitted username (original post had $_POST['$user'],
// which reads the literal key "$user"; the intended key is 'user').
$salt = $_POST['user'];
// Site-wide secret appended to every password before hashing.
$pepper = "*A8(md%+$j@[,a4yir*";
$password = $_POST['password'];
// hash() with raw_output = false returns the SHA-512 digest as a hex string.
$password = hash("sha512", $salt . $password . $pepper, false);
I don't care about displaying the username so I'm thinking of doing the same for the username as well. I think I'll change the hash to be something different. That way if they figure out one then they still need the other.

I read somewhere that never send stored hashes. So I was thinking that when I go to my db to get the hashes for the username and password...add some salt to both before sending them to check the credentials. Then I'll be sure the proper hashes won't be displayed. Does all of this sound all right?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: sha2 best to use

Post by Mordred »

mainegate wrote:I read somewhere that never send stored hashes. So I was thinking that when I go to my db to get the hashes for the username and password...add some salt to both before sending them to check the credentials. Then I'll be sure the proper hashes won't be displayed. Does all of this sound all right?

SELECT blah FROM login WHERE username='beep' and password='09243b..(assume it's a hash)..9b83'
You don't need to send the stored hashes anywhere. You send the hashed user input to be checked in the database server. Adding salt and hashing the sent password is possible only with a crypto lib in JavaScript, which means that either your clients will not be able to log in with JS turned off, or you'll need the plaintext authentication mechanism as a fallback.
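The two steps Hannes2k recommends above (a random per-user salt, then a key-strengthening loop) and the verify flow Mordred describes (the server hashes the submitted password; no stored hash leaves the server) fit together in one small PHP module. This is an added example, not code from the thread and not the "Improved Hash Algorithm" class Hannes2k links; the function names make_password_record(), check_password(), login() and the $user_table array are my own, the sample row is constructed, and it assumes PHP 7+ for random_bytes() and hash_equals().

```php
<?php
// Added example: salted, iterated SHA-256 password storage and verification.
// Storage format (own convention): algo$iterations$saltHex$digestHex

const HASH_ALGO  = 'sha256';
const SALT_BYTES = 16;
const ITERATIONS = 100000;   // tune so one hash costs tens of milliseconds on your server

// Key strengthening: chain the hash over salt || password || previous output.
// Each guess now costs the attacker ITERATIONS hashes instead of one.
function stretch_password($password, $salt, $iterations) {
    $state = hash(HASH_ALGO, $salt . $password, true);
    for ($i = 1; $i < $iterations; $i++) {
        $state = hash(HASH_ALGO, $salt . $password . $state, true);
    }
    return $state;
}

// Build the record to store when a user registers or changes their password.
// A fresh random salt per user defeats precomputed rainbow tables.
function make_password_record($password) {
    $salt   = bin2hex(random_bytes(SALT_BYTES));   // CSPRNG, PHP 7+
    $digest = stretch_password($password, $salt, ITERATIONS);
    return HASH_ALGO . '$' . ITERATIONS . '$' . $salt . '$' . bin2hex($digest);
}

// Verify a submitted password against a stored record: recompute with the
// stored salt and iteration count, then compare in constant time.
function check_password($password, $record) {
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== HASH_ALGO) {
        return false;
    }
    list(, $iterations, $salt, $storedHex) = $parts;
    $candidate = bin2hex(stretch_password($password, $salt, (int) $iterations));
    return hash_equals($storedHex, $candidate);  // PHP 5.6+, avoids timing leaks
}

// Constructed sample table. Usernames stay in clear (Syntac's point: a hashed
// username could never be displayed); only the password record is hashed.
// In a real app this row comes from a prepared statement keyed by username.
$user_table = array(
    'beep' => make_password_record('correct horse battery staple'),
);

// Login: the server does all hashing; the stored record never leaves it.
function login($username, $password, $table) {
    if (!isset($table[$username])) {
        // Burn the same work for unknown users so timing does not reveal
        // which usernames exist.
        stretch_password($password, str_repeat('0', SALT_BYTES * 2), ITERATIONS);
        return false;
    }
    return check_password($password, $table[$username]);
}

var_dump(login('beep', 'correct horse battery staple', $user_table));
var_dump(login('beep', 'wrong password', $user_table));
var_dump(login('nobody', 'anything', $user_table));
```

Since PHP 5.5 the built-in password_hash() and password_verify() functions do exactly this job (bcrypt with a random salt and a tunable cost), and they are the better choice wherever they are available; the hand-rolled loop above is only there to make the salt and stretching steps visible.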
sylnsr
Forum Newbie
Posts: 1
Joined: Mon Jul 20, 2009 11:35 am

Re: sha2 best to use

Post by sylnsr »

Or, you can use a rotating key for encryption/decryption, so long as your site has down time between each key change.
coalgames
Forum Newbie
Posts: 8
Joined: Sun Apr 26, 2009 12:22 am

Re: sha2 best to use

Post by coalgames »

MD5 hashes have been successfully attacked and you can make a collision with MD5 easily now. Soon, Sha will be cracked and even SHA512 will be unsafe. The best way to do this is to just use two different types of hashing algorithms.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: sha2 best to use

Post by kaisellgren »

I like this kind of discussion.
mainegate wrote: So I'm assuming sha512 is better than sha384 and the latter is better than sha256. According to this there are better ones than sha512...why use sha256 when sha512 is better? I don't get it. Don't you want to use the best out there? What is the best anyway?
SHA-512 should be better than SHA-256 in terms of pure brute force resistance, but it needs twice the amount of storage space compared to SHA-256 and it consumes more CPU. That's why some people use SHA-256. Another reason is that eventually someone might find an efficient way to bite the SHA-2 family so that both SHA-256 and SHA-512 are insecure, but it will take a while until we get there. SHA-256 hash is impossible to crack (at the moment) as long as the preimage is strong. That said, SHA-256 can be just as secure as SHA-512. The bits alone do not make you more secure, but they may help you.
PCSpectra wrote:Basically (I think) it means there are 4+ billion different possibilities,
It's a lot more than that. SHA-256 produces (theoretically) 115 quattuorvigintillion different possibilities (2^256). Even though the cracking process is affected by the birthday paradox, no computer or a cluster of computers can do that as long as the preimage is strong.

I don't think there's much point of using SHA-512. It's pretty much the same as SHA-256 (the inner workings). When SHA-256 gets cracked (by which I'm referring to some sort of design flaws), SHA-512 is probably affected, too. Whirlpool is a good alternative. It is also 512-bit, but is entirely different from the SHA-2 family. Whirlpool is based on the Miyaguchi-Preneel while SHA-2 family is based on the Merkle-Damgård (MD) construction.
Hannes2k wrote:
From what I understand, the greater the key length, the greater the security
That's not correct. You can use a polyalphabetic cipher with a key length of 8000 bits, it remains insecure. On the other side you can use e.g. Blowfish with an 80 bit key, it's much more secure than your polyalphabetic cipher.
I agree. I think it would be better to say that adding more bits equals the same or higher security.
Hannes2k wrote:SHA512 isn't better than SHA256 and SHA256 isn't better than SHA-1. It isn't that easy.
True.
Hannes2k wrote: If you wanna hash the password of a user and save it in a database, SHA1 is the right choice. Choosing SHA-2 there does not increase your security (at the moment).
I don't think SHA-1 is a good choice. There have been attacks against it every now and then. I believe SHA-2 is slightly harder to break than SHA-1. I prefer using Whirlpool myself and I highly recommend using it.
mainegate wrote: What about protecting usernames too?
That's completely valid, but realize the way it affects your application. Your application does not know the usernames any longer. You can have display names to show on your pages (and I actually never recommend showing usernames on websites).
coalgames wrote:The best way to do this is to just use two different types of hashing algorithms.
I don't agree. Using two hash algorithms is just as secure as using the stronger of the two.