Best form of encryption [hashing algorithms?]

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Hi guys.

I'm currently setting up a table in my database to handle users and their passwords.

I'm stuck on which form of encryption to use, and which would be the best choice.

I know that MD5 and SHA1 are not worth going with, but I'm unsure what would be the right choice.

I was thinking about using Feyd's SHA256 algorithm but I read this on a Slashdot comment:
MD5 is dead. SHA-1 is currently dying. They're both based on the same fundamental math, and the attacks on SHA1 are getting stronger and stronger. Now would be a really good time to get off of that entire family of hashes if you can (MD4, MD5, RIPEMD-* SHA-*, etc).

The crypto world is in a little bit of a bind when it comes to strong hashes now. We simply don't have any left that both have a long proven track record of analysis and haven't been seriously compromised. Best bet, IMHO, is to go with a new-blood hash algorithm. They seem to be the answer we're looking for - but of course what they lack is more years of intensive study by the experts for flaws they themselves might harbor.

So if you want to give them a whirl, I'd recommend looking at Tiger and Whirlpool:

http://en.wikipedia.org/wiki/Tiger_(hash) [wikipedia.org]
http://en.wikipedia.org/wiki/Whirlpool_(algorithm) [wikipedia.org]
I'm thinking about looking into those hashing algorithms he links to, but I would like your opinions first, and maybe you can let me/us know what form of encryption you use/would recommend?

This may be straying slightly OT, but what's wrong with MySQL's PASSWORD() function? Has that been flawed?

Thanks for any input :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SHA256 is quite strong. As for the "advice" of going after new kids on the block, they aren't in any better boat as the others really. The devil you know, may apply here.

As for MySQL's PASSWORD(), the internal algorithms used have been altered throughout time, so you may hit a migration problem. There's also this note from the MySQL manual:
MySQL wrote:Note: The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead. Also see RFC 2195 for more information about handling passwords and authentication securely in your applications.

If you want more security than SHA256 offers, I hope to publish SHA512 and SHA1024 hashing runs in the near future (if I can find the time.)
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

I've just been reading some of the other threads in this sub-forum, and it's got me thinking about it in a bit more detail.

The only way MD5 has been flawed is because someone has made all these tables with existing collisions.

So all I would have to do is add a salt to my MD5 and then all these tables would become obsolete and my encryption would be flawless?

Also, does the amount of bits produced by the algorithm accurately denote how secure it is? For example, an MD5 (32-bit) hashed string with a salt, would be 8 times less secure than a salt-less SHA256 (256-bit) hashed string? Or does the least secure primarily come down to which one is the most popular method, and therefore the most exploited?

Straying away slightly, can you use MySQL's MD5() function with a salt? Or is the only way to MD5 the string in PHP with the salt and then put the hashed string straight across to MySQL?

Please correct any of my statements if they're wrong :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

MD5 is 128 bit. Salting is possible with all the hashing algorithms via things like one-time pads.

In general, the more bits you have in a hash, the more secure it becomes. In the case of SHA256, there's 128 bits of "compression" and 128 bits of security.
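The question above was whether to salt in PHP or in MySQL's MD5(). Here is an added example (not code from the thread or from Feyd's SHA256 class) of salted SHA-256 password storage done on the PHP side. It assumes PHP 7.0 or later for random_bytes(); the function names and the column names in the comments are illustrative, not from the original post.

```php
<?php
// Added example (not from the thread): salted SHA-256 password storage, done in PHP
// rather than in a MySQL function, so the plaintext password never appears in a query.
// Assumes PHP 7.0+ for random_bytes(); function and column names are illustrative.

const SALT_BYTES = 16;

/**
 * Build the record to store for a new password: a random per-user salt and
 * SHA-256 over salt + password. Both values are hex so they fit CHAR columns.
 */
function make_password_record(string $password): array
{
    $salt = bin2hex(random_bytes(SALT_BYTES));   // 32 hex chars, fresh for every user
    $hash = hash('sha256', $salt . $password);   // 64 hex chars
    return ['salt' => $salt, 'hash' => $hash];
}

/**
 * Verify a login attempt against the stored salt and hash. hash_equals() compares in
 * constant time so the comparison does not leak how many leading bytes matched.
 */
function verify_password(string $password, string $salt, string $storedHash): bool
{
    $candidate = hash('sha256', $salt . $password);
    return hash_equals($storedHash, $candidate);
}

// The same password yields a different hash for each user because the salt differs,
// so a table precomputed from bare SHA-256 values matches neither record.
$alice = make_password_record('hunter2');
$bob   = make_password_record('hunter2');
var_dump($alice['hash'] !== $bob['hash']);
var_dump(verify_password('hunter2', $alice['salt'], $alice['hash']));
var_dump(verify_password('wrong-guess', $alice['salt'], $alice['hash']));

// Store both columns (illustrative schema) and use a prepared statement for the insert:
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, salt CHAR(32), password_hash CHAR(64));
//   INSERT INTO users (username, salt, password_hash) VALUES (?, ?, ?);
```

Hashing inside MySQL is possible too (MD5(CONCAT(salt, ?)), or SHA2(CONCAT(salt, ?), 256) on MySQL 5.5 and later), but then the plaintext password is sent to the database server and can end up in the query log, so doing the hash in PHP and storing only salt and digest is the better split. Note what a salt does and does not buy: it defeats precomputed tables, but a salted SHA-256 is still one fast hash per guess, so on PHP 5.5 and later password_hash()/password_verify(), which generate the salt and use a deliberately slow algorithm, are the better choice for new code.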
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Right, OK, I'm learning :)

So I may as well go with the SHA256 with a salt.

Thanks for the input Feyd.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Best form of encryption [hashing algorithms?]

Post by Roja »

jayshields wrote:Hi guys.

I'm currently setting up a table in my database to handle users and their passwords.

I'm stuck on which form of encryption to use, and which would be the best choice.
Well, first, let's get terms right. Hashing isn't technically encryption. It's closer to compression, but even that isn't really accurate. It's a very unique, separate term from both - hash algorithms.

But, you are on the right track, I'm just trying to reduce confusion.
jayshields wrote:I know that MD5 and SHA1 are not worth going with, but I'm unsure what would be the right choice.
If a man offers to give you a car (for free!) that can never - NEVER - go over 60 mph (or it will blow up), that car would not be worth going with. Unless, you knew for a fact that when driving to work and back each day, you never went that fast. Then suddenly, it has some value.

Same thing with md5 and sha1. While they are both flawed, and *less* secure than they were originally designed to be, that doesn't mean they have NO value. It means they have LESS value. You could argue (and some do) that web-based applications don't need to have fort-knox level security.

Personally, I prefer to do something right if I am going to do it at all, so I avoid those two. But to be fair, they do have significant security.
jayshields wrote:I was thinking about using Feyd's SHA256 algorithm but I read this...

I'm thinking about looking into those hashing algorithms he links to, but I would like your opinions first, and maybe you can let me/us know what form of encryption you use/would recommend?
The challenge with crypto is that the unknown is often more dangerous than the known (even if the known is flawed).

There are other hashing algo's. Lots of them. Some old, some new, some strong, some weak. Crypto, oddly, works like a bell-curve in terms of perceived security. When it first comes out, it's considered fairly weak. Over time, the consensus grows that it's strong, and its perceived security reaches its peak. Eventually, flaws are found, or computing speed catches up to it, and the perceived strength starts dropping. At some point, it becomes nearly worthless.

The flaws found in the SHA family are "serious", but non-fatal. They weaken it, but that class is *so* strong as to make even a serious weakness fairly workable.

The SHA-256 family has such a low level of collision as to be unreasonably strong - even with the faults found so far.

You can look at alternatives. Nothing wrong with that. But sha-256 is beyond strong enough for the reasonable and foreseeable future.

Of course, that could change tomorrow, but that's true for any algorithm.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

jayshields wrote:The only way MD5 has been flawed is because someone has made all these tables with existing collisions.
NO. Definitely wrong. The MD5 algorithm has been weakened because of multiple found flaws, that have nothing to do with rainbow tables.

Here's an example to help. Get a room of 23 people and ask them when their birthday is. You would think that the odds of finding two people in that room with the same birthday would be less than 50% (much lower). You would be wrong. That's called a "Collision". In algorithms, especially hashing algo's, you need to avoid those. (Read more: http://en.wikipedia.org/wiki/Birthday_paradox )

The flaws have found ways to not only find a collision, but to cause a meaningful collision. If you did an MD5sum of a file, and I wanted you to accept my hacked version with a virus in it, I'd need a MATCHING md5sum for it. With the ability to force a meaningful collision, I can do that.

(Please note: That ability, under md5, is currently under intense scrutiny. To be fair, you cannot pre-generate an attack yet, based on the current findings. You can however post-generate, which is *almost* as dangerous.).

So if you expect your formula to have (for example) 100 quintillion combinations without any likely collisions, and suddenly, you can have them, you have a critical flaw.

That's what has happened in md5. Just like you didn't expect two people to have the same birthday in that room, cryptologists didn't expect collisions as close together as they exist in md5.

Notably, the flaws in sha are slightly less fatal, and quite a bit harder to explain. I'll just say that they have knocked down the door, but they aren't in the house. Yet.
jayshields wrote:So all I would have to do is add a salt to my MD5 and then all these tables would become obsolete and my encryption would be flawless?
Flawless, no. You can still use birthday attacks, and other attack vectors to try to take it on. However, it does deeply reduce the likelihood of rainbow table attacks, yes.
jayshields wrote:Also, does the amount of bits produced by the algorithm accurately denote how secure it is? For example, an MD5 (32-bit) hashed string with a salt, would be 8 times less secure than a salt-less SHA256 (256-bit) hashed string? Or does the least secure primarily come down to which one is the most popular method, and therefore the most exploited?
None of the above. Most popular means most tested, which can mean most secure. Bit strength is just that - the number of bits involved in the algo. In Elliptic Curve Crypto, the bit rate can be far lower to get much higher strength than other algo types. Does that make it more secure? Less secure? It's newer than other systems, which means it's less tested. Does that make it less secure?

Crypto is tricky! But yes, generally speaking, bit strength is one measure that gives more strength to an algo.
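As an added worked calculation, not part of Roja's post: the 23-people figure follows from the birthday bound, and the same bound is what ties the bit length of a hash to its collision resistance (the "128 bits of security" for SHA256 mentioned earlier in the thread).

The probability that $k$ values drawn uniformly from $d$ possibilities are all distinct is

$$P(\text{no collision}) = \prod_{i=0}^{k-1}\left(1 - \frac{i}{d}\right) \approx e^{-k(k-1)/(2d)}$$

using $1 - x \approx e^{-x}$ for small $x$. For birthdays, $d = 365$ and $k = 23$, so $k(k-1)/2 = 253$ and

$$P(\text{no collision}) \approx e^{-253/365} = e^{-0.693} \approx 0.50,$$

i.e. the chance of at least one shared birthday is about 50% (the exact product gives 0.507).

Setting $P(\text{collision}) = 1/2$ and solving for $k$:

$$k \approx \sqrt{2d\ln 2} \approx 1.18\sqrt{d}$$

For a hash with an $n$-bit output, $d = 2^n$, so $k \approx 2^{n/2}$: roughly $2^{64}$ hashes to expect a collision in MD5 (128-bit output) and $2^{128}$ for SHA-256, assuming no structural weakness. That is why the collision strength of an ideal hash is half its output length, and why a 256-bit output is described as giving 128-bit collision security.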
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Great, thanks for all the information Roja. That birthday paradox thing made for interesting reading too!

As soon as I thought about it, I thought the percentage would be much lower.

Ps. Nice theme Pickle, I just turned it on now :)
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

jayshields wrote:Great, thanks for all the information Roja. That birthday paradox thing made for interesting reading too!

As soon I thought about it, I thought the percentage would be much lower.
Happy to help.

Re: the birthday paradox.. The flash point for me on that note was *knowing* about it, and then having a demonstration of it in a security class, and with 25 people *FIVE* people had the same birthday. Talk about improbability drives! Anything is possible, but what an eye opener.

Crypto algo's are also fairly interesting things to dig into. Elliptical curve crypto works thanks to a very specific set of equations about how elliptical curves (shocking, right?) are formed. Because they are both predictable, and highly chaotic in the focal area (tight on the curve, instead of far away, where you see the curve), it works. It's really very cool to try and get your head around it.

That's one reason I get frustrated when people ask about double encrypting something. (aka md5(md5($something))). I know, and can state, that it is far less secure due to reduced entropy, etc. etc. However, giving a clear and understandable example that makes the reason for it clear is harder.

I'm reminded of Albert Einstein, who near the end of his career said something to the effect of "I've simply run out of math".