john c. j.

Reputation: 1175

Do I need MD5 as a companion to SHA-1?

Do I need both MD5 and SHA-1 values to be sure the downloaded file is

a) Untouched by hackers. For example, when I need to download some app's .iso via torrents

and

b) Not corrupted during technical issues? For example, some unstable network connection during download.

Or, probably, SHA-1 value will be enough for both checks?

Also, is SHA-1 (without MD5) enough to be sure that some file downloaded years ago and stored somewhere on my HDD hasn't degraded?

Upvotes: 0

Views: 66

Answers (1)

user3277192

Reputation:

From a security perspective MD5 is utterly broken.

SHA-1 is considered suspicious, and avoided for most uses if at all possible. For new projects: don't use it at all.

SHA-2 (aka SHA-256, SHA-512, etc.) is still widely used for fast hashes.

SHA-3 is the future since 2012, nothing is stopping you from using it already. I see little reason not to use it for new projects.

What's the problem with older ones:

  • Their resistance to finding collisions is below par: This is an attacker creating 2 contents that have the same hash. These are constructed at the same time. This problem is there for MD5 and SHA-1, and it's BAD, but requires the attacker creating both versions (and then they can do a switch at any time they want undetected).
  • Their resistance to length extension attacks is relatively weak. This is especially true for MD5, but SHA-1 and even SHA-2 to some degree suffer from it.

When is it not a problem: to ensure your disk has not produced an error, any hash will do, even a simple CRC32 will work wonders (and I'd recommend the simpler CRC check), or a RAID array, as these can fix errors, not just detect them.

Use both? Well, if you have to find a collision on one hash and have that same set of plaintexts also produce a collision on another hash, it is probably more difficult. This approach has been used in the past; the original PGP did something like it. If I'm not mistaken it had a number of things it calculated, one of them simply the length (which would prevent the extension attack above).

So yes, it likely adds something, but the way MD5, SHA-1 and SHA-2 work internally is quite similar, and that's the worrisome part: they are too much alike to be sure just how much it adds against a highly sophisticated attacker (think the level of the NSA and their counterparts).

So why not use one of the more modern versions of SHA-2, or even better SHA-3? They've no known weaknesses and have been peer-reviewed heavily. As such, for any commercial-level use they should be more than enough.

Upvotes: 1
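The two checks the question separates (tampering vs. accidental corruption) can be seen side by side in a small script. This is an added example, not code from the thread or from any distributor: it computes the digests the answer discusses for a constructed in-memory "download", verifies the data against a digest the vendor would publish (SHA-256, with MD5/SHA-1 available only for comparison against legacy checksum files), and shows that a CRC32 is enough to catch a single flipped bit, which is all the "bit rot on my HDD" scenario needs. The `SAMPLE` blob, the `sha256_file` helper and the byte offset used for the simulated corruption are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample standing in for a downloaded .iso (not a real file).
SAMPLE = b"example-linux-distro.iso contents (constructed sample)\n" * 64


def digests(data: bytes) -> dict:
    """Compute every checksum mentioned in the thread for one blob of data.
    The length is included because the answer notes that PGP mixed it in."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "length": len(data),
    }


def verify_download(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Tamper/integrity check against a digest published by the distributor.
    Defaults to SHA-256; pass algorithm="md5" or "sha1" only to match an
    old checksum file, not for new verification. hmac.compare_digest is the
    idiomatic way to compare digests (constant time, case-insensitive here)."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def verify_crc32(data: bytes, expected_crc: int) -> bool:
    """Corruption-only check: detects bit rot and transfer errors, but an
    adversary can trivially produce data with any CRC32, so it says nothing
    about tampering."""
    return (zlib.crc32(data) & 0xFFFFFFFF) == expected_crc


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate bit rot or a corrupted transfer by flipping one bit."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a real file from disk so a multi-GB .iso need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    # Pretend these values were copied from the vendor's release page.
    published = digests(SAMPLE)
    corrupted = flip_bit(SAMPLE, 1000, 3)  # assumed offset, within the sample
    print("intact    sha256 ok:", verify_download(SAMPLE, published["sha256"]))
    print("corrupted sha256 ok:", verify_download(corrupted, published["sha256"]))
    print("corrupted crc32  ok:", verify_crc32(corrupted, published["crc32"]))
```

The point the script makes: every checksum here, CRC32 included, flags the flipped bit, so for the "has my old file degraded" question the cheapest check suffices. Only the tamper question depends on the algorithm's collision resistance, and there a single SHA-256 (ideally obtained over a trusted channel or with a signature, since a checksum downloaded from the same place as the file proves little) does the job that MD5 plus SHA-1 was once used for.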
