Reputation: 1617
Is there a way to measure the strength of hash algorithms? For instance, a standardised test, written in PHP, to measure the strength of, perhaps, crypt vs. sha1?
Strength can refer to various things: the ability of a single home computer to discover the password through a rainbow table or a character loop, the length in bits of the password, or the use of symbols and numbers. Unlike simple regular expressions which discover symbols or the number of characters, a requirement for the PHP function which can determine strength is how fast the password, key or salt can be broken.
I would like to know, without opinion, which hashing algorithm is best from PHP's list of hashing algorithms.
foreach (hash_algos() as $algorithm) {
// test strength
}
Upvotes: 3
Views: 1222
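The question defines strength as "how fast the password, key or salt can be broken", and the number that captures that is throughput: how many candidate passwords per second one core can push through the function. The following added example (not code from the question or from any of the answers) benchmarks every algorithm in `hash_algos()` that way and sets the result beside `password_hash()` with bcrypt, which is what PHP's `crypt()` uses under `CRYPT_BLOWFISH`. The function names, the iteration counts and the `candidate-password-N` inputs are assumptions of this example; only PHP built-ins are called.

```php
<?php
// Added example, not from the question or the answers: hashes per second
// for every algorithm PHP exposes, next to the deliberately slow bcrypt.
// Function names and iteration counts are chosen here, not taken from the page.

declare(strict_types=1);

/**
 * Hash $count constructed candidate strings with $algo and return the
 * rate in hashes per second. For password storage a high rate is bad:
 * it is the number of guesses a single core can try each second.
 */
function hashesPerSecond(string $algo, int $count = 50000): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $count; $i++) {
        hash($algo, "candidate-password-$i");   // constructed input
    }
    $seconds = (hrtime(true) - $start) / 1e9;
    return $count / $seconds;
}

/**
 * Same measurement for password_hash() with bcrypt at the given cost.
 * Far fewer iterations, because each call is meant to be slow.
 */
function bcryptHashesPerSecond(int $cost = 10, int $count = 20): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $count; $i++) {
        password_hash("candidate-password-$i", PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    $seconds = (hrtime(true) - $start) / 1e9;
    return $count / $seconds;
}

/** Benchmark all of hash_algos() and return [algorithm => hashes/sec], fastest first. */
function benchmarkAllAlgorithms(): array
{
    $results = [];
    foreach (hash_algos() as $algorithm) {
        $results[$algorithm] = hashesPerSecond($algorithm);
    }
    arsort($results);
    return $results;
}

$results = benchmarkAllAlgorithms();
printf("%-16s %16s\n", 'algorithm', 'hashes/sec');
foreach ($results as $algorithm => $rate) {
    printf("%-16s %16.0f\n", $algorithm, $rate);
}
printf("%-16s %16.1f\n", 'bcrypt (cost 10)', bcryptHashesPerSecond(10));
printf("%-16s %16.1f\n", 'bcrypt (cost 12)', bcryptHashesPerSecond(12));
```

Run it from the command line with `php bench.php`; the absolute numbers depend on the machine, but the shape of the table is the point. The general-purpose digests (sha1, sha256, md5 and the rest) all land within a small factor of each other at millions of hashes per second, while bcrypt sits several orders of magnitude lower and drops by another factor of four when the cost goes from 10 to 12. Raising the cost is the tunable knob that a fixed-speed digest such as sha1 does not have, which is why the answer to "crypt vs. sha1" for stored passwords is decided by this ratio rather than by digest length.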
Reputation: 4089
I think mathematically, a good way to look at it would be to consider the running time of an algorithm to compute the key given the other appropriate inputs, if such an algorithm exists.
Based on some of my recent tooling around with some basic cryptographic algorithms, I can say that the fastest algorithm to find k for even a basic exponential cipher runs in e^(sqrt(log p log log p)), making it infeasible for large p. It seems like this would be a good theoretical measurement of "strength."
I am by no means an expert on such things, Gavin and Adam seem to be much more knowledgeable.
Upvotes: 0
Reputation: 48290
A hashing algorithm maps an arbitrary input to an output sequence of n bits. A "good" hashing algorithm maps every input of length n bits to a different output sequence of n bits. A collision occurs when two different inputs map to the same output.
So a simple way to test the comparative strength of two hashing algorithms would be to generate a large set of inputs, feed them to both algorithms, and count the number of collisions.
Note that "simple" means "conceptually simple." Performing the actual test will require a significant amount of computing resources.
Upvotes: 1
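The collision-count test described in the answer above, as an added example that is not the answer's own code. Counting collisions on full digests finds nothing in any feasible run, so this version truncates each digest to a configurable number of bits, which makes collisions appear in seconds, and compares the count with the birthday-bound expectation n²/2^(bits+1). The function names, the 2000 constructed `input-N` strings and the 16-bit truncation are assumptions of this example.

```php
<?php
// Added example, not from the answer: the "generate inputs, hash them,
// count collisions" test for every algorithm in hash_algos(), with digests
// truncated so that collisions are observable, and the birthday-bound
// expectation printed for comparison. Names and sizes are chosen here.

declare(strict_types=1);

/**
 * Hash every element of $inputs with $algo, keep only the first $bits bits
 * of each hex digest, and return how many inputs landed on a value that an
 * earlier input had already produced.
 */
function countTruncatedCollisions(string $algo, array $inputs, int $bits): int
{
    $hexChars = intdiv($bits, 4);   // one hex digit carries 4 bits
    $seen = [];
    $collisions = 0;
    foreach ($inputs as $input) {
        $prefix = substr(hash($algo, $input), 0, $hexChars);
        if (isset($seen[$prefix])) {
            $collisions++;
        } else {
            $seen[$prefix] = true;
        }
    }
    return $collisions;
}

/** Birthday-bound estimate: $n uniformly random $bits-bit values collide about n^2 / 2^(bits+1) times. */
function expectedCollisions(int $n, int $bits): float
{
    return ($n * $n) / (2 ** ($bits + 1));
}

/** Size in bits of the digest that $algo produces. */
function digestBits(string $algo): int
{
    return strlen(hash($algo, '')) * 4;
}

// Constructed inputs: all distinct, so every collision is the hash's doing.
$n = 2000;
$bits = 16;
$inputs = [];
for ($i = 0; $i < $n; $i++) {
    $inputs[] = "input-$i";
}

printf("expected collisions for %d random %d-bit values: %.1f\n\n", $n, $bits, expectedCollisions($n, $bits));
printf("%-12s %10s %10s %22s\n", 'algorithm', 'observed', 'digest', 'expected at full size');
foreach (hash_algos() as $algorithm) {
    $full = digestBits($algorithm);
    if ($full < $bits) {
        continue;   // cannot truncate a digest shorter than $bits
    }
    printf("%-12s %10d %10d %22.1e\n",
        $algorithm,
        countTruncatedCollisions($algorithm, $inputs, $bits),
        $full,
        expectedCollisions($n, $full));
}
```

What the table shows is the limit of this test rather than a ranking. Every cryptographic digest, md5 and sha1 included, comes out close to the expected 30 or so collisions at 16 bits, because their outputs are uniformly distributed even where their collision resistance is broken; only non-cryptographic checksums such as adler32, whose leading bits are a byte sum, stand out with far more. The last column makes the other point: at full digest width the expected count is 10^-30 and below, so a run that counts collisions on untruncated outputs is guaranteed to report zero for everything. A collision count therefore measures output distribution, not the cryptanalytic strength that separates sha1 from sha256.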
Reputation: 3963
The strength of a hash is a mathematical/theoretical concept, i.e. if any theoretical or practical differences have been found.
If there are no published weaknesses then the strength is the length of the digest. E.g. SHA-1 has a 160 bit output, but SHA-256 has a 256 bit output.
The only way to "programmatically" test the strength would be to brute force the hash, which is mostly pointless.
It would be better to research each of the hashes yourself instead of trying to programmatically determine the 'best' one.
Upvotes: 5