Md5, Sha1 or Sha2? Comparing Hash Algorithms

There is a large number of cryptographic hash algorithms out there and it’s not always obvious which one should be used. I’m going to talk about the most popular ones: Md5, Sha1 and Sha2.

Md5

Md5 should never be used as it is not secure. From wikipedia:

The security of the MD5 hash function is severely compromised. A collision attack exists that can find collisions within seconds on a computer with a 2.6 GHz Pentium 4 processor (complexity of 2^24.1). Further, there is also a chosen-prefix collision attack that can produce a collision for two chosen arbitrarily different inputs within hours, using off-the-shelf computing hardware (complexity 2³⁹).

This is not news by any means. Recommendations against its use first starting appearing in 1996, almost two decades ago, and yet its usage is still widespread.

Sha1

Some collision attacks against Sha1 exist but are not currently practical as the CPU power required is estimated as costing almost $3 million for each hash.

Even if Sha1 can be considered acceptable for most uses, Sha2 is all-around a better alternative: it is just as fast, more secure, and the only potential downside is the larger space required for storing the hash. If for some reason this is a concern (we’re talking about 32 bytes instead of 20) truncating Sha2′s output is still more secure than using Sha1.

The only reason Sha1 should be chosen is for interoperability reasons.

Sha2

Sha2 is the successor of Sha1 and has 4 different variants, each with a different digest size (output size):

• Sha-256 should be chosen in most cases where a high speed hash function is desired. It is considered secure with no known theoretical vulnerabilities and it has a reasonable digest size of 32 bytes. For things like hashing user password, though, a function designed to be slow is preferred: a great one is bcrypt.
• Sha-224 uses the same algorithm as Sha-256 (except for the initial seed values) simply truncating its output. It was created because its digest size has the same length as two-key Triple DES keys which can be handy.
• Sha-512 is different, using 64 bit numbers and having 80 rounds (versus 32 bit numbers and 64 rounds of Sha-256). Its digest size – 64 bytes – is very large and it is probably overkill for most uses.
• Sha-384 is the same as Sha-512 (again, except for the initial seed values) but truncated to reduce its digest size.

Performance

I ran a benchmark of all the hash algorithms available in the .NET framework. I found that all hash functions are very fast with the slowest computing over 100,000 hashes per second and that sha-256 is actually faster than sha-1.

Conclusion

• Do not use any of these functions for passwords; use instead functions that are designed to be slow such as bcrypt.
• Never use MD5. It was broken many years ago.
• Use Sha1 only if you must for interoperability reasons.
• Use Sha2 in all other cases. Of its variants, Sha-256 is usually the best alternative; Sha-384 and Sha-512 are probably overkill but can be chosen for added precaution.