Communications - Scientific Letters of the University of Zilina 2015, 17(1):73-80 | DOI: 10.26552/com.C.2015.1.73-80

SHA-1 and MD5 Cryptographic Hash Functions: Security Overview

Roman Jasek1
1 Department of Applied Informatics, Tomas Bata University of Zlin, Czech Republic

Despite their obsolescence and recommendations that they be phased out of production environments, the MD5 and SHA-1 cryptographic hash functions remain defaults frequently offered in many applications, e.g., database managers. In this article, we present a security overview of both algorithms and demonstrate the necessity of abandoning them in favor of more resilient alternatives, both because of the low computational requirements needed to reverse engineer the message digests and to future-proof security against advances in hardware performance and scalability. Suitable procedures and methods for their use are also part of this article.

Keywords: algorithm; bcrypt; function; hashing; MD5; PBKDF2; security; SHA-1; scrypt

Published: February 28, 2015

Jasek, R. (2015). SHA-1 and MD5 Cryptographic Hash Functions: Security Overview. Communications - Scientific Letters of the University of Zilina, 17(1), 73-80. doi: 10.26552/com.C.2015.1.73-80

This is an open access article distributed under the terms of the Creative Commons Attribution 4.0 International License (CC BY 4.0), which permits use, distribution, and reproduction in any medium, provided the original publication is properly cited. No use, distribution or reproduction is permitted which does not comply with these terms.