Periodic reminder that you should NEVER use MD5 or SHA1 in any new project/system.

What to use:
- Password hashing: argon2i
- Cryptographically secure hashes (most use cases): BLAKE2 (fastest) or SHA3 (if needed for compatibility)
- Non-CS hashes: xxhash (faster than MD5)

Q: When do you need a cryptographically secure hash function?
A: When an attacker tampering with it in *any* way would cause a security issue. That's almost always, *including* for file deduplication on shared systems.

Q: What about scrypt/bcrypt?
A: Okay if needed for compat.

Q: What about PBKDF2?
A: It's easy to unknowingly misuse, so it's best to avoid it. If absolutely *needed* for compatibility, it can be an acceptable option. But only with a secure digest function, not MD5/SHA1!

Q: But I think MD5 is fine here, because it's only broken in a specific way!
A: When *any* security property gets broken, that means the original design made a wrong assumption, and more breaks will follow. Why bother with MD5 anyway, when BLAKE2 is faster *and* more secure?

Q: So if I want fast hashing, I should use xxhash?
A: No. You should *only* use xxhash (or a similar non-CS hashing function) if you are *very sure* that you do not need cryptographic security. If you're doing anything related to security at all, you need a CS hash, not xxhash.

Another addendum:

Design your systems so that you can change the hashing function later, when the one you've used gets broken.

However, *do not* trust any user input to tell you what function to use, or you'll end up making the same mistake as JWT/JOSE: paragonie.com/blog/2017/03/j…
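
One way to get both properties from the addendum, shown as an added example that is not part of the original thread: the function can be swapped later, but the input never names it. It uses keyed hashes (MACs) for a token; the `KEYS` registry, the key ids, the demo keys and the `kid.payload.tag` layout are all assumptions made for illustration.

```python
import hashlib
import hmac

# Server-side registry (constructed demo keys). Each key id is bound to exactly
# one algorithm, so the input can never ask for a different or weaker function.
KEYS = {
    "k1": ("sha3_256", b"constructed-demo-key-1"),  # older, still accepted
    "k2": ("blake2b", b"constructed-demo-key-2"),   # current
}
CURRENT_KID = "k2"  # switching functions later = add an entry, change this

def _mac(alg, key, msg):
    """Keyed hash using only algorithms named in the server registry."""
    if alg == "blake2b":
        return hashlib.blake2b(msg, key=key, digest_size=32).hexdigest()
    if alg == "sha3_256":
        return hmac.new(key, msg, hashlib.sha3_256).hexdigest()
    raise ValueError("algorithm not in registry")

def sign(payload: bytes) -> str:
    alg, key = KEYS[CURRENT_KID]
    tag = _mac(alg, key, CURRENT_KID.encode() + b"." + payload)
    return f"{CURRENT_KID}.{payload.hex()}.{tag}"

def verify(token: str):
    """Return (payload, needs_reissue); raise ValueError on any failure."""
    try:
        kid, payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
        alg, key = KEYS[kid]  # algorithm comes from the registry, not the token
    except (ValueError, KeyError):
        raise ValueError("malformed token or unknown key id") from None
    expected = _mac(alg, key, kid.encode() + b"." + payload)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise ValueError("bad tag")
    # Tokens made under an older entry still verify, but are flagged for reissue.
    return payload, kid != CURRENT_KID
```

Retiring a function is then a matter of deleting its registry entry once the flagged tokens have been reissued.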
Keep Current with Sven Slootweg @ 36C3
