SHA-1 SHA-256 SHA-512??


SHA-1 SHA-256 SHA-512??

Posted: Fri Mar 04, 2011 5:28 am

The software I have developed has MD5 hash values. I have received requests to include SHA-??.

Does anyone have views on which would be considered most useful. SHA-1 is very common, but is the extra security of SHA-256 and SHA-512 actually worth the effort.

Academics seem keen to point out that MD5 and SHA-1 have been broken, but has this ever been critical in a court case?
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member

Re: SHA-1 SHA-256 SHA-512??

Posted: Fri Mar 04, 2011 6:28 am

Although MD5 and SHA-1 have been "broken" - the ability to create two objects with the same hash that have any beneficial meaning is still infeasible. What you gain by using the larger numbers is a greater time/chance/distance between collisions in the hash space, thus meaning that any two objects are less likely to have the same hashed value - the downside is the required additional computation time of the larger hash values.

To the best of my knowledge, all attacks at this point have been purely academic, and like all pure academia - have eff-all impact on the real world except to worry people ;)
_________________
--
Azrael
-- 

azrael
Senior Member

Re: SHA-1 SHA-256 SHA-512??

Posted: Fri Mar 04, 2011 6:43 am

Personally, I would say it is important to differentiate between flawed and broken in this sense. If either MD5 or SHA-1 had in fact been properly broken, we would not be using them - they would be worthless and each and every time MD5 or SHA-1 was mentioned in court, it would be shot down in flames by the opposition expert / legal team and the examiner's position would be indefensible.

Both functions have however been proven to have weaknesses in the algorithm itself, and if the algorithm of either function is ever proven to be sufficiently weak that it is a trivial matter to alter the contents of a file such that it is possible to generate the same hash value, then it will be broken, and forensically speaking, worthless.

On the matter of SHA-256 and SHA-512; NIST have recommended that as of 2010, the SHA-2 family (SHA-224, -256, -384 and -512) should be used in preference to SHA-1 and MD5 hashing functions. NIST's recommendations have always been ahead of the game (I guess they need to be), but my point of view on the matter is this:

Suppose that you undertake a case today, and everything is hashed using MD5. It goes to court and the suspect is convicted. In 3 years' time, a cryptographic breakthrough finds a critical and indefensible flaw in MD5, and it is proven trivial to generate files that match a required hash value. As such, MD5 at this point becomes worthless. On the back of such a discovery, an appeal is launched, focusing on that critical bit of evidence whose reliability can now be brought into question.

Given the cryptographic attacks on MD5 and SHA-1 in the past, and their known weaknesses, the hashes will not last forever. As the judicial process can be quite drawn out, is it worth taking the risk that the hash function you are using is not going to be forensically reliable when the case reaches court? In my eyes, we need to look ahead too, and consider what the effect on us as examiners will be if MD5 or SHA-1 is no more...

I believe that it will be a few years (5 - 10) before MD5 and/or SHA-1 are proved to be sufficiently unreliable. My advice is to use as generous a hash as you can afford (thinking that larger hashes = more computation, and the greater number of files on computers now = far more time to hash a case), or alternatively, use more than one hash. If it is likely that one hash will be broken, it is less likely that 2 will be, or even 3. Even on the collisions front, if a collision is found in MD5-space for two values, it is highly unlikely, due to the vast differences in the algorithms, that the same two files will collide in SHA-1 or the SHA-2 family.

Sorry for the essay, and I hope this helps :)

joe_bowman
Member
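
A single-pass, multi-algorithm hasher in Python, added here to illustrate joe_bowman's "use more than one hash" advice and the cost it carries. This is my own example, not code from the thread or from any tool mentioned in it: the file is read once and every chunk is pushed into each hashlib state, so adding SHA-256 and SHA-512 alongside MD5 costs extra CPU but no extra passes over the disk. The algorithm list, the chunk size and the tab-separated manifest line are my own choices, and the sample input is constructed.

```python
"""Hash an evidence file once, under several algorithms.

Added example, not code from the thread: one read pass, N hash states.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Iterable

# Report order for a hash list; MD5 kept so legacy hash sets can still be matched.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def multi_hash(stream: BinaryIO, algorithms: Iterable[str] = ALGORITHMS,
               chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Return {algorithm: hexdigest} after a single pass over `stream`.

    Every chunk is fed to every hash state, so the media is read once;
    only CPU time grows with the number of algorithms.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def multi_hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS,
                     chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same as multi_hash, for an in-memory buffer (handy for tests)."""
    return multi_hash(io.BytesIO(data), algorithms, chunk_size)


def multi_hash_file(path: str, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    """Hash a file on disk in one pass."""
    with open(path, "rb") as f:
        return multi_hash(f, algorithms)


def manifest_line(label: str, digests: Dict[str, str]) -> str:
    """One tab-separated line per file, every digest side by side (my own format)."""
    return "\t".join([label] + [f"{name}={value}" for name, value in digests.items()])


if __name__ == "__main__":
    sample = b"abc"  # constructed sample input
    print(manifest_line("sample.bin", multi_hash_bytes(sample)))
```

Because the hashers are updated in lock-step, the chunk size only affects memory use, never the digests; a manifest produced this way lets a later verifier check whichever of the recorded algorithms it still trusts.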

Re: SHA-1 SHA-256 SHA-512??

Posted: Fri Mar 04, 2011 6:44 am

In the time it took to write the essay, the same point was made far more succinctly :)

joe_bowman
Member

Re: SHA-1 SHA-256 SHA-512??

Posted: Fri Mar 04, 2011 9:07 am

- azrael
Although MD5 and SHA-1 have been "broken" - the ability to create two objects with the same hash that have any beneficial meaning is still infeasible.


Azrael, given that you've made that statement, I'd be interested in your comments re this:

MD5 collisions

The work of Daum and Lucks which is referenced is no longer available at the original link, but is still online here:

Daum and Lucks

and here:

Lucks webpage

Will be great to hear your take on that.
_________________
'Tis with our judgments as our watches, none
Go just alike, yet each believes his own. 

mgilhespy
Senior Member

Re: SHA-1 SHA-256 SHA-512??

Posted: Fri Mar 04, 2011 10:41 am

Thanks Joe_bowman. Based on what you said, and the NIST recommendations, I am going for SHA-256. This should be safe until I get my bus pass, even though that has moved back 6 years now.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member

Re: SHA-1 SHA-256 SHA-512??

Posted: Sat Mar 05, 2011 11:55 am

- mgilhespy
- azrael
Although MD5 and SHA-1 have been "broken" - the ability to create two objects with the same hash that have any beneficial meaning is still infeasible.


Azrael, given that you've made that statement, I'd be interested in your comments re this:

MD5 collisions

The work of Daum and Lucks which is referenced is no longer available at the original link, but is still online here:

Daum and Lucks

and here:

Lucks webpage

Will be great to hear your take on that.


My issue with these is with regards to how contrived the examples are - they have demonstrated a theoretical attack, and, as a proof of concept, I have to agree that they are quite good. But in reality let's look at what we actually are using hashes for in Forensics - we are using them to demonstrate that a given file hasn't been altered in the process of examination/transit/handling - or indeed deliberately to incriminate an individual. If I wanted to plant evidence of a given crime during an examination, say, for a change, of a nice neat fraud case - I would have to fabricate, not only a file that matched the hash, but a file that met my needs, and, most likely several more files that (a) matched the hash, (b) matched my needs and, now, (c) match the other files. If you look at the "recommendation / clearance" example - both of the files contain, in plain text, both of the letters - so whilst you might have fooled someone giving it a cursory view, you wouldn't fool someone who was looking at a byte level - in this case it is more of an exploit of human fallibility in believing what you see rather than checking further in depth - I am aware of systems that explicitly will flag content that isn't immediately visible to the user in order to mitigate against this risk.

In other uses of hashes, such as passwords, there is no ability for the attacker to craft both parts of the hash, so although the search space in a brute force attack is reduced (as potentially more than one passphrase would have the same hash) this weakness is largely mitigated by the fact that, with a long password with a large character set, even reducing the search space still presents a significant problem for a brute force attack - or - the brute force attack is capable of being run regardless of the search space size (using significant resources - HPC or rainbow tables or the like).

I think that the example that scares me most from the ones given in the excellent links, is the idea that two programs might have the same hash - although I have to say, I find it hard to believe that useful function would be possible to get in the same hash, and, in reality, you'd only have one part of the equation that you could edit (e.g. your code) as the other program that had been hashed and was already on the system (protected by, say, Tripwire or Sanctuary) was beyond your control. So you'd be trying to manipulate something to meet that hash that would work.

I do work with secure systems, and we hear about these theoretical attacks constantly, and some people spend a lot of time and money trying to make them work - people who are a lot brighter than me mathematically too - and as of yet, I've not seen it presented as a real threat as the exploitation is too elaborate and difficult. I'm really not belittling the very important work done by these academics, and, as a professional on the security side, I'd encourage anyone to use the largest levels of encryption and hash complexity that they can without impacting on the performance of their product and/or system - but in reality there is, in my opinion, no real threat _in court_ or _in the real world_ because of these theoretical compromises.

Kind Regards,

Azrael
_________________
--
Azrael
-- 

azrael
Senior Member
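
A byte-level and multi-digest comparison in Python, added here to make Azrael's point concrete: a hash stands in for the bytes, so where both files are to hand an examiner compares the bytes and looks at what the file actually contains, not only how a viewer renders it. This is my own example, not code from the thread. The two letter files are constructed stand-ins for the "recommendation / clearance" style pair, not the real Daum and Lucks documents, so they do not share an MD5; the collision branch is therefore separated from the hashing so it can be exercised with hand-made digest dictionaries. The algorithm list and the verdict names are my own choices.

```python
"""Compare two files at byte level and under several digests.

Added example, not code from the thread. Two byte-different files that share
one digest but not the others are a collision in that algorithm, not the same
evidence; printable-string extraction shows text a viewer might not render.
"""
import hashlib
import re
from typing import Dict, List

ALGORITHMS = ("md5", "sha1", "sha256")


def digests(data: bytes) -> Dict[str, str]:
    """Hex digest of `data` under each algorithm in ALGORITHMS."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def classify(da: Dict[str, str], db: Dict[str, str], same_bytes: bool) -> dict:
    """Classify a pair from its digests and whether the raw bytes were equal.

    Kept separate from hashing so the collision branch can be tested with
    hand-made digest dictionaries; real colliding pairs are rarely to hand.
    """
    names = [n for n in da if n in db]
    agreeing = [n for n in names if da[n] == db[n]]
    disagreeing = [n for n in names if n not in agreeing]
    if same_bytes:
        if disagreeing:
            # Identical bytes must hash identically; anything else is a tooling fault.
            raise ValueError(f"identical bytes but digests disagree: {disagreeing}")
        verdict = "identical"
    elif agreeing:
        verdict = "collision"      # bytes differ, yet some algorithm(s) agree
    else:
        verdict = "different"
    return {"verdict": verdict, "agreeing": agreeing, "disagreeing": disagreeing}


def compare(a: bytes, b: bytes) -> dict:
    """Full comparison of two in-memory files."""
    return classify(digests(a), digests(b), a == b)


def printable_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Runs of printable ASCII of at least `min_len` bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Constructed stand-ins (not the real Daum/Lucks files): both carry both
# texts, and a one-word flag decides which text a PostScript viewer would show.
LETTER_A = (b"%!PS\n/show_first true def\n"
            b"(LETTER OF RECOMMENDATION) (SECURITY CLEARANCE) "
            b"show_first {pop} {exch pop} ifelse show\n")
LETTER_B = LETTER_A.replace(b"true", b"false")


if __name__ == "__main__":
    print(compare(LETTER_A, LETTER_B))       # constructed pair: "different"
    print(printable_strings(LETTER_A))       # both letters visible at byte level
```

The report names which algorithms agreed and which did not, so a finding reads "MD5 matched, SHA-256 did not" rather than "hash matched"; with the constructed pair every digest differs, and a genuine MD5-colliding pair would be the only input that reaches the collision verdict.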