我应该选择哪一个加密散列函数？ [英] Which cryptographic hash function should I choose?

问题描述

在.NET框架附带了6种不同的散列算法：

• MD5：16字节（时间凑500MB：1462毫秒）
• SHA1：20字节（1644毫秒）
• SHA256：32字节（5618毫秒）
• SHA384：48字节（3839毫秒）
• SHA512：64字节（3820毫秒）
• RIPEMD：20字节（7066毫秒）

这些函数执行不同的; MD5是最快和RIPEMD是最慢的。

的MD5具有它在内置的Guid类型适合的优点。这使得它可以很方便用于识别。

MD5然而易受冲突攻击时，SHA1也是脆弱，但程度较轻。

在什么情况下我应该使用哪种哈希算法？

具体的问题，我真的很好奇，想看看回答是：

• 是MD5不被信任？在当您使用MD5算法，没有恶意，也没有第三方有什么恶意，你会想到任何冲突正常情况下（指任意两个byte []的生产相同的散列）

• 如何更好地为RIPEMD比SHA1？ （如果没有更好的），它的5倍慢来计算，但散列大小是一样的SHA1。

• 什么是散列文件名（或其他短字符串）时获得的非恶意的碰撞的几率有多大？ （例如2随机文件名以相同的MD5哈希）（与MD5 / SHA1 / SHA2xx）一般有多大的非恶意的碰撞？

这是我用过的风向标：

 静态无效TimeAction（字符串描述，诠释迭代，动作FUNC）{
        无功表=新的秒表（）;
        watch.Start（）;
        的for（int i = 0; I＆LT;迭代;我++）{
            FUNC（）;
        }
        watch.Stop（）;
        Console.Write（介绍）;
        Console.WriteLine（经过时间{0}毫秒，watch.ElapsedMilliseconds）;
    }

    静态的byte [] GetRandomBytes（INT计数）{
        VAR字节=新字节[统计]
        （新的随机（））的nextBytes（字节）。
        返回字节;
    }


    静态无效的主要（字串[] args）{

        VAR的md5 =新MD5CryptoServiceProvider（）;
        VAR SHA1 =新SHA1CryptoServiceProvider（）;
        VAR SHA256 =新SHA256CryptoServiceProvider（）;
        VAR SHA384 =新SHA384CryptoServiceProvider（）;
        VAR SHA512 =新SHA512CryptoServiceProvider（）;
        VAR RIPEMD160 =新RIPEMD160Managed（）;

        无功源= GetRandomBytes（1000 * 1024）;

        变种算法=新字典＆LT;字符串，HashAlgorithm＆GT;（）;
        算法[MD5] = MD5;
        算法[SHA1] = SHA1;
        算法[SHA256] = SHA256;
        算法[SHA384] = SHA384;
        算法[SHA512] = SHA512;
        算法[RIPEMD160] = RIPEMD160;

        的foreach（VAR对的算法）{
            Console.WriteLine（码的长度为{0} {1}，
                pair.Key，
                pair.Value.ComputeHash（源）.Length）;
        }

        的foreach（VAR对的算法）{
            TimeAction（pair.Key +计算，500，（）=＆GT;
            {
                pair.Value.ComputeHash（源）;
            }）;
        }

        Console.ReadKey（）;
    }
 

解决方案

在加密散列函数提供了三个独立的功能。

1. 冲突性：怎么苦也有人找到两个消息（任何的两个消息）散列相同
2. preimage电阻：给定一个哈希值，是有多难找到另一个消息，散列一样吗？也称为的的单向散列函数的
3. 二preimage电阻：给定一个消息，找到另一个消息，散列相同。

这些属性是相关的，但独立的。例如，碰撞阻力意味着第二preimage阻力，但不是周围的其他方法。对于任何给定的应用程序，你就会有不同的要求，需要其中的一个或多个属性。散列函数用于保护在服务器上的密码通常只需要preimage性，而消息摘要需要所有三个。

有已经表明，MD5是不抗碰撞，但是，并不preclude其在应用中，不需要抗碰撞性使用。实际上，MD5常常仍然使用的应用中更小的关键尺寸和速度是有益的。尽管如此，由于它的缺陷，研究人员建议在新的情况下使用其他散列函数的。

SHA1有一个缺陷，允许碰撞到在除2 ^ 80理论上少得多中找到的步骤其长度将需要的安全散列函数。攻击在不断地修改，目前可以在〜2 ^ 63步来完成 - 刚好在可计算当前的境界。为此NIST正在逐步淘汰使用SHA1的，说明该SHA2家人应该在2010年后可以使用。

SHA2是以下SHA1创建散列函数一个新的家庭。目前，有对SHA2功能没有已知的攻击。 SHA256，384和512是SHA2系列的一部分，只是用不同的密钥长度。

RIPEMD我不能评论太多，但要注意，这是不常用的SHA家庭，所以一直没有审查的密切加密的研究人员。出于这个原因，仅我会建议使用SHA功能了它。在执行您使用的是它似乎很慢的为好，这使得它用处不大。

总之，没有一个最好的功能 - 这一切都取决于你需要它。要考虑到与每个缺陷，你将最有能力选择合适的哈希函数的您的场景。

The .NET framework ships with 6 different hashing algorithms:

• MD5: 16 bytes (Time to hash 500MB: 1462 ms)
• SHA1: 20 bytes (1644 ms)
• SHA256: 32 bytes (5618 ms)
• SHA384: 48 bytes (3839 ms)
• SHA512: 64 bytes (3820 ms)
• RIPEMD: 20 bytes (7066 ms)

Each of these functions performs differently; MD5 being the fastest and RIPEMD being the slowest.

MD5 has the advantage that it fits in the built-in Guid type. Which makes it really easy to use for identification.

MD5 however is vulnerable to collision attacks, SHA1 is also vulnerable but to a lesser degree.

Under what conditions should I use which hashing algorithm?

Particular questions I'm really curious to see answered are:

• Is MD5 not to be trusted? Under normal situations when you use the MD5 algorithm with no malicious intent and no third party has any malicious intent would you expect ANY collisions (meaning two arbitrary byte[] producing the same hash)

• How much better is RIPEMD than SHA1? (if its any better) its 5 times slower to compute but the hash size is the same as SHA1.

• What are the odds of getting non-malicious collisions when hashing file-names (or other short strings)? (Eg. 2 random file-names with same MD5 hash) (with MD5 / SHA1 / SHA2xx) In general what are the odds for non-malicious collisions?

This is the benchmark I used:

    static void TimeAction(string description, int iterations, Action func) {
        var watch = new Stopwatch();
        watch.Start();
        for (int i = 0; i < iterations; i++) {
            func();
        }
        watch.Stop();
        Console.Write(description);
        Console.WriteLine(" Time Elapsed {0} ms", watch.ElapsedMilliseconds);
    }

    static byte[] GetRandomBytes(int count) {
        var bytes = new byte[count];
        (new Random()).NextBytes(bytes);
        return bytes;
    }


    static void Main(string[] args) {

        var md5 = new MD5CryptoServiceProvider();
        var sha1 = new SHA1CryptoServiceProvider();
        var sha256 = new SHA256CryptoServiceProvider();
        var sha384 = new SHA384CryptoServiceProvider();
        var sha512 = new SHA512CryptoServiceProvider();
        var ripemd160 = new RIPEMD160Managed();

        var source = GetRandomBytes(1000 * 1024);

        var algorithms = new Dictionary<string,HashAlgorithm>();
        algorithms["md5"] = md5;
        algorithms["sha1"] = sha1;
        algorithms["sha256"] = sha256;
        algorithms["sha384"] = sha384;
        algorithms["sha512"] = sha512;
        algorithms["ripemd160"] = ripemd160;

        foreach (var pair in algorithms) {
            Console.WriteLine("Hash Length for {0} is {1}", 
                pair.Key, 
                pair.Value.ComputeHash(source).Length);
        }

        foreach (var pair in algorithms) {
            TimeAction(pair.Key + " calculation", 500, () =>
            {
                pair.Value.ComputeHash(source);
            });
        }

        Console.ReadKey();
    }

解决方案

In cryptography, hash functions provide three separate functions.

1. Collision resistance: How hard is it for someone to find two messages (any two messages) that hash the same.
2. Preimage Resistance: Given a hash, how hard is it to find another message that hashes the same? Also known as a one way hash function.
3. Second preimage resistance: Given a message, find another message that hashes the same.

These properties are related but independent. For example, collision resistance implies second preimage resistance, but not the other way around. For any given application, you will have different requirements, needing one or more of these properties. A hash function for securing passwords on a server will usually only require preimage resistance, while message digests require all three.

It has been shown that MD5 is not collision resistant, however, that does not preclude its use in applications that do not require collision resistance. Indeed, MD5 is often still used in applications where the smaller key size and speed are beneficial. That said, due to its flaws, researchers recommend the use of other hash functions in new scenarios.

SHA1 has a flaw that allows collisions to be found in theoretically far less than the 2^80 steps a secure hash function of its length would require. The attack is continually being revised and currently can be done in ~2^63 steps - just barely within the current realm of computability. For this reason NIST is phasing out the use of SHA1, stating that the SHA2 family should be used after 2010.

SHA2 is a new family of hash functions created following SHA1. Currently there are no known attacks against SHA2 functions. SHA256, 384 and 512 are all part of the SHA2 family, just using different key lengths.

RIPEMD I can't comment too much on, except to note that it isn't as commonly used as the SHA families, and so has not been scrutinized as closely by cryptographic researchers. For that reason alone I would recommend the use of SHA functions over it. In the implementation you are using it seems quite slow as well, which makes it less useful.

In conclusion, there is no one best function - it all depends on what you need it for. Be mindful of the flaws with each and you will be best able to choose the right hash function for your scenario.

这篇关于我应该选择哪一个加密散列函数？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！