Hash functions

A hash function is a basic building block of many cryptographic protocols. Cryptanalysis of hash functions has made great progress in the last decade.

Summary Table

In the table below we list the functions available in common APIs together with their current security status. Justification for the status follows underneath the table.

| Algorithm/mode | OK legacy use | OK future use |
|---|---|---|
| MD2 | No | No |
| MD5 | No | No |
| SHA1 | No* | No |
| SHA256, 384, 512 | Yes | Yes |
| SHA3 | Yes | Yes |
| FASTHASH | No | No |
| RIPEMD-128 | No | No |
| RIPEMD-160 | Yes | No |

MD-2, MD-5

MD-2 has known better-than-brute-force attacks for both preimages and collisions. Its use has been deprecated for some time. MD-5 should be considered broken. Collisions can be calculated easily on a desktop PC. There are even known examples of MD-5 collision attacks being used in the wild.

SHA-1

A full collision on SHA-1 was announced in February 2017 in a collaboration between CWI and Google, the culmination of many years of cryptanalytic research. The procedure used to find the collision is public and could be followed by others with similar resources. No doubt the procedure will also be improved. As such, SHA-1 should no longer be considered secure for applications that need collision resistance (such as message and certificate digests).

Preimage attacks on reduced-round SHA-1 currently require 2^146.2^ steps on 44-round SHA-1 and 2^150.6^ steps on 48-round SHA-1 (full SHA-1 has 80 rounds).

SHA-256, SHA-384, SHA-512

There are collision and preimage attacks reported on reduced-round versions of the SHA-2 family, but currently no practical attacks.

SHA-3

Standardized in 2015, SHA-3 is the result of a NIST-organized competition to replace the SHA-2 family. Candidates were subject to independent cryptanalysis throughout the competition, hence SHA-3 is believed to be secure.

FASTHASH

FASTHASH is a relic of export-restricted NSA cryptography. Its fixed 40-bit digest size is not suitable for cryptographic applications, since collisions can be found by brute force in one million operations.
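The digest-size argument above can be checked directly. The following is an added example, not code from the original page: it runs a birthday search against an n-bit digest and counts the attempts needed. FASTHASH's internals are not described here, so the top bits of SHA-256 stand in for it (an assumption), and the function names and messages are constructed for illustration.

```python
import hashlib
from typing import Optional, Tuple


def truncated_digest(message: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, used as a stand-in n-bit hash.

    Assumption: this is NOT FASTHASH, only a digest of the same size.
    """
    if not 1 <= bits <= 64:
        raise ValueError("bits must be between 1 and 64")
    top64 = int.from_bytes(hashlib.sha256(message).digest()[:8], "big")
    return top64 >> (64 - bits)


def find_collision(
    bits: int, max_attempts: Optional[int] = None
) -> Optional[Tuple[bytes, bytes, int]]:
    """Birthday search: hash distinct constructed messages until two of
    them share a digest. Returns (msg_a, msg_b, attempts) or None."""
    if max_attempts is None:
        # 8x the birthday bound 2^(bits/2); a miss here is vanishingly rare.
        max_attempts = 1 << (bits // 2 + 3)
    seen = {}  # digest -> counter of the message that produced it
    for counter in range(max_attempts):
        message = b"constructed-message-%d" % counter
        digest = truncated_digest(message, bits)
        earlier = seen.get(digest)
        if earlier is not None:
            return b"constructed-message-%d" % earlier, message, counter + 1
        seen[digest] = counter
    return None


if __name__ == "__main__":
    # 40 bits matches the FASTHASH digest size; expect roughly 2^20 attempts.
    for bits in (24, 32, 40):
        result = find_collision(bits)
        if result is None:
            print(f"{bits}-bit digest: no collision within the attempt cap")
            continue
        msg_a, msg_b, attempts = result
        print(f"{bits}-bit digest: {msg_a!r} and {msg_b!r} collide "
              f"after {attempts} hashes (2^{bits // 2} = {1 << (bits // 2)})")
```

The attempt count grows with the square root of the digest space, which is why the digest size alone rules out a 40-bit hash regardless of how well its internals are designed.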

RIPEMD

Cryptanalysis results on RIPEMD-160 suggest it will soon be broken. RIPEMD-128 has a fixed 128-bit digest size, which is now considered too small to resist brute force; on top of this, recent cryptanalytic results have suggested that faster attacks will soon be found.

Sources

ENISA Algorithm and Key Length Review.