Myth: MD5 is faster than SHA-1 - Journal of Omnifarious

Nov. 5th, 2008

11:36 am - Myth: MD5 is faster than SHA-1

MD5 is broken. It no longer satisfies one of the basic properties of a hash function. It is possible to find two values that have the same hash relatively simply and quickly. People say that this is a fairly trivial weakness and that there are many things MD5 can still be used for. They are wrong. It is very hard to accurately analyze exactly where and when the lack of that particular property can bite you. But still people persist in saying MD5 is fine, and we should continue to use it because it's faster. But the idea that it's faster is a myth.

OK, so it's not a total myth. On paper MD5 should be faster than SHA-1. It's simpler and requires fewer operations to compute. But in practice it often isn't faster.

Where I work we tested MD5 and SHA-1 from OpenSSL on several different platforms. SHA-1 was actually faster on most of them. OpenSSL has assembly optimized versions of both algorithms for many platforms. But the assembly optimized versions of SHA-1 were consistently faster.

I do not know exactly why this is. But I do have a guess. My guess is that everybody who actually knows enough to do significant work on cryptography algorithm implementations knows that MD5 is broken and should no longer be used for anything, no matter what excuse. And so they don't spend much time trying to tweak the assembly optimized versions of MD5 and instead concentrate their efforts on the much stronger (but still slightly broken) SHA-1. So those versions end up faster.

So please people, stop using MD5. And replace it everywhere it's used. It's broken, and pretending you can do the analysis to know that its brokenness isn't going to affect you is foolish arrogance. There is no excuse but inertia. The "but it's faster" excuse no longer flies.

Current Location: 1500 Dexter Ave N, 98109
Current Mood: determined
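
The speed comparison described above can be re-measured on any machine rather than assumed. The following is an added example, not code from the original post: it times MD5, SHA-1 and SHA-256 (included only as a modern reference point) through Python's `hashlib`, which is assumed to be linked against OpenSSL as in typical CPython builds, so the numbers reflect that OpenSSL version and CPU.

```python
import hashlib
import time

ALGORITHMS = ("md5", "sha1", "sha256")  # sha256 is an added reference point


def throughput_mb_s(name, block_size, total_bytes=16 * 1024 * 1024, repeats=3):
    """Best-of-`repeats` hashing throughput in MB/s for one algorithm."""
    block = bytes(block_size)  # constructed input: an all-zero buffer
    rounds = max(1, total_bytes // block_size)
    best = float("inf")
    for _attempt in range(repeats):
        h = hashlib.new(name)
        start = time.perf_counter()
        for _ in range(rounds):
            h.update(block)
        h.digest()
        best = min(best, time.perf_counter() - start)
    return (rounds * block_size) / max(best, 1e-9) / 1e6


def benchmark(block_sizes=(64, 1024, 65536), **kwargs):
    """Return {block_size: {algorithm: MB/s}}, skipping disabled algorithms."""
    results = {}
    for size in block_sizes:
        row = {}
        for name in ALGORITHMS:
            try:
                row[name] = throughput_mb_s(name, size, **kwargs)
            except ValueError:  # e.g. MD5 refused by a FIPS-mode OpenSSL build
                continue
        results[size] = row
    return results


def fastest(row):
    """Name of the algorithm with the highest throughput in one result row."""
    return max(row, key=row.get)


if __name__ == "__main__":
    import ssl  # only used to report which OpenSSL this interpreter links
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    for size, row in benchmark().items():
        cells = "  ".join(f"{n}={v:8.1f} MB/s" for n, v in row.items())
        print(f"{size:>6} B blocks: {cells}  fastest={fastest(row)}")
```

At the 64-byte block size the Python call overhead dominates, so the large-block rows are the ones that reflect the underlying implementation.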

Comments:

From:akashayi
Date:November 5th, 2008 07:53 pm (UTC)
I thought SHA-1 was still standard hash practice these days >.>
From:omnifarious
Date:November 7th, 2008 09:32 am (UTC)

You know, you'd think so wouldn't you? But I keep hearing the stupidest arguments in favor of MD5 in various situations.

From:(Anonymous)
Date:August 8th, 2010 03:31 am (UTC)

Sorry but I don't agree. MD5 vs SHA speed comparisons

Using Linux command line tools, md5sum and sha1sum on a directory of files md5sum is faster.

Using Ruby's Digest::MD5.hexdigest is faster than Digest::SHA1.hexdigest

Crypto algorithm benchmarking also says MD5 is faster - http://www.cryptopp.com/benchmarks.html

From:omnifarious
Date:August 8th, 2010 05:00 am (UTC)

Re: Sorry but I don't agree. MD5 vs SHA speed comparisons


For an optimal implementation you are correct. But in the OpenSSL library, which is pretty widely used, SHA1 has received a great deal more optimization effort than MD5 and is faster on many platforms.

From:hattifattener
Date:November 6th, 2008 02:30 am (UTC)
I think that since SHA-1 was designed later, its design makes more effort to make use of elements that are usually easy to implement in software (as opposed to dedicated hardware). I could be wrong. Certainly AES is designed to be more software-friendly than DES, for example. MD5's weaknesses only started showing up in recent years, after all that assembly optimization work had been done in OpenSSL, IIRC.

Anyway, SHA-1 is looking kind of shaky these days too; the government is holding a competition to come up with a replacement (much like the one that produced AES from Rijndael back in '99).
From:omnifarious
Date:November 7th, 2008 09:31 am (UTC)

Competition


I knew about that. :-)

I'm not so sure about SHA-1 vs. MD5 implementation. You might be right. But I checked the changelog for OpenSSL and the SHA-1 stuff generally had a much more recent modification date than the MD5 stuff. So I took that as partial support for my hypothesis.



Edited at 2008-11-07 09:32 am (UTC)