Myth: MD5 is faster than SHA-1 - Journal of Omnifarious
Nov. 5th, 2008, 11:36 am
MD5 is broken. It no longer satisfies one of the basic properties of a cryptographic hash function: collision resistance. It is possible to find two different inputs that have the same MD5 hash relatively simply and quickly. (The other two properties, preimage and second-preimage resistance, are not known to be broken, and that is what the "it's still fine for X" arguments rest on.) People say that this is a fairly trivial weakness and that there are many things MD5 can still be used for. They are wrong. It is very hard to accurately analyze exactly where and when the lack of that particular property can bite you: a collision attack requires the attacker to supply both colliding inputs, and whether an attacker can do that in your system is rarely as obvious as it looks. But still people persist in saying MD5 is fine, and that we should continue to use it because it's faster. The idea that it's faster is a myth.
Where I work we tested MD5 and SHA-1 from OpenSSL on several different platforms. SHA-1 was actually faster on most of them. OpenSSL has assembly optimized versions of both algorithms for many platforms. But the assembly optimized versions of SHA-1 were consistently faster.
I do not know exactly why this is. But I do have a guess. My guess is that everybody who actually knows enough to do significant work on cryptography algorithm implementations knows that MD5 is broken and should no longer be used for anything, no matter what excuse. And so they don't spend much time trying to tweak the assembly optimized versions of MD5 and instead concentrate their efforts on the much stronger (but still slightly broken) SHA-1. So those versions end up faster.
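Rather than take either the myth or this post on faith, measure it on your own hardware. The script below is an added example, not part of the original post or of OpenSSL: it times MD5, SHA-1 and SHA-256 through Python's hashlib, which on CPython builds linked against OpenSSL uses OpenSSL's implementations (an assumption about your build; on other builds you are timing CPython's fallback code instead). It first checks each algorithm against the published test vector for the message "abc", so you never benchmark a broken implementation, and it skips algorithms the build refuses to construct, which is what happens to MD5 on a FIPS-mode OpenSSL. The 16 MiB input buffer is constructed in the script.

```python
import hashlib
import time

# Published test vectors for the message b"abc" (from the MD5 and SHA specs).
# Used to make sure the library we are timing actually computes the right digests.
KNOWN_DIGESTS = {
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

# Constructed input: a deterministic 16 MiB buffer, so runs are comparable.
BUF_SIZE = 16 * 1024 * 1024
BUFFER = bytes(range(256)) * (BUF_SIZE // 256)


def available(name):
    """True if this hashlib build can construct the named hash.
    MD5 is missing on FIPS-mode OpenSSL builds, so never assume it exists."""
    try:
        hashlib.new(name)
        return True
    except ValueError:
        return False


def check_vectors(names=("md5", "sha1", "sha256")):
    """Return the subset of names that are available and whose digest of
    b"abc" matches the published vector."""
    ok = []
    for name in names:
        if available(name) and hashlib.new(name, b"abc").hexdigest() == KNOWN_DIGESTS[name]:
            ok.append(name)
    return ok


def throughput_mib_s(name, data=BUFFER, rounds=3):
    """Hash `data` `rounds` times and return the best-round throughput in MiB/s.
    Best-of-N is used so one scheduling hiccup does not hide the real speed."""
    best = None
    for _ in range(rounds):
        t0 = time.perf_counter()
        hashlib.new(name, data).digest()
        elapsed = time.perf_counter() - t0
        best = elapsed if best is None else min(best, elapsed)
    return (len(data) / (1024 * 1024)) / best


def benchmark(names=("md5", "sha1", "sha256"), rounds=3):
    """Return {name: MiB/s} for every algorithm that is available and correct,
    sorted fastest first."""
    results = {}
    for name in check_vectors(names):
        results[name] = throughput_mib_s(name, rounds=rounds)
    return dict(sorted(results.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for name, mib_s in benchmark().items():
        print(f"{name:8s} {mib_s:8.1f} MiB/s")
```

Run it a few times and compare with `openssl speed md5 sha1 sha256`, which exercises OpenSSL's assembly versions directly with its own timing loop; the two should rank the algorithms the same way on a given machine. Whatever the ranking turns out to be, the numbers for a 16 MiB buffer show that the difference between MD5 and SHA-1 is a small constant factor, nowhere near large enough to justify a hash with a known collision attack.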
So please people, stop using MD5. And replace it everywhere it's used. It's broken, and pretending you can do the analysis to know that its brokenness isn't going to affect you is foolish arrogance. There is no excuse but inertia. The "but it's faster" excuse no longer flies.