Algorithm Choice in PKCS#11 (part 3) - Hash Functions

Graham Steel
June 30, 2014

A hash function is a basic building block of many cryptographic protocols. Cryptanalysis of hash functions has made great progress in the last decade, so how do the hash functions provided by PKCS#11  measure up?

Summary Table

In the table below we list the functions available together with their current status, referring as usual to the ENISA review where applicable.

Algorithm/mode Ok legacy Ok future Note
MD2 × × See text
MD5 × × Completely broken
SHA-1 × See text
SHA256, 384, 512
FASTHASH × × 40 bit digest
RIPEMD-128 × × See text
RIPEMD-160 × See text

MD-2, MD-5

MD-2 has known better-than-brute-force attacks for both preimages and collisions. Its use has been deprecated for some time. MD-5 should be considered broken. Collisions can be calculated easily on a desktop PC. There are even known examples of MD-5 collision attacks being used in the wild.

1.14    SHA-1

A procedure is known to obtain SHA-1 collisions in less than 262 operations (since SHA-1 has a fixed 160 bit output, the theoretical lower bound is 280). A talk by Marc Stevens outlines a procedure requiring 260 operations. Speculation about when practical collisions will be seen ranges from 2018-21.

Preimage calculation attacks on reduced round SHA-1 currently require 2146.2 steps on 44 round SHA-1and 2150.6 steps on 48 round (full SHA-1 has 80 rounds).

Finally, some authors consider even the theoretical lower bound on collision attacks (280) to be too low a security parameter for future applications.

1.15    SHA-256, SHA-384, SHA-512

There are collision and preimage attacks reported on reduced-round versions of the SHA-2 family, but currently no practical attacks.

FASTHASH

A relic of NSA cryptography, its fixed 40 bit digest size is not suitable for cryptographic applications, since collisions can be found by brute force in one million operations.

RIPE MD

RIPEMD-160 has cryptanalytic results that suggest it will soon be broken. RIPEMD-128 has a fixed 128 bit digest size which is now considered too small to resist brute force, and on top of this recent cryptanalytic results have suggested faster attacks will soon be found.

Conclusion

Of all the functions offered by PKCS#11, only large-digest SHA-2 family functions can be considered reasonably good choices for future applications. In the forthcoming PKCS#11 version v2.40, MD2, MD5, FASTHASH and the RIPEMD functions will be consigned to the "historical mechanisms" list. Hopefully this will reduce the chances of their accidental use.

Plug

Cryptosense offers a free whitepaper on PKCS#11 security. Get yours here.