<- Back to the blog

Algorithm Choice in PKCS#11 (part 3) - Hash Functions

Graham Steel
June 30, 2014

A hash function is a basic building block of many cryptographic protocols. Cryptanalysis of hash functions has made great progress in the last decade, so how do the hash functions provided by PKCS#11  measure up?

Summary Table

In the table below we list the functions available together with their current status, referring as usual to the ENISA review where applicable.

Algorithm/mode Ok legacy Ok future Note
MD2 × × See text
MD5 × × Completely broken
SHA-1 × See text
SHA256, 384, 512
FASTHASH × × 40 bit digest
RIPEMD-128 × × See text
RIPEMD-160 × See text

MD-2, MD-5

MD-2 has known better-than-brute-force attacks for both preimages and collisions. Its use has been deprecated for some time. MD-5 should be considered broken. Collisions can be calculated easily on a desktop PC. There are even known examples of MD-5 collision attacks being used in the wild.

1.14    SHA-1

A procedure is known to obtain SHA-1 collisions in less than 262 operations (since SHA-1 has a fixed 160 bit output, the theoretical lower bound is 280). A talk by Marc Stevens outlines a procedure requiring 260 operations. Speculation about when practical collisions will be seen ranges from 2018-21.

Preimage calculation attacks on reduced round SHA-1 currently require 2146.2 steps on 44 round SHA-1and 2150.6 steps on 48 round (full SHA-1 has 80 rounds).

Finally, some authors consider even the theoretical lower bound on collision attacks (280) to be too low a security parameter for future applications.

1.15    SHA-256, SHA-384, SHA-512

There are collision and preimage attacks reported on reduced-round versions of the SHA-2 family, but currently no practical attacks.

FASTHASH

A relic of NSA cryptography, its fixed 40 bit digest size is not suitable for cryptographic applications, since collisions can be found by brute force in one million operations.

RIPE MD

RIPEMD-160 has cryptanalytic results that suggest it will soon be broken. RIPEMD-128 has a fixed 128 bit digest size which is now considered too small to resist brute force, and on top of this recent cryptanalytic results have suggested faster attacks will soon be found.

Conclusion

Of all the functions offered by PKCS#11, only large-digest SHA-2 family functions can be considered reasonably good choices for future applications. In the forthcoming PKCS#11 version v2.40, MD2, MD5, FASTHASH and the RIPEMD functions will be consigned to the "historical mechanisms" list. Hopefully this will reduce the chances of their accidental use.

Plug

Cryptosense offers a free whitepaper on PKCS#11 security. Get yours here.

Further Reading

At last, Secure HSMs in the Cloud

Sam Ross-Gower

Exciting new research from Cryptosense Chief Scientist Riccardo Focardi provides a simple and proven method to remove the risk of API-level attacks and enable widespread adoption of cloud HSMs. 

READ ARTICLE ->

Understanding Cryptography Jargon

Jarred McGinnis

Or ‘Wait, what does SCEP stand for again?’ Cryptography is the study of secure communication, but you would be forgiven if you thought it was a mathematician's hobby of creating unpronounceable acronyms. HSTS, really? What's wrong with something like Radar or Crispr? In this article we’ll go through some of the key terms and acronyms that pop up when working in the cryptography field.

READ ARTICLE ->

How to use a Hardware Security Module (HSM) Securely

Sam Ross-Gower

In this short demo, Graham explains how to use a Hardware Security Module (HSM) securely.

READ ARTICLE ->

How Ledger Hacked an HSM

Graham Steel

The announcement yesterday of this talk about HSM hacking on the BlackHat 2019 program has caused a stir, and for good reason: the authors claim to have discovered remote unauthenticated attacks giving full control of an HSM and complete access to keys and secrets stored on it...

READ ARTICLE ->