next up previous
Next: Silent, deterministic, hard-to-fix errors Up: Questions about compare-by-hash Previous: Randomness of input

Cryptographic hashes -- one size fits all?

Collision-resistant hashes were originally developed for use in cryptosystems. Is a hash intended for cryptography also good for use in systems with different characteristics?

Cryptographic hashes are short-lived. Data is forever, secrecy is not. The literature is rife with examples of cryptosystems that turned out to not be nearly as secure as we thought. Weakness are frequently discovered within a few years of a cryptographic hash's introduction[2,8,10]. On the other hand, lifetimes of operating systems, file systems, and file transfer protocols are frequently measured in decades. Solaris, FFS, and ftp come to mind immediately. Cryptologists choose algorithms based on how long they want to keep their data secure, while computer scientists should choose their algorithms based on how long they want to keep their data, period. (Cryptologists may desire to keep data secure for decades, but most would not expect their current algorithms to actually accomplish this goal.)

Obsolecence can occur overnight. A related consideration is how quickly obsolescence occurs for cryptosystems. In operating systems, we are used to systems slowing and gracefully obsolescing over a period of years. Cryptosystems can go from state-of-the-art to completely useless overnight.

Obsolescence is inevitable. Large governments, corporations, and scientists all have a huge incentive to analyze and break cryptographic hashes. We have no proof that any particular hash, much less SHA-1, is ``unbreakable.'' At the same time, history tells us that we should expect any popular cryptographic hash to be broken within a few years of its introduction. If anyone had built a distributed file system using compare-by-hash and MD4, it would already be unusable today, due to known attacks that take seconds to find a collision using a personal computer. MD5 appears to be well on its way to unusability as well[8].

Upgrade strategy required. Given that our hash algorithms will be obsolete within a few years, systems using compare-by-hash need to have a concrete upgrade plan for what happens when anyone with a personal computer can generate a hash collision. Upgrade will be more difficult if any hash collisions have occurred, because part of your data will now be corrupted, possibly a very important part of your data.


next up previous
Next: Silent, deterministic, hard-to-fix errors Up: Questions about compare-by-hash Previous: Randomness of input
2003-06-16