-1

Somebody could tell me in what sense SHA1 is better than MD5?

Thanks

John
  • 51
  • 1
  • 3
  • 1
    Don't use either of them, they are both irreparably broken. – Stephen Touset Oct 03 '18 at 00:50
  • 2
    @StephenTouset: *"Don't use either of them, they are both irreparably broken."* - broadly claiming these functions to be broken for any kind of use like you do is not true. It instead depends on the use case. They are only broken if specific attacks (like collision) are a problem, i.e. in cases like digital signatures. They are not a problem for use in HMAC, inside key derivation functions etc. – Steffen Ullrich Oct 03 '18 at 01:18
  • 2
    Possible duplicate of [What are the enhancements of SHA1 compared to MD5?](https://security.stackexchange.com/questions/61087/what-are-the-enhancements-of-sha1-compared-to-md5), [Is SHA1 better than MD5 only because it generates a hash of 160 bits?](https://security.stackexchange.com/questions/19705/is-sha1-better-than-md5-only-because-it-generates-a-hash-of-160-bits). – Steffen Ullrich Oct 03 '18 at 01:31
  • MD5 has suffered a lot of security-reducing exploits over the years. SHA1 is much better, it takes [years and millions of bucks to find a SHA1 collision](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html), whereas wikipedia lists an MD5 collision in the article and mentions that a desktop computer can find a fresh one in short order. – dandavis Oct 03 '18 at 16:20
  • @SteffenUllrich While this is true, it's irrelevant in practice. There are bordering on zero real-world situations where someone should be choosing one of those over something like SHA-256 or BLAKE2b. Even seasoned cryptographers who know that SHA-1 is safe in an HMAC construction will choose to use SHA-256 ten times out of ten. – Stephen Touset Oct 04 '18 at 05:18
  • @StephenTouset: *"... it's irrelevant in practice. There are bordering on zero real-world situations where someone should be choosing one of those over something like SHA-256 or BLAKE2b."* - I very much doubt this claim of irrelevance: both MD5 and SHA1 are used together in TLS 1.0 and TLS 1.1 to create the PRF, specifically SHA1 is used as HMAC in numerous TLS ciphers still considered safe, HMAC-SHA1 is the default PRF in PBKDF2, ... – Steffen Ullrich Oct 04 '18 at 05:39
  • TLS 1.1 was defined in 2006, 12 years ago. PBKDF2 was defined in 2000, 18 years ago. If you're implementing interop with existing systems, that's one thing. But nobody should be choosing to use these algorithms in modern systems. – Stephen Touset Oct 04 '18 at 19:31

1 Answers1

1

Since SHA1 has a larger digest of 160 bits, compared to MD5 having a digest of 128 bits, SHA1 is "less likely" to have collisions.

Both are insecure and are prone to collisions and length extension attacks, so SHA1 would take more time to break than MD5.

Icarus
  • 91
  • 1
  • 7