MD5 vs SHA1 vs SHA2 vs SHA3 – Compare Hashing Algorithms
Identifying the Differences Between MD5 vs SHA1 vs SHA2 vs SHA3
As the physical and digital worlds are coming together by the day, the need to protect our privacy and confidentiality is becoming more pivotal. Securing data is essential for everyone, including an organization, a person, or any digital entity.
In the world of digital security, hashing and encryption are two important protection structures.
Let’s keep encryption for another time and focus on hashing for today. According to CyberEdge, in 2020, 85% of the organizations were a victim of a successful cyber attack. In 2022, 85% of the organizations were victimized by a ransomware attack.
Hashing is used to protect everyone interacting with the web in one way or another. However, from the day hashing was brought into the mainstream till today, it has undergone several changes and upgrades.
When cybersecurity attackers up the ante, it becomes mandatory to upgrade the existing security structure. This leads us to the central topic of our discussion today, which is explaining and knowing the difference between MD5 vs SHA1 vs SHA2 vs SHA3.
What is Hashing and What is a Hash Function?
Hashing is a process whereby a string of characters is converted into another form. We map keys and values into the hash table with the help of a hash function. As a result, the given string of characters gets a new value generated with the help of a mathematical algorithm. The result is called a hash value or hash.
The string of characters, which is converted, is called a key. The best form of a hash function is when the key is converted with a one-way hash function. This means that the generated hash function cannot be converted back to reveal the actual value or key.
However, with time, the hackers developed systems to reverse engineer the hash function and reveal the original key. This is one of the reasons for upgrading the hash functions to make it impossible to deduce the original value from the hash value.
Hash functions are the types, or we can say different procedures used to generate the hash value. MD5, SHA1, etc., are examples of a hash function. SHA1, SHA2, and SHA3 are only three types of hash functions. There are others as well, including SHA 256, SHA 512, etc.
Where are Hash Functions Used?
One of the most uses of a hash function is to secure a password. When you create a password for an online account, it stores the password in the hash value. So, the password you entered has a unique hash value, which is not shared by any other hash value.
Hence, when you enter the password the second time, it will again generate a hash function. If the hash function created just now matches with the one created during the creation of the password, you would gain access to the account.
In essence, hashing is used to check and verify that the converted string of characters is not altered, edited, or tampered with. Because even the slightest change in the original string of characters will generate a new hash value.
And if the original and existing hash values do not match, that means someone has tried to alter the contents. The same principle applies when you want to check the authenticity of a document or file shared online.
Given that you have the expected hash value of a string of characters, you can check the hash value after receiving the file. If the hash values don’t match, that means the content of the file shared is altered or changed.
What is MD5?
To understand the difference between MD5 and SHA1 and SHA2 and SHA3, let’s start with getting the basics about them clear.
Message Digest-5 is a one-way cryptographic hashing algorithm. MD5 takes a string of any length converting it into a fixed hash value of 128-bit. While MD5 is known to have been broken in some instances, it is still widely used on a lot of transactions in public offices.
This hashing function is a successor to MD4 and was introduced in 1991 by Ronald Rivest.
For instance, it is used for validating the integrity of publicly shared files. It is also used to compute checksums for validating file transfers.
| Original Text: “If the hash values don’t match, that means the content of the file shared is altered or changed.” | MD5 Hash Value: 3e753cd611d9b398b8d868b3492e4cbe |
| Original Text: “When the hash values do not match, that means the content of the file shared is altered or changed.” | MD5 Hash Value: ff98627f01f58ac0f1ceed9e46869dba |
In both texts, notice the change in MD5 value when we replace “If” in the first sentence with “When” in the second sentence.
At present, the MD5 hash function is not considered secure. This was revealed in 2011 when a public organization cited a number of attackers against the MD5 hashes. In these attacks, the hackers were able to generate hash collisions in less than one minute.
More sophisticated attacks could do this in less than 10 seconds. Due to these anomalies, MD5 has been gradually phased out, and other better hashing functions have taken its place in the form of SHA1, SHA1, and SHA3.
Compare SHA1 vs SHA2 vs SHA3 Hashing Algorithms:
Secure Hash Algorithm 1 (SHA 1)
SHA1 was introduced by the National Security Agency of the USA. SHA1 takes the output and generates an output of 160-bits hash value. This hashing function replaced SHA0 and was first used in 1995.
SHA1 was a force to reckon with when it was presented, but after 2005, it was rendered insecure. Yes, there have been attacks to crack this algorithm as well, and some were successful.
Google submitted proof of collision by using the SHA1 algorithm. This means that Google proved that with SHA1 hashing, two different inputs generated the same output. This alone could hamper the integrity and security of the data shared by using this hashing function.
Post this proof, which was submitted in 2017, Google and other tech giants enabling web connections have stopped using this standard. Even the NIST asked federal agencies to stop using SHA1 in 2005 and start implementing SHA2 by the end of 2010.
| Original Text: “SHA1 was introduced by the National Security Agency of the USA” | SHA1 Hash Value: 48de5c355fd0707fd7011fc9d82fb2fc5b3a9f08 |
| Original Text: “SHA1 was launched by the National Security Agency of the USA” | SHA1 Hash Value: 580e20db0f524fd2057ce0ce019c8c52246273bc |
Secure Hashing Algorithm 2 (SHA 2)
From here, things start to get more complex, and according to the results, we can say more serious as well. The SHA2 algorithm came out in 2001. But this time, it was not a single type of hash function; rather, SHA2 has six different hash functions. These are;
- SHA-224
- SHA-256
- SHA-384
- SHA-512
- SHA-512/224
- SHA-512/256
The numbers at the end of SHA represent the hash length. Out of these six, SHA-256 is considered one of the most secure hashing functions. Even so, it is used in the majority of SSL certificates and even crypto transactions.
The additional hash length or the numbers you see towards the end increases security. Due to this, this hashing function has become resistant to collision and is supported by the majority of browsers we are using today.
| Original Text: “The SHA2 algorithm came out in 2001.” | SHA2 (256) Hash Value: 8f4f405af626f2276f55dbd04dbecf907cfd770954c18328dbf6638293cebe97 |
| Original Text: “The SHA2 algorithm was launched in 2001.” | SHA2 (256) Hash Value: deab10d29b6cfeccd5d71c0b673c7c331b35173e5cebc7aa0653047cf3e2a052 |
Secure Hashing Algorithm 3 (SHA 3)
SHA3 is an advanced version of the same hashing function, but it is also completely different from SHA1, SHA2, and MD5. This function is based on an innovative cryptographic system called Sponge System.
The name itself describes how SHA3 works. It takes the input, absorbs it like a sponge, and squeezes out the result. Even though SHA3 is considered better than previous versions, the NSA has not asked to start using and replacing it with SHA2.
SHA3 has four different hash functions;
- SHA3-224
- SHA3-256
- SHA3-384
- SHA3-512
Along with this, it also has two extendable output hash functions;
- SHAKE-128
- SHAKE-256
Compared to SHA2, SHA3 has relatively fewer implementation costs and is much faster than the previous versions.
| Original Text: “SHA3 has four different hash functions” | SHA3 (256) Hash Value: “393a1ffcf0a78e86caa8637427ac67f32edb7c7a861fb78ae6ff958ae082f675” |
| Original Text: “SHA3 includes four different hash functions” | SHA3 (256) Hash Value: “0060885342b014d5aa77a764d59e365891fd207f27a1b4b2253e0c40c78ffbcf” |
Compare MD5 vs SHA1 vs SHA2 vs SHA3 Hashing Algorithms
| Parameter | MD5 | SHA1 | SHA2 (224, 256, 384, & 512) | SHA3 (224, 256, 384, & 512) |
| Launch Year | 1992 | 1995 | 2001 | 2008 |
| Block Size | 512 bits | 512 bits | 512 bits 1024 bits | 1152 bits 1088 bits 832 bits 576 bits |
| Output (Hash Value or Message Digest) | 128 bits / 16 bytes 32 – hexadecimal digits | 160 bits / 20 bytes 40 – hexadecimal digits | 256 bits / 32 bytes 64 – hexadecimal digits 512 bits / 64 bytes 128 (hexadecimal digits) | 224 bits / 28 bytes 56 – hexadecimal digits 256 bits / 32 bytes 64 – hexadecimal digits 384 bits / 48 bytes 96 – hexadecimal digits 512 bits / 64 bytes 128 – hexadecimal digits |
| Construction System | Merkle–Damgård | Merkle–Damgård | Merkle–Damgård | Sponge (Keccak) |
| Possibility of Collision | High Possibility | Possible – Google found proof of collision in 2017 | No proof of collision has been found yet. | Susceptible to collision in squeeze attack. |
| Weakness | Susceptible to collision Slower performance | Has only one use case – password storage. Susceptible to collision Short key length | SHA 256 is slower than its previous versions. Softwares and browsers must be updated to implement SHA2. | Susceptible to collision |
| Is it Still in Use? | No | No | Yes | Yes |
| Utility or Applications | Data Encryption Verifying file integrity | TLS/SSL Certificate Verifying the Integrity of a file | Security application protocols Cryptographic transactions Digital certificates | Can replace SHA2, where necessary. |
From the table, we can conclude that, at present, SHA2 and its variants are the most secure form of hashing algorithms. On the other hand, MD5 and SHA1 are already compromised. Hence, they are discontinued from general usage.
With SHA2, there are several use cases and applications. It is also a fast performer, and we have not yet discovered any successful attacks on the SHA2 hashing algorithm.
The nature of collision resistance of any hashing function depends on its hash bits. More hash bits mean higher collision probability. So a hash value of 64 bits is less secure and more prone to collision than a hash value of 128 bits. By principle, we can say that a 256-bits value is less secure than 512 bits hash value.
Hence, going forward, if and when there is a collision-proof or a successful attack on the 256-bits hash value output, we can assume that switching to 512-bits will be a better option.
Conclusion
Hashing functions or algorithms are long been used to secure our online transactions and verify the integrity of the data. Today, we are not using MD5 and SHA1 hashing functions due to their visible vulnerabilities.
As a result, SHA2 and SHA3, along with their variants, are now in usage across the web. More than SHA3, SHA2 is widely popular and used in the majority of online systems. However, SHA3 is a more secure and fast performer than SHA2. It represents the supreme form of hashing functionality and may even become the go-to hashing function in the future.
Digitally Sign your Software Codes, Executables, and Applications and bind the publisher’s identity to the software with Comodo Code Signing Certificate at the lowest price of $210.99/yr.
