A few notes, added as we come across them, on various encryption algorithms. Please note this isn’t intended to be an exhaustive or detailed list of everything. You should carry out your own research before selecting an encryption algorithm; don’t blindly rely on comments like these, as they may be wrong or out of date!

Hashing algorithms to use

A cryptographic hash function can be used to prove that something is unchanged. It forces a malicious user to do an impossible amount of work to fake a change they’d like to get past it.

SHA2

The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.

It has the advantage that it is hardware-accelerated on basically any modern hardware, so it’s usually the fastest. There are well-optimized implementations and they typically run acceptably fast unless you’re dealing with really large files (e.g. hundreds of gigabytes).

SHA256 is fast and gives the closest thing we have to a guarantee that even someone trying to cause a collision will not succeed.

SHA3 (Keccak)

A more modern hash than SHA256.

BLAKE2

Good

BLAKE3

A more modern hash than SHA256.

A good choice if working with huge files as it is a cryptographic hash that can run in parallel.

SHA1

Do not use, no longer cryptographically secure.

MD5

Do not use, no longer cryptographically secure.

xxhash

Do not use, not intended to be cryptographically secure.

crc32

Do not use, not intended to be cryptographically secure.
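
To illustrate why a checksum such as crc32 cannot prove that something is unchanged while SHA-256 can, here is an added example (not part of the original notes). It searches constructed 16-byte messages for two that share a CRC32 value and then compares their SHA-256 digests; the function names and sample messages are made up for illustration.

```python
import hashlib
import zlib

def constructed_message(i):
    """Constructed sample input: 16 pseudo-random bytes derived from a counter."""
    return hashlib.sha256(str(i).encode()).digest()[:16]

def find_crc32_collision(limit=2_000_000):
    """Return two different messages with the same CRC32, or None.

    CRC32 has only 2**32 possible outputs, so by the birthday bound a
    repeat is expected after roughly 2**16 to 2**17 messages.
    """
    seen = {}
    for i in range(limit):
        msg = constructed_message(i)
        crc = zlib.crc32(msg)
        other = seen.get(crc)
        if other is not None and other != msg:
            return other, msg
        seen[crc] = msg
    return None

def compare(a, b):
    """Report whether each function can tell the two messages apart."""
    return {
        "crc32_equal": zlib.crc32(a) == zlib.crc32(b),
        "sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
    }

if __name__ == "__main__":
    a, b = find_crc32_collision()
    print(a.hex(), b.hex())
    print(compare(a, b))
```

The search finishes in well under a second on ordinary hardware; the same birthday search against a 256-bit digest would need on the order of 2**128 messages.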

Encryption Algorithms

AES

Very efficient computationally.
Symmetric, not asymmetric, which is better for computation power.
AES128 – fine by today’s standards. Used by many password apps etc.
AES256 – Very strong

Blowfish

Has resisted all attacks despite being quite old. However, it only has a 64-bit block size (you give it 64 bits to encrypt at a time), which is considered too small these days. It does have a slow key setup approach which, whilst computationally intensive, adds more security compared to other, faster key setup methods.

MD5

MD5 is completely broken. It is widely used, including for many web SSL security certificates. It has recently become vulnerable to attack due to weaknesses that were not intended by the original designers, allowing a new form of attack whereby fake but valid-looking SSL certificates have been created that appear to have been signed by a root authority (e.g. Thawte).
MD5 without a salt is easily cracked by rainbow tables. Many password apps use it to store a hash of the user’s master password. Without a salt it’s rubbish, and the rainbow tables can be used to look up the source password.
Using it with a salt removes the rainbow table reverse-lookup method and makes the hash much better.

Replacements

  • For signing documents, SHA2 (e.g. SHA-512)

RC4 Pseudo Random

Very good pseudo-random generator, widely used (e.g. used for SSL).
A “too-good-to-be-true” cipher. Brilliantly simple, modifying itself slowly but just enough to thwart attacks even though it does leak information about its state.
It’s 25 years old now but it has proved to be really simple and really good, with current attacks being on the periphery of practicality.

RSA

768-bit keys have been cracked, so you need to use 1024 or 2048 bits to be secure.

Spritz

A re-design of RC4. Very simple to implement. Can be done in JavaScript.
https://www.schneier.com/blog/archives/2014/10/spritz_a_new_rc.html

SHA1

Was secure, and a better algorithm than MD5, as long as it was salted. However, it is now broken (2020-02) and can be reliably cracked, albeit with expensive hardware.
SHA-1 provides only 80 bits of security.

SHA2

SHA2 is the successor of SHA1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256. It works the same way as SHA1 but is stronger and generates a longer hash.

SHA-256

SHA-256 is the most popular hash function in the SHA-2 family at the time of writing. It provides 128 bits of security for digital signatures and hash-only applications.
Considered: Good, although fast to carry out on GPUs. For password hashes bcrypt is preferred, as it is more costly to crack because it can’t be run more efficiently on GPUs.
A hash is a one-way function: it cannot be decrypted back. This makes it suitable for password validation, challenge hash authentication, anti-tamper and digital signatures.
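
The salting point from the MD5 notes and the GPU-cost point above, shown together as an added example (not part of the original notes). scrypt from Python’s standard library is used here in place of bcrypt, which needs a third-party package; the word list, function names and cost parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list standing in for a precomputed table.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]

def unsalted_md5(password):
    return hashlib.md5(password.encode()).hexdigest()

def salted_md5(password, salt):
    return hashlib.md5(salt + password.encode()).hexdigest()

# Built once, then reusable against every unsalted hash that is ever stored.
PRECOMPUTED = {unsalted_md5(p): p for p in COMMON_PASSWORDS}

def table_lookup(stored_hash):
    """Return the password a stored hash maps to, or None if it is not in the table."""
    return PRECOMPUTED.get(stored_hash)

def hash_password(password, salt=None):
    """Salted, deliberately slow and memory-hard hash (scrypt standing in for bcrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    # Cost parameters are illustrative assumptions; tune them for your hardware.
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    print(table_lookup(unsalted_md5("letmein")))
    print(table_lookup(salted_md5("letmein", os.urandom(16))))
    salt, digest = hash_password("letmein")
    print(verify_password("letmein", salt, digest))
```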

SHA-512

SHA-512 is the largest hash function in the SHA-2 family of hash functions. SHA-512 provides 256 bits of security to digital signatures and hash-only applications.
Considered: Good

Easy To Implement Encryption Algorithms

AES is complex and big. Steve Gibson @ Security Now has said he’s done it in assembler, but you have to be really careful, and even in C it is hard to get right.

Spritz

A re-design of RC4 (which is brilliant). Very easy to implement in code. Can be done in JavaScript.
