If I combine MD5 + SHA, am I right to say I have a super secure hash?

phproy

Hi guys,

Here is another session of cryptography discussion.

MD5 is unlikely to collide for 2 different hashes, not to say its impossible. Up to date, theres no one yet to be able to produce 2 different file/strings that have the same MD5 hash.

It is also known that SHA is more powerful, well its 160 bit, compared to MD5's 128 bit.

I was thinking if I use MD5 ad SHA in conjunction, will I get a way more unique hash?

e.g.

$hash = sha('apple').md5('apple');

mtmosier

Up to date, theres no one yet to be able to produce 2 different file/strings that have the same MD5 hash.

Actually...

It is also known that SHA is more powerful, well its 160 bit, compared to MD5's 128 bit.

While that's true, SHA's got it's own issues.

I was thinking if I use MD5 ad SHA in conjunction, will I get a way more unique hash?

Yes. I wouldn't say "super secure hash", as in your title, but definitely better than either alone.

Edit - I'm assuming the code you're using as an example is to validate files or that a string is correct, and not to, for example, hash passwords. By giving two hashes instead of one for a password you let the attacker choose which one they want to break, as they'd only need to break one.

laserlight

What are you using the hashing algorithms for?

phproy

laserlight,

I know that you are going to chime in coz this is your area of expertise....😃

Anyway I was going to use md5file to generate a hash to identify pornographic images that were uploaded to my image hosting script.
I wanted a facility for users to flag inappropriate images and send the hash back to the central server.

Other people can download hashes and use this database to easily identify inappropriate images.
Hope Im making sense.

e.g.

$hash_of_inappropriate_content = sha1_file($location).md5file($location);

Another question is that since SHA is sort of based on MD5, wouldnt it be redundant if I use em both?
its like attempting to use md5(md5(md5($string))) to make it 3 times more unique which is not the case.

mtmosier

Well, I can't claim any special expertise, but I'll respond anyway. If nothing else I do like to hear myself speak. (read my own posts?)

To the best of my knowledge, the odds of MD5 and SHA1 having a collision on the same file are minuscule, despite being related. If they did collide on similar input then there'd be little reason to use SHA1 over MD5.

If you want to avoid collisions that much perhaps you should look at a 512-bit hash, such as SHA-512 or Whirlpool. Heck, use those two in conjunction for that matter. If all you've got to work with is MD5 and SHA1 (say, because that's what's available easily), then concatenating the two is going to be better than using just one. Though honestly, I'm not sure why using just SHA1 isn't good enough for this purpose. 🙂

phproy

mtmosier,

Thanks for the input.
Just to let you know that you are not the only one whos going to enjoy reading the quoted post below.😃

Anyway yeah I would like to minimize collision while while maintaining performance.
never heard of SHA-512 but it sounds like its too hardcore and resource hungry, taking light years to complete one miserable hash. No, thanks to that. 😃

I wanted to use both MD5 and SHA1 because I can achieve way lower collision which still achieving almost the same performance as using either one.
At this point, I am wondering why don't developers use both instead of just one? Is it plain laziness,ignorance, lack of creativity or just that the reward (lower chance of collision ) is insignificant?

Originally posted by mtmosier
Well, I can't claim any special expertise, but I'll respond anyway. If nothing else I do like to hear myself speak. (read my own posts?)

To the best of my knowledge, the odds of MD5 and SHA1 having a collision on the same file are minuscule, despite being related. If they did collide on similar input then there'd be little reason to use SHA1 over MD5.

If you want to avoid collisions that much perhaps you should look at a 512-bit hash, such as SHA-512 or Whirlpool. Heck, use those two in conjunction for that matter. If all you've got to work with is MD5 and SHA1 (say, because that's what's available easily), then concatenating the two is going to be better than using just one. Though honestly, I'm not sure why using just SHA1 isn't good enough for this purpose. 🙂