15

PKCS#1 defines SHA1 as a default hash function and all implementations support this hash function and the mask generation functions based on SHA1. In some implementations you can change the hash function used for OAEP Padding.

Can a SHA1 hash be used with encrypting random data (symmetric encryption keys) or should another hashing method be used?

Are there known attacks or vulnerabilities?

What are the advantages of other hash functions?

Bob Ortiz
Bernhard
  • Is Thomas's answer still valid in this case after the recent vulnerability discovery on the SHA1 algorithm (https://shattered.it/)? Details will be very much appreciated. – cbj Mar 14 '17 at 17:12
  • 2
    There is no new vulnerability. There was a possible collision attack with effort 2^61, which has been known for a decade, and is already taken into account in my answer. The published collision used that method and confirmed that the method indeed worked, and indeed with the predicted cost of 2^61. From a cryptographic point of view, there is nothing new. – Thomas Pornin Mar 14 '17 at 17:20

1 Answer

17

SHA-1, as a hash function, is known to be "slightly shaky". It is a 160-bit hash function (its output is a sequence of 160 bits); as such, it should offer 2^80 resistance to collisions, whereas it seems that its true resistance is closer to 2^61 or so.

However, OAEP does not ask much from its underlying hash function. It seems that collision resistance is not actually needed at all to ensure the security of the encryption system. See this article for details (it is a bit technical).

Bottom-line: we do not know of any attack that would work against RSA-OAEP by leveraging any weakness of SHA-1; we are not even sure whether such an attack can exist at all. In that sense, there is no known advantage, from a cryptographic point of view, in switching from SHA-1 to another hash function in the context of RSA-OAEP.

However, the current fashion is to shoot SHA-1 on sight and insist on switching to one of the SHA-2 functions (e.g. SHA-256 or SHA-512) systematically. Therefore, using SHA-256 is good for public relations, and will save you some time, because sticking to SHA-1 will require justifying yourself to a lot of people.

Note that SHA-256 has a larger output (256 bits), which imposes a lower limit on the size of the data that you will be able to encrypt. If using a 2048-bit RSA public key (256 bytes), the maximum message size with RSA-OAEP+SHA-1 will be 214 bytes (1712 bits), whereas it will be 190 bytes (1520 bits) for RSA-OAEP+SHA-256. If all you are encrypting are keys for symmetric encryption then this should not matter in practice.

Thomas Pornin
  • I have a follow up question that I posted here: http://security.stackexchange.com/questions/126963/should-sha-1-be-used-with-pkcs-1 – Andrew Savinykh Jun 14 '16 at 04:30
  • Is the RSA-OAEP overhead always `2*(hash_size+1)` for example 42 bytes with SHA1 and 66 bytes with SHA256? Why the additional byte? I've been trying to find something that explains this in basic terms. – starfry Jun 23 '17 at 12:37
  • 1
    @starfry The overhead is always `2+2*hlen`. See [PKCS#1](https://tools.ietf.org/html/rfc3447#section-7.1); there is a figure. Basically, there must be room for a random seed (of length `hlen`), a hashed label (another `hlen` bytes), and two marking bytes to avoid padding ambiguities. – Thomas Pornin Jun 23 '17 at 13:53
  • @ThomasPornin Does the paper you reference prove that collision resistance isn't required? My inexpert reading of it suggests they couldn't prove it *is* needed, which is a different thing in my eyes. – Duncan Jones Aug 15 '19 at 07:34
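To make the `2 + 2*hlen` overhead and the resulting 214/190-byte limits from the answer concrete, here is an added example (not code from the answer or from any library) implementing the EME-OAEP encoding and decoding steps of RFC 3447 section 7.1 with a pluggable hash, using only the standard library. It builds the padded block only; the RSA operation itself is left out, and the `seed` parameter exists so the encoding can be made deterministic for testing.

```python
"""EME-OAEP encode/decode (RFC 3447 section 7.1) with a selectable hash.
Added example: shows where the seed, label hash and two marker bytes go,
which is why a k-byte modulus leaves room for only k - 2*hLen - 2 bytes."""
import hashlib
import os

def mgf1(seed: bytes, length: int, hash_name: str) -> bytes:
    """Mask generation function MGF1 (RFC 3447 appendix B.2.1)."""
    hlen = hashlib.new(hash_name).digest_size
    out = b""
    for counter in range((length + hlen - 1) // hlen):
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def oaep_max_message_len(k: int, hash_name: str) -> int:
    """Largest message (bytes) that fits in a k-byte modulus: k - 2*hLen - 2."""
    return k - 2 * hashlib.new(hash_name).digest_size - 2

def oaep_encode(message: bytes, k: int, hash_name: str = "sha1",
                label: bytes = b"", seed=None) -> bytes:
    """Return the k-byte block EM = 0x00 || maskedSeed || maskedDB."""
    hlen = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * hlen - 2:
        raise ValueError("message too long")        # the limit the answer describes
    lhash = hashlib.new(hash_name, label).digest()  # hash of the (usually empty) label
    ps = b"\x00" * (k - len(message) - 2 * hlen - 2)  # zero padding string
    db = lhash + ps + b"\x01" + message             # 0x01 marks where M begins
    seed = os.urandom(hlen) if seed is None else seed  # random seed of hLen bytes
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, k - hlen - 1, hash_name)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, hlen, hash_name)))
    return b"\x00" + masked_seed + masked_db        # leading 0x00 is the second marker

def oaep_decode(em: bytes, hash_name: str = "sha1", label: bytes = b"") -> bytes:
    """Invert oaep_encode; any inconsistency yields one generic error."""
    hlen = hashlib.new(hash_name).digest_size
    k = len(em)
    y, masked_seed, masked_db = em[0], em[1:1 + hlen], em[1 + hlen:]
    seed = bytes(a ^ b for a, b in zip(masked_seed, mgf1(masked_db, hlen, hash_name)))
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(seed, k - hlen - 1, hash_name)))
    lhash, rest = db[:hlen], db[hlen:]
    sep = rest.find(b"\x01")                        # PS must be all zeros up to 0x01
    if (y != 0 or lhash != hashlib.new(hash_name, label).digest()
            or sep < 0 or any(rest[:sep])):
        raise ValueError("decoding error")          # single error, as the RFC requires
    return rest[sep + 1:]
```

Running `oaep_max_message_len(256, "sha1")` and `oaep_max_message_len(256, "sha256")` reproduces the 214 and 190 bytes quoted in the answer.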