86

I'm looking to renew an SSL (okay, TLS) wildcard certificate with a well-known service. I need to provide a CSR, which I have created using a 2048-bit key. I also need to choose a signature hash. The service offers three choices: SHA-256, SHA-384, and SHA-512. Of these, SHA-256 is the default.

This confuses me. Isn't a longer hash presumed to be always stronger? Is there a good reason I might want the smaller 256-bit signature hash over the larger 512 or is this likely just a UI mistake? Are there some applications that can't use 512 bit hashes yet?

Joel Coehoorn
  • 2,116
  • 1
  • 13
  • 14

2 Answers2

106

From a security perspective, it would be pretty pointless. In practical terms, SHA-256 is just as secure as SHA-384 or SHA-512. We can't produce collisions in any of them with current or foreseeable technology, so the security you get is identical.

From a non-security perspective, the reasons to choose SHA-256 over the longer digests are more easily apparent: it's smaller, requiring less bandwidth to store and transmit, less memory and in many cases less processing power to compute. (There are cases where SHA-512 is faster and more efficient.)

Third, there are likely compatibility issues. Since virtually no one uses certs with SHA-384 or SHA-512, you're far more likely to run into systems that don't understand them. There are probably fewer issues now than in the past, but again, you're buying yourself risk for no gain.

So, at the present time, there are no clear advantages to choosing SHA-384 or SHA-512, but there are obvious disadvantages. This is why SHA-256 is the universal choice for modern certs for websites.

Joel Coehoorn
  • 2,116
  • 1
  • 13
  • 14
Xander
  • 35,525
  • 27
  • 113
  • 141
  • For hash-with-RSA[padding] signature, the storage or transmission of the signature depends only on the key (modulus) and is unaffected by the hash. Compute-time may vary some, and for verifying (only) won't be rendered negligible by the modexp time, though as you note this difference could go either way. – dave_thompson_085 Oct 26 '19 at 01:44
71

The only real advantage that SHA-512 might have over SHA-256 is collision resistance, a term that in cryptography has a very narrow meaning. SHA-256 claims 128-bit collision resistance, SHA-512 claims 256-bit. If or when a practical quantum computer is built, we might need the 256-bit collision resistance.

Since SSL certificates typically have expiration dates in a relatively short term, it's just fine to get a SHA-256 certificate today, because it'll expire before a practical quantum computer is built (if that ever happens).

Apart from that:

  • SHA-256 outputs are shorter, which saves bandwidth.
  • Different hardware favors different functions. SHA-512 is generally faster on 64-bit processors, SHA-256 faster on 32-bit processors. (Try the command openssl speed sha256 sha512 on your computer.)
  • SHA-512/256 sits right in between the two functions—the output size and security level of SHA-256 with the performance of SHA-512—but almost no systems use it so far.
Luis Casillas
  • 10,181
  • 2
  • 27
  • 42
  • 7
    Even if QCs work as predicted and can compute a hash invocation as cheaply as a conventional computer, finding a collision would still be very expensive (It needs $2^{85}$ hash invocations, instead of $2^{128}$). And DJB even claims that there is no speedup at all in realistic cost models that consider the cost of RAM access circuitry. – CodesInChaos Jul 20 '17 at 10:56
  • 1
    This is the more complete answer. – Kyle Burkett Oct 22 '18 at 13:34