
I have an Android 11 device and many of my apps and system apps use MD5withRSA or SHA1withRSA as signature algorithm by default.

Why should I take my apps SHA256withRSA or SHA512withRSA? Are there any advantages, if so what are they? Are there also performance and stability issues?

2 Answers


One should stop using MD5 and SHA-1 for digital signatures.

MD5's colliding messages can be found in less than a minute, and there are online libraries to produce them: corkami and hashclash. Also, SHA-1 is already shattered, so finding two colliding documents is no longer infeasible, and the attack is faster than the generic collision attack O(2^80). Even before the attack, it was removed from NIST's recommendation for signatures.

Secure signature schemes require the hash of the message, and this was first introduced by Rabin; he introduced the hash (it was then called compression) to prove the security of his signature scheme, which we now call the Rabin Signature Scheme. Some call it the hash-then-sign paradigm; however, it is better not to, since the hashing is part of it.

The danger of collisions in digital signatures is this:

  • one can create two colliding messages before signing, present you the document that you wanted, then use the other one in court. Some other good examples of hash collision attacks can be seen in this question

You should use at least SHA256 or SHA512. Apart from the generic collision resistance differences (SHA256 has 128-bit and SHA512 has 256-bit collision resistance) and the output size difference, 256 vs 512 bits, they have a speed difference due to the fact that SHA256 is designed for 32-bit CPUs and SHA512 for 64-bit CPUs. This can have an impact of around 20% speed difference (tested on 64-bit):

openssl  speed -evp sha512 sha256
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
sha512           21611.03k    70718.37k   124630.02k   221499.05k   246393.51k   251833.00k
sha256           29623.38k    65545.39k   190875.14k   159992.49k   170860.54k   210594.47k

There is another faster one, Blake2b (another SHA3 finalist that Keccak won); it also has a parallel version, Blake3, and SHA3 also has ParallelHash, which can benefit from multiple cores. One can use them if available.

You can use both SHA256withRSA and SHA512withRSA; the difference is the collision resistance and the target CPU architecture.

512-bit is designed against the quantum attacks that Brassard et al. exhibited. There is a cube-root attack that reduces the collision resistance of any 256-bit hash function to 85-bit security and of a 512-bit hash function to ~170-bit. Of course, the other costs are not considered (qubits and preparations). If you are not considering countermeasures against quantum attacks, a secure hash function with an output of 256 bits or more is fine for you; choose SHA512 for 64-bit and SHA256 for 32-bit CPUs, or simply choose SHA512 once and for all.

note: Although the chosen-prefix collision attack on MD5 can accept different-sized files, the resulting sizes of the files must be the same due to the length padding of the MD constructions.

kelalaka
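As an added example (not from the answer, and not Android's own code): the JCE `Signature` API used on Android selects the digest by name, so a small wrapper can refuse the legacy names the answer warns about, sign and verify with SHA256withRSA and SHA512withRSA, and time SHA-256 against SHA-512 on 8192-byte blocks the way the `openssl speed` table above does. Class and method names are hypothetical; the message bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Set;

public class RsaSignatureChoice {
    // Algorithm names both answers advise against; reject them before JCE ever sees them.
    private static final Set<String> BROKEN = Set.of("MD5withRSA", "SHA1withRSA");
    static void requireModern(String algorithm) {
        if (BROKEN.contains(algorithm))
            throw new IllegalArgumentException("refusing collision-prone algorithm " + algorithm);
    }
    // "SHA256withRSA"/"SHA512withRSA" hash the message internally (hash-then-sign in one call).
    static byte[] sign(String algorithm, PrivateKey key, byte[] msg) throws GeneralSecurityException {
        requireModern(algorithm);
        Signature s = Signature.getInstance(algorithm);
        s.initSign(key);
        s.update(msg);
        return s.sign();
    }
    static boolean verify(String algorithm, PublicKey key, byte[] msg, byte[] sig) throws GeneralSecurityException {
        requireModern(algorithm);
        Signature s = Signature.getInstance(algorithm);
        s.initVerify(key);
        s.update(msg);
        return s.verify(sig);
    }
    // Rough digest throughput, mirroring the 8192-byte column of the answer's `openssl speed` run.
    static double megabytesPerSecond(String digest, int blocks) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance(digest);
        byte[] block = new byte[8192]; // constructed zero-filled input
        long start = System.nanoTime();
        for (int i = 0; i < blocks; i++) md.update(block);
        md.digest();
        return block.length * (double) blocks / (1 << 20) / ((System.nanoTime() - start) / 1e9);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "contract v1".getBytes(StandardCharsets.UTF_8); // constructed sample message
        for (String alg : new String[] {"SHA256withRSA", "SHA512withRSA"}) {
            byte[] sig = sign(alg, kp.getPrivate(), msg);
            boolean tamperedOk = verify(alg, kp.getPublic(), "contract v2".getBytes(StandardCharsets.UTF_8), sig);
            System.out.printf("%s: valid=%b tampered=%b%n", alg, verify(alg, kp.getPublic(), msg, sig), tamperedOk);
        }
        System.out.printf("SHA-256 %.0f MB/s, SHA-512 %.0f MB/s%n",
                megabytesPerSecond("SHA-256", 20000), megabytesPerSecond("SHA-512", 20000));
    }
}
```

The throughput numbers depend on the CPU and JIT warm-up, so read them as a relative comparison, not as a benchmark.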

MD5 and SHA1 are no longer considered secure for cryptographic use due to collision attacks.

It is recommended to use SHA256 or SHA512 instead. Depending on your processor, either of them could be faster (although the difference in performance will barely have a real life impact).

    You may want to mention that SHA-512 is often faster than SHA-256 on 64-bit processors due to its use of 64-bit words, since OP mentioned performance issues (not that they really matter for signatures...) – forest Jan 23 '21 at 23:54