7

The difference is in the length they generate.

crc32() gives 32 bit code

sha1() gives 128 bit code

md5() gives 160 bit code

Is it right? Or are there any more differences among them?

  • 2
    You should mention what you want to do with those hash functions, hash functions have different purposes. If it is your intention to store passwords, keep in mind that none of these functions are appropriate, instead use a slow key-derivation function like BCrypt. – martinstoeckli Mar 28 '13 at 08:05
  • @martinstoeckli Oh yeah, I forgot about bcrypt :D Does that have a php implementation though? – Patashu Mar 28 '13 at 08:05
  • 1
    @Patashu - Yes there is, but it is a bit tricky to use it, have a look at this [example](http://www.martinstoeckli.ch/php/php.html#bcrypt). – martinstoeckli Mar 28 '13 at 08:07

6 Answers

18

They each implement a different cryptographic hash function, and each hash function does generate a different sized hash. The main difference between the three functions you've shown here is that sha1 and md5 are actually meant to be cryptographically secure. The crc32 (crc stands for cyclic redundancy check) function is not a crypto function and is meant to generate a hash that will be used to check the integrity of a file (mostly to determine if it was corrupted during download).

Just a side note: Please don't use md5 or sha1 for any real crypto work (such as hashing passwords). These are both terribly broken (just ask Evernote or any of the other companies burned by using this old algorithm). Instead use the PHP crypt() function and use the SHA-256 or SHA-512 (better than 256), or blowfish. And always salt your hashes...

Mike D.
  • 3
    Actually not even SHA-512 is appropriate to hash passwords, you should use a slow key-derivation function like `BCrypt` or `PBKDF2`. They have an adaptable cost factor which can be increased for future hardware. – martinstoeckli Mar 28 '13 at 08:55
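The advice in this answer and its comment (bcrypt, a per-password salt, a cost factor that can be raised later), as an added PHP example that is not part of the original answer. It assumes PHP 7.0 or later; `TARGET_COST`, the `$users` array and the sample password are constructed for illustration.

```php
<?php
// Added example, not code from the thread.
// TARGET_COST is an assumed policy value: raise it as hardware gets faster.
const TARGET_COST = 12;

function hash_password(string $password): string
{
    // password_hash() draws a random salt and stores algorithm, cost and
    // salt inside the returned string, so no separate salt column is needed.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => TARGET_COST]);
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // The stored hash may predate the current cost. The plaintext is only
    // available at login, so this is the moment to upgrade it.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, ['cost' => TARGET_COST])) {
        $users[$name] = hash_password($password);
    }
    return true;
}

// Constructed sample store: one account hashed earlier at a lower cost.
$users = ['alice' => password_hash('s3cret-sample', PASSWORD_BCRYPT, ['cost' => 10])];

var_dump(login($users, 'alice', 'wrong-guess'));    // rejected, hash untouched
var_dump(login($users, 'alice', 's3cret-sample'));  // accepted, hash upgraded
var_dump(password_get_info($users['alice'])['options']['cost']);

// Same password, two calls: the random salt makes the stored strings differ,
// which is what defeats precomputed lookup tables.
var_dump(hash_password('s3cret-sample') === hash_password('s3cret-sample'));
```

bcrypt only considers the first 72 bytes of the password, so very long passphrases are effectively truncated.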
4

I think not only the length differs; they also use different algorithms to encrypt the data.

Crypto usage in PHP is simple, but that doesn’t mean it’s free. First off, depending on the data that you’re encrypting, you might have reasons to store a 32-bit value in the database instead of the 160-bit value to save on space. Second, the more secure the crypto is, the longer is the computation time to deliver the hash value. A high volume site might be significantly slowed down, if frequent md5() generation is required.

Dipesh Parmar
  • OK. And which one is more secure, md5() because its length is 160 bit? –  Mar 28 '13 at 07:53
  • 2
    md5 is not the most secure - sha1 is more modern than md5, and md5 has been found to be breakable, e.g. find another message that hashes to a given md5 hash. – Patashu Mar 28 '13 at 08:03
  • @Patashu yes, MD5 is breakable and it's cracked too... Bcrypt is not yet broken – Dipesh Parmar Mar 28 '13 at 08:06
  • @Dipesh Parmar Yes, bcrypt and related hashes are the best choice for passwords. If you don't have access to that, sha256 followed by sha1 as well as a salt on the password should be used. – Patashu Mar 28 '13 at 08:07
  • @Patashu right even AES would be good too.. – Dipesh Parmar Mar 28 '13 at 08:08
  • @Dipesh Parmar AES is not designed for hashing - use the right tool for the job. – Patashu Mar 28 '13 at 08:12
3

crc32 is not a hashing algorithm

crc32 generates "the crc32 checksum of str as an integer." - its intended use is to quickly verify the integrity of something, and it is widely used to detect accidental changes such as network transmission errors.

md5 and sha1 are hash algorithms

You are better off reading php's docs that cover examples:

> Why are common hashing functions such as md5() and sha1() unsuitable for passwords?
>
> Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.

An md5 is 128-bit, a sha1 is 160-bit. In the question this is reversed.

A major difference between md5 and sha1 is that an example of a sha1 collision has yet to be found. I.e. if you use md5 for two different inputs, it's possible to get the same hash; with sha1 it's not. Other than that they implement different algorithms but, e.g., are both unsuitable for storing passwords despite being commonly used to do so.

Community
AD7six
  • 1
    CRC is pretty much useless to check against tampering. Its intended purpose is to detect unintentional errors such as network transmission errors. Cryptographic hash functions are better suited against intentional tampering. – Egon Olieux Jun 17 '16 at 19:56
  • @EgonOlieux I updated the answer, as it was a little vague. Thanks! – AD7six Jun 18 '16 at 15:14
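An added example (not part of the original answer) that measures what this answer and the quoted PHP documentation describe: the digest size of each function and how fast the general-purpose hashes are next to bcrypt. It assumes PHP 7.4 or later; the input string, round counts and cost value are arbitrary choices, and `crc32b` is the `hash()` name for the checksum that `crc32()` computes.

```php
<?php
// Added example, not code from the thread.
$input  = 'correct horse battery staple';  // constructed sample input
$rounds = 200000;                          // iterations for the fast functions

function digest_bits(string $algo, string $data): int
{
    // With the third argument true, hash() returns raw bytes, so strlen()
    // is the digest size in bytes rather than the hex string length.
    return strlen(hash($algo, $data, true)) * 8;
}

function hashes_per_second(callable $fn, int $rounds): float
{
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    // Guard against a zero interval on very coarse clocks.
    return $rounds / max(microtime(true) - $start, 1e-9);
}

// Checksum and general-purpose hashes: size in bits and measured throughput.
foreach (['crc32b', 'md5', 'sha1', 'sha256'] as $algo) {
    $rate = hashes_per_second(fn() => hash($algo, $input), $rounds);
    printf("%-7s %3d bits  %14.0f hashes/s\n", $algo, digest_bits($algo, $input), $rate);
}

// A password hash is slow on purpose. Each call also generates a fresh salt.
// Cost 12 is an assumed setting; every +1 doubles the work per hash.
$rate = hashes_per_second(
    fn() => password_hash($input, PASSWORD_BCRYPT, ['cost' => 12]),
    3
);
printf("%-7s cost 12   %14.1f hashes/s\n", 'bcrypt', $rate);
```

The absolute rates depend on the machine; the point is the gap of several orders of magnitude between the fast functions and bcrypt, which is the gap a password guesser faces as well.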
1

crc32() is NOT intended to be used for cryptographic purposes. Its purpose is that it produces a hash very very quickly, so you want to use it when that is your primary concern - you want a usually useful hash right away. It's used in networking equipment for this reason.

md5() and sha1() are both cryptographic hashing, meaning they intend to have very nice properties, such as it being very very hard to find a message that produces a certain hash given only what the hash value is. However, sha1 is more secure and more modern than md5. In fact, the use of md5 should be considered deprecated if you care about security.

Also remember to salt hashes of passwords by concatenating something extra with them, or something called a 'rainbow table' which is a big list of pre-hashed common passwords can be used to figure out what the hashes correspond to and hack user accounts.

Patashu
0

Those are called hash functions.

http://en.wikipedia.org/wiki/Hash_function - explains the different types of hash functions

They work completely differently internally.

Note: Don't use crc32 for encryption purposes. Its use is for quick hashing, it is not nearly as secure as sha1 or md5.

Nick Pickering
  • 2
    They do NOT 'do the same thing' if security is a concern. crc32 makes no cryptographic guarantees, e.g. it's really unsafe to use for hashing passwords. – Patashu Mar 28 '13 at 08:02
-4

The major difference is the length of the hash generated.

CRC32 is, evidently, 32 bits, 
sha1() returns a 128 bit value, 
and md5() returns a 160 bit value. 

It is important when avoiding collisions.

Nirav Ranpara