Moving to SHA256 has become an increasingly common topic ever since SHA-1 went through the bad news cycle of being vulnerable faster than brute-force. Even in cases where not relevant, such as authentication mechanisms (SCRAM), it feels like only a short time from now regulators will push a SHA-2 family as minimum requirement. For most people that means moving to a 256 bit key length (SHA256) sooner rather than later.
Will SHA256 cause a performance issue when replacing SCRAM-SHA-1? It’s hard to say, given that many variables are involved in testing, yet generally we expect a 50% performance change with 256 bit key length of SHA-2 compared with 160 bit key length of SHA-1.
Assuming proper construction a larger bit size means more possible combinations, which means strength through slowing down brute force attempts. A cryptographic hashing algorithm is only as great as its ability to make truly unique, non-guessable, hashes. So here’s a way for you to compare speeds:
ubuntu17:~$ openssl speed -multi 2 -decrypt sha1 sha256
The 'numbers' are in 1000s of bytes per second processed sha1 176979.32k 479049.54k 1017926.06k 1451719.34k 1652667.73k sha256 144534.98k 302692.57k 576607.91k 697034.07k 740136.28k
This is a Security Bloggers Network syndicated blog post authored by Davi Ottenheimer. Read the original post at: flyingpenguin