AES encryption: More secure than SHA1?

I know this is more of a curiosity but I wanted to get some expert opinions on this. I recently heard someone recommend stepping up from md5ing (not to SHA1) but to AES encrypting the password, which would use itself as the key. Does anyone have any recommendations on if that would be more or less secure?



To store something which allows the server to verify a given password, but does not allow it to rebuild the password; the latter property is desirable, so that consequences of an illegitimate read access to the server database by an attacker remain limited.

So we want a one-way deterministic transform which converts a given password into the verification value. The transform shall be:

  • configurably slow, so as to thwart dictionary attacks;
  • distinct for every instance, to prevent parallel dictionary attacks, including precomputed tables (that’s what salts are about).

A single invocation of MD5 or SHA-1 fails on both accounts, since these functions are very fast, and not salted. Slowness can be done through nesting many invocations (thousands, possibly millions), and the salt can be injected “somewhere”, although there are good and bad ways to do it. PBKDF2 is a standard transform which does just that, and it is not bad at it (although bcrypt should be somewhat preferable).

However, MD5 and SHA-1 do at least one thing right: they were designed to be one-way. That’s hard to do; it is not even theoretically proven that one-way functions can really exist at all. Cryptographers around the world are currently involved in a competition to design a new, better one-way hash function.

So what your professor seems to recommend is to replace a function designed for one-wayness, with a function which was not designed for one-wayness. It does not correct anything about slowness and salting, but it removes the one good thing about MD5 and SHA-1. Moreover, AES is known to be relatively weak with regards to related-key attacks — that’s not a problem as long as AES is used for what it was meant to, i.e. encryption, but it becomes an important issue when it is subverted into a building block for a one-way hash function. It seems possible to build a secure hash function by reusing parts of the AES design, but it requires substantial reworking (see for instance Whirlpool and ECHO).

So do not use a homemade AES-based password hashing scheme; for that matter, do not use anything which is “homemade”: that’s a recipe for disaster. Security cannot be tested; the only known way to make a secure algorithm is to have hundreds of trained cryptographers look at it closely for a few years. You cannot do that by yourself. Even a lone cryptographer will not risk that.

Hope this helps.
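The answer above names the two properties a password verifier needs (a configurable work factor and a per-entry salt) and points at PBKDF2 as a standard transform that provides both. The following is an added example, not code from the question or the answer, showing what that looks like with Python's standard library: a salted, iterated PBKDF2-HMAC verifier stored in a self-describing string, a constant-time verify step, and an unsalted single SHA-1 hash beside it for contrast. The verifier format `pbkdf2_sha256$iterations$salt$dk`, the iteration count and the sample passwords are all constructed for this illustration; the answer's preference for bcrypt is not shown here only because it is not in the standard library.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed parameters for the example. The iteration count is the
# "configurably slow" knob: raise it as hardware gets faster, and store it
# alongside each verifier so old entries can be re-hashed at login time.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_NAME = "sha256"


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier: pbkdf2_<hash>$<iters>$<salt hex>$<dk hex>.

    A fresh random salt per password is what makes each entry distinct, so a
    precomputed table or one parallel dictionary run cannot cover all users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             salt, iterations, dklen=32)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the transform with the stored salt and work factor, compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    hash_name = algo.split("_", 1)[1]
    dk = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters),
                             dklen=len(dk_hex) // 2)
    # compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_sha1(password: str) -> str:
    """The single fast, unsalted hash the answer argues against: identical
    passwords always give identical output, and it costs microseconds."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_password_gives_distinct_verifiers(password: str) -> bool:
    """True when two users with the same password get different stored values."""
    return hash_password(password) != hash_password(password)


def measure_cost(iterations: int, password: str = "example") -> float:
    """Seconds for one hash at the given work factor; the cost scales linearly."""
    start = time.perf_counter()
    hash_password(password, iterations=iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok :", verify_password("correct horse battery staple", stored))
    print("verify bad:", verify_password("wrong password", stored))
    print("sha1 of 'password':", unsalted_sha1("password"))
    print("salt makes repeats distinct:",
          same_password_gives_distinct_verifiers("password"))
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: {measure_cost(n) * 1000:.1f} ms")
```

Note that the stored string carries the hash name, iteration count and salt, so none of them is a secret and the verifier can be upgraded per user without a flag day; only the password itself must be unrecoverable from it.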

Discuss This Question: 1 Reply
  • TomLiotta

    For passwords, SHA-1 hash is usually more useful than an encryption. Encryption has a direct implication of decryption; one-way hashing does not.

    It's been known to cryptanalysts for a few years that SHA-1 is "broken". However, you need to understand their definition of "broken" before discarding a method. Most particularly in this case, it means that algorithms have been described that can break hashed values faster than "brute force". It doesn't necessarily mean that anyone today can run the algorithm against a specific, given hash value of an unknown plain-text and actually recover the plain-text from it (in any practical length of time).

    But it's also been known for even longer that SHA-1 isn't really cryptographically appropriate for long-term password storage anyway. Much stronger hashing algorithms have long been known. The perceived attraction of SHA-1 has been on its speed in generating its hash result, not so much in its ultimate security.

    If you need a fast hashing algorithm, SHA-1 works fine. If you need to hash a message to provide a hash digest, it's completely acceptable. It's even generally acceptable for hashing passwords. It just isn't as secure as alternatives.

    And hashing passwords shouldn't rely on absolute speed. You can almost always take a few more milliseconds for a password hash anyway. Essentially no one will ever notice the speed difference.

    But they definitely might notice if a reversible encryption is used.


