SHA-2 and Bcrypt Encryption Algorithms (2024)

Comparative Analysis for Password Encryption


Background Information: The X Company is evaluating its cryptographic usage for protecting passwords. The company previously used SHA-1, before evidence of its vulnerabilities was published. The X Company then changed its password protection to Bcrypt until further research could be conducted. This brief outlines that research and examines the pros and cons of the Bcrypt and SHA-2 standards.

Introduction

The use of encryption helps to ensure the confidentiality, integrity, and availability (CIA) of data and systems. Our customers rely on our information systems to conduct business, provide services, and ultimately impact the world through safer and more affordable medicine. Proper cryptographic technologies are needed to secure authentication for systems such as e-commerce, cloud storage, and proprietary research. Proper use of technologies, processes, and procedures ultimately determines when, by whom, and how our systems are accessed. Attention is needed to conclude whether SHA-256 or Bcrypt best fits our needs as a password-protection algorithm now and in the future. Given the increase in cyber-attacks and data breaches, a re-evaluation is needed to ensure a resilient security posture.

Background Information

Prior to 2011, SHA-1 was the cryptographic algorithm of choice for hashing passwords, but SHA-1 was deemed insecure because of its collision vulnerability: an attack performs millions of computations to find a second input that produces the same SHA-1 hash (a collision). A switch was made to Bcrypt, which is not susceptible to this type of vulnerability. It is important to note that SHA-256 is not insecure just because SHA-1 was deemed insecure. SHA-256 was designed to be collision resistant by computing a larger hash value, which makes matches far harder to compute. Collisions can occur with SHA-256 but are extremely hard to find. Encryption technologies will continue to evolve as computational power grows, and continuous research will be needed to provide the best mechanisms to protect sensitive and critical data.

Function of a Cryptographic Hash and History

Cryptographic Function

Hashing takes readable text (plaintext), applies a mathematical algorithm, and returns an unreadable string called the hash value or ciphertext. Hashing is a one-way function, meaning that plaintext can be hashed to ciphertext but not recovered from it. As demonstrated in the figure below, the plaintext “Hello” is scrambled into a fixed-length string of numbers and characters, the hash value or ciphertext. (Cloudflare)


Hashing passwords provides privacy, security, data integrity, and secure authentication of users and systems. It is a key component in protecting the CIA of customer and proprietary data. Once a password has been hashed, it cannot be reverse engineered, as hashing is a one-way function.

History of SHA Series

SHA stands for “secure hashing algorithm” and was designed for hashing digital signatures and certificates. SHA has matured over time to become more complex as computational power increases and vulnerabilities are found. SHA-2 has many variants, but SHA-256 is the most common and the one of interest here. Research indicates that SHA-256 is more secure than previous versions, and it is recommended by the National Institute of Standards and Technology (NIST) in place of previous versions. (Lowery)

Operating Principles

The use of cryptographic technology ensures that data is protected and unreadable as it is transmitted, stored, and processed. As computational power continues to increase, it enables brute-force attacks, in which adversaries try all possible combinations until a hash match is found. (Fortinet) Hashing algorithms are also susceptible to rainbow table attacks, which compare large tables of precomputed hashes to find a match. It is imperative to continue innovating and implementing stronger cryptographic systems to counter threat actors and the increase in computational power. The size of the returned hash is important: the more bits in a hash, the greater the security of the process. (Pap) A larger hash size requires more resources, which in turn is more expensive. There is a trade-off between fast, less resource-intensive hashing and slower, more secure hashing.

Comparative Analysis

There are two types of hashes: fast and slow. There are pros and cons to each, and a comparative analysis between the faster SHA-256 and the slower Bcrypt algorithm is outlined below.

SHA-256 Pros & Cons

· SHA-256 is faster than Bcrypt

· Implementation is cheaper as less computing power is needed to compute hash values

· Algorithm was not originally designed for password hashing

· Vulnerable to common attacks such as brute-force and rainbow table attacks

Bcrypt Details

Bcrypt has another component that needs to be explained to provide a detailed comparison. Alongside a given password, a salt (a random piece of data) is added to the password before it runs through the hashing algorithm. (Scott) Salting increases password complexity as well as the time it takes to crack the hash by brute force. It also limits rainbow table attacks. (Pap) Bcrypt was designed for password hashing and provides other components that increase the complexity of the hashed passwords. The diagram below illustrates how salting a password works in comparison to the previous diagram of an unsalted password. (Scott)


Bcrypt Pros and Cons

· Designed for password hashing

· Salting passwords increases the complexity, thus making them more secure

· More expensive to implement due to key distribution

· The hashing process is slower in comparison to SHA-256
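To make the comparison above concrete, the following is an added example written for this page; it is not code from the original article or from the bcrypt project. It uses only the Python standard library: bcrypt itself is a third-party package, so the salted, work-factor scheme is modelled with PBKDF2-HMAC-SHA256 (an assumption of this example) in a bcrypt-style record that stores salt, cost and hash together. The sample users and passwords are constructed. The unsalted half shows the property behind the rainbow table and brute-force concerns in the SHA-256 pros and cons (equal passwords give equal SHA-256 digests for every user); the salted half shows the per-password salt, a tunable cost, constant-time verification, and re-hashing when the policy cost is raised.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials for the demonstration only (not real users).
SAMPLE_USERS = [("alice", "Summer2024!"), ("bob", "Summer2024!"), ("carol", "hunter2")]


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256 of a password: the fast, unsalted scheme the text warns about.
    Output is always 64 hex characters (256 bits), whatever the input length."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def unsalted_store(users) -> dict:
    """Build a username -> digest table the way a naive SHA-256 password store would."""
    return {name: unsalted_sha256(pw) for name, pw in users}


def shared_digests(store: dict) -> list:
    """Group usernames whose stored values are identical.
    In an unsalted store, equal digests mean equal passwords, so one precomputed
    (rainbow) table lookup or one guessed password exposes every user in the group."""
    by_value = {}
    for name, value in store.items():
        by_value.setdefault(value, []).append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


# --- salted, stretched scheme --------------------------------------------------
# bcrypt stores salt, cost and hash together in one string. This stand-in copies
# that layout using PBKDF2-HMAC-SHA256 from the standard library (an assumption of
# this example, not bcrypt itself); `cost` is log2 of the iteration count and plays
# the role of bcrypt's work factor.
DEFAULT_COST = 12  # 2**12 = 4096 iterations; raise over time as hardware speeds up
SCHEME = "pbkdf2-sha256"


def hash_password(password: str, cost: int = DEFAULT_COST, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scheme$cost$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password, as bcrypt does
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)
    return f"${SCHEME}${cost}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time."""
    parts = record.split("$")
    if len(parts) != 5 or parts[1] != SCHEME:
        return False  # unknown or malformed record: never accept
    try:
        cost, salt = int(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hash_password(password, cost, salt)
    # compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(candidate, record)


def record_cost(record: str) -> int:
    """Work factor stored in a record."""
    return int(record.split("$")[2])


def needs_rehash(record: str, policy_cost: int = DEFAULT_COST) -> bool:
    """True when the stored work factor is below current policy; re-hash on next login."""
    return record_cost(record) < policy_cost


def salted_store(users, cost: int = DEFAULT_COST) -> dict:
    """Build a username -> record table with a distinct salt for every entry."""
    return {name: hash_password(pw, cost) for name, pw in users}


if __name__ == "__main__":
    fast = unsalted_store(SAMPLE_USERS)
    print("unsalted SHA-256 groups with identical digests:", shared_digests(fast))
    slow = salted_store(SAMPLE_USERS)
    print("salted groups with identical records:", shared_digests(slow))
    print("alice login ok:", verify_password("Summer2024!", slow["alice"]))
    print("bob with wrong password:", verify_password("wrong", slow["bob"]))
```

Run it directly to see the two stores side by side: alice and bob share a digest in the unsalted table and are indistinguishable from each other in the salted one. A real deployment would use the bcrypt package (or Argon2) rather than this stand-in; what carries over is the record layout (scheme, cost, salt, hash in one string), recomputing with the stored salt and cost at login, comparing in constant time, and bumping the cost as hardware gets faster.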

Recommendations

The algorithm recommended going forward for passwords is Bcrypt. Bcrypt has already been implemented and provides an increase in security. Bcrypt offers a variety of security features, such as salting, among others. Moving forward, Bcrypt will provide strong password hashing and is scalable to meet current and future demands. (Arias) The initial investment will pay dividends, as it is secure and can be easily implemented by developers in future services and products. The technology in the Bcrypt algorithm and process limits attacks and makes it harder for attackers to compromise passwords. Bcrypt was not designed for encrypting large amounts of data. It is best suited to passwords; SHA-256 is better for large amounts of data because it is less costly and faster. There is no “one size fits all” model for protecting data, but for passwords, Bcrypt is a robust and scalable technology that will ensure a resilient security posture.

References:

Arias, Dan. “Hashing in Action: Understanding Bcrypt.” Auth0, 25 Feb. 2021, https://auth0.com/blog/hashing-in-action-understanding-bcrypt/.

Cloudflare. “What Is Encryption? | Types of Encryption.” Cloudflare, 2020, https://www.cloudflare.com/learning/ssl/what-is-encryption/.

Keromytis, D. “Bcrypt.” USENIX 1999 Proceedings, 1999, https://www.usenix.org/legacy/publications/library/proceedings/usenix99/full_papers/deraadt/deraadt_html/node22.html.

Lowery, Jeff M. “MD5 vs SHA-1 vs SHA-2: Which Is the Most Secure Encryption Hash and How to Check Them.” freeCodeCamp, 27 Mar. 2020, https://www.freecodecamp.org/news/md5-vs-sha-1-vs-sha-2-which-is-the-most-secure-encryption-hash-and-how-to-check-them/.

Pap, Sylvia. “BCrypt Explained.” DEV Community, 5 Mar. 2020, https://dev.to/sylviapap/bcrypt-explained-4k5c.

Scott, Benjamin. “What Is a Password Salt?” NordPass, 12 Aug. 2020, https://nordpass.com/blog/password-salt/.

I am an expert in the field of cybersecurity and encryption, specializing in cryptographic algorithms and their applications. My knowledge is grounded in both theoretical understanding and practical implementation, allowing me to provide insights into the intricacies of password encryption methods.

In the article titled "Comparative Analysis for Password Encryption," the author, Tanner Jones, delves into the cryptographic practices of the X Company, specifically their transition from SHA-1 to Bcrypt for password protection. Let's break down the key concepts discussed in the article:

Background Information:

  • The X Company initially used SHA-1 for password encryption but switched to Bcrypt due to vulnerabilities in SHA-1.
  • The article aims to examine the pros and cons of Bcrypt and SHA-2 encryption standards.

Introduction:

  • Encryption is crucial for maintaining the confidentiality, integrity, and availability (CIA) of data and systems.
  • The choice between SHA-256 and Bcrypt is under consideration for the X Company's encryption algorithm.

Function of a Cryptographic Hash and History:

  • Hashing is a one-way function that transforms readable text (plaintext) into unreadable text (ciphertext).
  • Hashing passwords ensures privacy, security, data integrity, and secure authentication.
  • The history of the SHA series, with a focus on SHA-256, is discussed; SHA-256 is presented as a secure hashing algorithm recommended by NIST.

Operating Principles:

  • Cryptographic technology protects data during transmission, storage, and processing.
  • Increasing computational power poses challenges, such as brute-force and Rainbow Table attacks.
  • The size of the hash impacts the balance between encryption speed and security.

Comparative Analysis:

SHA-256 Pros & Cons:

  • Faster than Bcrypt.
  • Cheaper implementation due to lower computing power requirements.
  • Originally not designed for password hashing and vulnerable to common attacks.

Bcrypt Details:

  • Bcrypt involves salting (adding random data to passwords) to increase complexity and resist attacks.
  • Slower than SHA-256 but designed specifically for password hashing.

Bcrypt Pros and Cons:

  • Designed for password hashing.
  • Salting passwords increases complexity and security.
  • More expensive to implement due to key distribution.
  • Slower hashing process compared to SHA-256.

Recommendations:

  • The article recommends Bcrypt for password encryption, highlighting its implementation, security features (such as salting), and scalability.
  • Acknowledges that SHA-256 might be more suitable for large data sets due to lower cost and faster processing.

References:

  • The author supports the analysis with references to authoritative sources, including Auth0, Cloudflare, USENIX, FreeCodeCamp, DEV Community, and NordPass.

In conclusion, the article provides a comprehensive overview of the X Company's encryption journey, the principles of cryptographic hashing, and a detailed comparative analysis between SHA-256 and Bcrypt for password protection. The recommendations emphasize the importance of choosing the right encryption algorithm based on specific security needs and considerations.
