Slashdot Mirror
Ask Slashdot: Is SHA-512 the Way To Go?
crutchy writes "When I was setting up my secure website I got really paranoid about SSL encryption, so I created a certificate using OpenSSL for SHA-512 encryption. I don't know much about SHA (except bits that I can remember from Wikipedia), but I figure that if you're going to go to the trouble (or expense) of setting up SSL, you may as well go for the best you can get, right? Also, what would be the minimum level of encryption required for, say, online banking? I've read about how SHA-1 was 'broken', but from what I can tell it still takes many hours. What is the practical risk to the real internet from this capability? Would a sort of rolling key be a possible next step, where each SSL-encrypted stream has its own private/public key pair generated on the fly, and things like passwords and bank account numbers were broken up and sent in multiple streams with different private/public key pairs? This would of course require more server grunt to generate these keys (or we could take a leaf from Google's book and just have separate server clusters designed solely for that job), but then if computing performance was a limiting factor, the threat to security of these hashes wouldn't be a problem in the first place."
(Continued below.)
"I guess with all security infrastructure, trust becomes a more important factor than technical abilities. Can I trust that my SSL provider hasn't been hacked (or at least snooped)? How do I know some disgruntled IT admin hasn't sold the private key of his company's root CA to the same organization that developed the conficker virus? It would certainly make for a more profitable payload. I've read some of Bruce Schneier's work (I'm subscribed to Cryptogram) and he tends to highlight the FUD that surrounds internet security, and I agree that there is a lot of FUD, but complete ignorance and blase attitude toward security can also be taken advantage of. Where is the middle ground?"
This will probably get marked flamebait, but I feel it needs to be said.
If you are working on something where you believe or you've been told this level of security is necessary, yet are at a "what's even out there" stage, you really need to bring someone with experience onto the team.
If this is just for a personal blog or something and you are just having fun with security, then by all means go for it. People are gonna tell you that you are insane, that plain ol` "out of the box on most distros" SSL is gonna be fine, but if you enjoy playing with this stuff then no harm throwing practicality (and your time) out the window and having fun.
I'll also note that the problem with implementing anything beyond SSL is the age old legacy problem. You can probably come up with a very secure scheme, but if no one's browser can handle it, you'll be playing with yourself!
Good question. I am in the same boat. I setup a home VPN and went through the same thought process in generating keys.
SHA-256 is fine. Any bugs in SHA-224/256/384/512 will likely be structural and if a bug is found it'll probably break of all of them.
Nothing wrong with using SHA-512, but it's not buying you 2^256 times extra security.
Not 42.
Read this book:
http://www.schneier.com/book-applied.html
Problem solved. You understand the basics of crypto, and can now make decisions!
Ask Sony what they used, then find something 10x stronger.
SHA-2 (of which SHA-512 is a part) isn't encryption, it's a hash function.
If you're going to work on cryptographic security or have even a passing interest in encryption, Schneier's Applied Cryptography is a great place to start.
Trolling is a art,
However I'm told that OpenSSL works a bit better.
I don't know much [...]
QFT. You won't have a secure website until you pay someone to handle this for you.
I don't know much about SHA, but I figure that if you're going to go to the trouble of setting up SSL, you may as well go for the best you can get, right?
If that's the way you feel, then yes, go for SHA-512. I think it is the heaviest NSA blessed hashing algorithm.
I've read about how SHA-1 was 'broken', but from what I can tell it still takes many hours.
Replace "hours" with "centuries". Or maybe more. Nobody has ever created a SHA-1 collision.
What is the practical risk to the real internet from this capability?
None for the near future. And CA certs expire after a year.
Would a sort of rolling key be a possible next step, where each SSL-encrypted stream has its own private/public key pair generated on the fly, and things like passwords and bank account numbers were broken up and sent in multiple streams with different private/public key pairs?
That would be ridiculous. There are valid concerns about SSL, but only regarding trusting CAs. The problem isn't the encryption itself, but the fact that you require a trusted avenue to exchange keys, and the CAs can't necessarily be trusted. The technical merits of AES and RSA and the SHA families are good.
SHA, which stands for Simply Hard Enough, has always been considered the successor to MD5.
As the numbers suggest, SHA1 5). SHA512 is formidable indeed, and no respectable website will go with anything less than SHA500.
However, there is always a balance between security and convenience, and it's important that you discover this for yourself and your users. If, for example, you find yourself with more than 500 users, you may want to bump up to SHA1024 to make sure you have enough room. Better yet, look into elliptic-curve algorithms that can be stretched to fit.
Also consider using Python instead of PHP.
As grub stated, SHA-512 isn't the encryption, that is part of the hashing. I would generally be more particular about the encryption algorithm used. Make sure you use something 128+ bit (preferably 256+ bit). Some functions, especially those covered from RFC 3268 would be preferred.
YOU'RE WINNER !
Another lame blog
Would a sort of rolling key be a possible next step, where each SSL-encrypted stream has its own private/public key pair generated on the fly
That's precisely how it works already, except that it's not just a public/private pair. Public key encryption is fairly slow, so instead of using it for the entire connection, the parties generate symmetric keys for a block cypher to handle the stream itself, and exchange them during handshake, those keys themselves encrypted by their (also generated) private keys.
SHA-512 is not "encryption" at all, it's a cryptographic hash function. As such, it has no bearing on the security of your data (i.e. SHA512 certificate does not make it harder for someone who intercepted your encrypted stream to decrypt it), but it makes MITM attack slightly less probable. In practice, even with SHA256, it is unbreakable for all practical purposes.
SHA-512 encryption
SHA-512 is a hash function, not a cipher.
if you're going to go to the trouble (or expense) of setting up SSL
What trouble and expense? TLS (SSL is obsolete) is only expensive if you need to get your certificates signed by a commercial CA i.e. if you are interacting with random people who are not affiliated with you or your organization. If you are only deploying TLS for internal purposes, just maintain your own internal CA and deploy your internal signing key to all of your organization's systems.
Also, what would be the minimum level of encryption required for, say, online banking?
AES-128 is perfectly reasonable here; it has a sufficient security margin for online banking and is nowhere near the weakest link in the security chain. If you happen to have extremely sensitive information and you need >30 years security, a more conservative cipher like MARS or Twofish might be appropriate (given the attacks on the AES-256 key schedule; in any case, 256 bit ciphers are recommended for >30 year security last I checked). Really though, any of the AES finalists are fine.
Can I trust that my SSL provider hasn't been hacked (or at least snooped)? How do I know some disgruntled IT admin hasn't sold the private key of his company's root CA to the same organization that developed the conficker virus?
CAs should not be trusted; the CA system is based on a typically bad assumption, which is that there are enough users who are aware of what it means for a CA to be untrustworthy to force the CAs to exercise appropriate security policies (or lose their business). Since only a tiny minority of Internet users even know what a CA is, and only a tiny minority of those people know how often CAs issue signatures for fraudulent certificates, the assumption does not hold. CAs are not trustworthy and should not be trusted.
I've read some of Bruce Schneier's work (I'm subscribed to Cryptogram) and he tends to highlight the FUD that surrounds internet security
You should take more time to read about cryptography. Confusing a hash function with a cipher is not a good indication that you have the minimum level of knowledge needed to understand what Schneier is saying.
Palm trees and 8
You might want to have a look at http://www.keylength.com/ (overview of all 'official' recommendations regarding protocols and minimal keylengths).
If you work for banks: take into account the Payment Card Industry standard (https://www.pcisecuritystandards.org/ - strictly speeking only valid for credit card handling systems) and look at national compliancy requirements ...
https://pangseh.com
Quite the opposite. The chances of someone coming up with something nontrivial that is more secure than SSL on their own are practically zero. Inventing your own cryptosystem is a sure-fire way to end up with something insecure. Don't do it.
To the original asker:
Calling SHA-512 (a cryptographically secure hash) "encryption" is your first clue that you need to either 1) calm down, learn about moderm crypto, about what all of those funky acronyms and bit sizes mean in practice, or 2) hire someone who does. There is no "shortcut". If you plan to use SSL, at the very least you need to know the difference between a cipher and a hash, and some vital information about the different choices that you can make.
And please, please, please don't invent workarounds, hacks, wrappers, tricks, or anything else on top of SSL or any other cryptosystem, like that multiple stream thing (and don't even think about implementing your own from scratch). These systems were (hopefully) designed by experts in cryptography who know the implications of their design decisions, which can be devastating for security if done wrong. They don't need wrappers or workarounds to stay secure, and they certainly don't need to be reinvented. "Shotgun cryptography" (throw every buzzword and algorithm in there, because more bits and more layers is more secure!!1) is exactly what made the PS3 a cryptographic laughingstock and gave everyone Sony's private keys. Don't make that kind of mistake. SSL works just fine as is, and you can almost certainly make it do whatever you actually need without having to hack around it.
I could write a few lines attempting to answer your questions about SHA-512, the SHA-1 attacks, etc., but I won't, because the questions are wrong to begin with. Start by understanding what you're asking first, then you'll be able to ask relevant questions. You don't need blind instructions that are ultimately going to lead you somewhere without really knowing where you're going; what you need to do is get a map and figure out where you are and where you want to go first.
On a similar note to this, since hashing can be defeated with rainbow tables, does anyone have any authoritative information on the state of rainbow table cracking? I just from a previous post that lulzboat cracked their passwords using rainbow tables, and looking through the password file, the passwords were substantially more complex than what I would use. Are rainbow tables at the state now where using special characters and numbers aren't good enough anymore? How long do we need to make our passwords? Does anyone like Bruce Schneier give guidance on this now?
Would a sort of rolling key be a possible next step,
So, a stream cipher?
Windows XP's crypto stack doesn't support any hash stronger than SHA-1, so if you have to worry about XP users, that's a big constraint.
Note that's for browsers/apps that use Windows native crypto stack. Browsers that include their own SSL implementation (Firefox and I believe Chrome too) can use whatever.
First of all, congratulations that you try to take security serious. Even though what I can tell from your questions is that any answer we could give you here would leave you with even more questions and very little enlightenment. A few very good books have already been recommended, and I'd recommend the same that was already said: Go read. Don't implement a security scheme, don't even plan it. Go read the books, teach yourself what's necessary to actually understand what you're doing and then go and plan your security.
On the danger of sounding patronizing, but that's simply as it is. It doesn't matter if you use MD5 or SHA-512 before you understand how to use them in a secure way. I gave the parallel of the steel door with paper walls above, so I won't repeat it, but security is always the security of the weakest part. If someone can bypass your secure entrance, the whole security is voided. I've seen too many rely on a "strong" hash only to see that the algo used was weak and allowed other ways of attacking. I can easily recommend anything Bruce Schneier wrote, he sure is one of the security gurus of our times and his books aren't as dry as many others on the subject. I'd start with the already mentioned "Applied Cryptography".
While we're at it, something I would also highly recommend is to implement a "fail well" strategy. Another thing I've seen many, many times ignored, and it's maybe the easiest way to improve security in a system, especially if the person responsible for it is not a security guru himself. The general idea is that, if (ok, when) security gets broken, the system should not instantly be fully accessible to the perpetrator. Try to compartmentize and contain the damage. Many times it is quite easy to do but ignored for simplicity's sake, like using the same database user (with admin privileges, of course) for different databases or using the same credentials for different systems. It's, IMO, the first step to more security and it can be easily implemented without a lot of knowledge of security because most of it is in the administrative field, not the technical one.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Reading between the lines I'm assuming SHA-512 is the signature algorithm to sign the key and the author is just confused in thinking it effects encryption when it just applies to the effectiveness of chain validation and therefore the systems resistance to Active-MITM.
If this assumption is correct the right answer is to use whatever algorithm the signer above you used as you are limited by them as the weakest link. You gain nothing by rolling the dice with a dependancy on multiple signature algorithms.
Even though certain attacks are available against some hash algorithms, I am unaware of anyone ever successfully attacking an SSL protected server in the wild by attacking the encryption, head on, not the hash function or the public key encryption or the symmetrical key encryption.
However the main issue is as you mentioned trust, which in this case is obtained with certificates.
When I browse to an SSL enabled web site over https, I trust the web site operator, I trust the company who signed the certificate proving he is who he says he is,
and I trust my browser to convey this information properly and give a good list of CA's. (I am ignoring non SSL related trust issues).
Note it is common for most site's certificate to only sign the server address and not the company name, note that this doesn't really tell you much about who is running the site.
Oh. My. God.
If you do not know the difference between a hash algorithm and a cipher algorithm, then STEP AWAY FROM THE SECURITY!
DIY crypto is a good idea like DIY brain surgery is.
Rolling your own crypto system is like rolling your own mercenary army. It feels really awesome and at first it's all running around in the woods with your camo and guns and FUCK YEAH WE RULE. But then you meet reality and it's all OMFG WE GOT PWNED. and ALSO WE'RE DEAD
If the geiger counter does not click, the coffee, she is not thick.
It sounds like you have an oversimplified idea of "security". Security is not a scalar property that increases with the number of bits in a hash or key. Security depends on your threats, and it's possible to be reasonably secure without the addition of any cryptography at all (although this will be the exception rather than the rule). Let's discuss security threats for a moment.
One threat is that of the eavesdropper. This is the classic threat from online shopping: "OMG, some hacker will see my CC number when I submit it to the shop." This threat can be defeated with encryption -- sort of. You don't need any kind of "certificate" to effect this level of security: you just need a key-sharing technique which defeats a passive eavesdropper. SSL/TLS has this, and it's independent of the number of bits in any hash, since that's a different part of the security puzzle.
Now the bad news: your CC number will still be compromised, despite your super-strong encryption. If you're using a malware-prone OS, then any malware on your system makes an end-run around the encryption. If you're using a public terminal, you need to be sure that it doesn't have keyloggers installed on it, either hardware or software. And even if your client-end computer isn't compromised, your CC number will be stored in a PCI-compliant database, where "PCI-compliant" means "this kind of thing gets compromised several times a week, leaking X thousand CC numbers in one go" for large values of X.
Encryption of the channel, in this case, provides security against the least convenient and least likely attack. You should probably encrypt the channel anyhow, but you simply can not achieve security, because most of the real threats lie outside your control.
Another threat is the impostor. This is where someone gets lured into going to BadGuy website which is dressed up as GoodGuy website. This is where public key certificates are supposed to help, and that's where you need to worry about how many bits there are in the hash. But if you're worried about the number of bits in the hash, or the kind of hash algorithm, then you're probably fussing over the smallest of problems. Certificates have a very limited lifespan, and so long as your current one isn't at the bottom of the pile, strength-wise, it's probably satisfactory for now.
The real problems that you face in this case are usually beyond your control. You can't create a self-signed certificate in general, because every browser on earth will throw up a warning (that 99% of users won't understand anyway) saying that the certificate can not be verified. You don't want that: you want the browser to do the "I'm secure now" thing, whatever that happens to be, visually. So you'll need to pay up for a certificate. Unfortunately, your clients must then be smart enough to pick the difference between your website with its "I'm secure now" indicator, and an exact copy of that website which lacks this indicator at a different URL, or one that has an "I'm secure now" indicator which doesn't match your identity. How smart are your clients?
If you're a really important target (e.g. Gmail), you have much bigger worries. You ask, "Can I trust that my SSL provider hasn't been hacked (or at least snooped)?", but the problem is much worse than this: you need to trust that every issuer of certificates on Earth hasn't been compromised, which you can't, because some of them have. When any certificate issuer is compromised, it's possible that a fake certificate has been generated for your identity, and someone else can set up a server which validates itself as "secure" for your domain name. There are browser add-ons in some cases that will raise a red flag when a "valid but previously unseen" certificate is shown, but then you're asking for even greater security expertise on the part of your end users to diagnose the situation.
So, in summary, step away from the key-generation software, and go back to square one. Think about your threat model, and whether any of your crypto-
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
They're secure, just read over their website. I mean they can't say it if it isn't true, right?
As most folks here have pointed out already, you are in over your head. First, you need to understand that the strength of the hash used to setup an SSL session isn't necessarily an indicator of the strength of the SSL session encryption. Your concern about server power isn't warranted as the strength of the cert used to start up the SSL session is negligible. My advice is to stick to standard methods and don't try to get inventive. You have much bigger things to worry about that the strength of your SSL cert. Like making sure everything else is secure and that you're not subject to things like SQL injection or stolen cookies that result from shoddy programming.
so I created a certificate using OpenSSL for SHA-512 encryption
Great, so now your clients have no real way of verifying the authenticity of your web site. If you intend to deal with the public, get a certificate from a reputable provider that typical browsers already trust. Self-signing is a sure sign of an amateur and usually people don't trust a website when the browser keeps nagging them that the certificate is not trusted.
"Can I trust that my SSL provider hasn't been hacked (or at least snooped)?"
Another clue that you need help. There is no such thing as an SSL provider. There are providers that sign certificates intended for specific (or general) purposes. What you do with them is your problem.
How do I know some disgruntled IT admin hasn't sold the private key of his company's root CA to the same organization that developed the conficker virus?
You don't. But keep in mind the risk of a compromised certificate is primarily the threat of someone else pretending to be you, such as a fake site or a man in the middle attack. If you're issuing certs to clients for authentication, the risk is that a compromised cert means someone else can pretend to be your client.
As correctly noted in your post trust is the real bottleneck. Hacked CA is a risk. Man-machine interaction on the end user side is much greater weakness. User can be fooled by SSL strip. User can believe that "legitsite.ucvgsuivuis.cn" is your site if it provides valid certificate for "*.ucvgsuivuis.cn". Social engineering can be used to make user skip warnings by browser. If users authenticate with certificate hackers are more likely to get the certificate by social engineering than by exploiting crypto weakness.
IMHO SSL is often not the problem. Most websites/webapps are hacked through badly configured and unpatched servers or through programming errors in the site itself. If you're concerned about security, make sure that your website/webapplication/cms is secure. OWASP is a good source for hints and tips. They even have a top-10 for this stuff. So, if SHA-512 is you're only problem, you're doing just fine.
the use of knowledge is highly overrated
If you are asking on here at that level of naivete, you are probably already compromised.
Ha, you want security and trust? Remember Ken Thompson's C Compiler Backdoor
Make sure you built your PC out of sillicon yourself! Otherwise, you have to rely on someone else's code:
ACM Classics: Reflections on trusting trust
http://cm.bell-labs.com/who/ken/trust.html
All security is about deterrence. As long as you're making your systems a less desirable target than others, you're doing enough. (There are some exceptions, e.g. those that are targeted for political reasons, who are going to be targeted no matter what. This may not apply to those.) Consider a bank vault: the classic example of real world security. The doors of modern bank vaults are so secure that it's generally easier to go through the wall of the vault than to try to "hack" the door. Technically, that wall's a security hole; someone could break in through it. But even though it's possible for someone to tunnel through a wall, it never really happens, because it's just too much trouble. There are easier ways to make a dishonest living. Computer security is the same way. It doesn't matter whether it would take a day or a week or ten thousand years to break encryption; as long as it's enough trouble that it makes you a bad target, it's enough. It's like what they say about escaping a bear: you don't have to outrun the bear, you just have to outrun your friend.
then give up because you're too stupid to understand crypto.
TLS providers are well behind the cryptographic state-of-the-art: SHA-1 is now known to have serious flaws but it's the highest any of the mainstream certificate providers use or accept (to their credit they have finally dumped MD5, but SHA-1 will only get worse). It is, at the moment, not feasible for anyone to collide your certificate, although perfectly possible for someone to create two colliding certificates of their own (although at this time I still haven't seen any SHA-1 collisions actually produced).
Really they should be on SHA-256 or SHA-512 already, and preparing to migrate to the SHA-3 function when it is selected next year (my own money's on Skein, and it has such a nice, parallelisable native hash tree format that even if it doesn't get selected as SHA-3, I'm probably going to use it regardless as long as it doesn't get broken). It may be that they're simply waiting for that: plus it's still actually very rare to see a TLS 1.2 exchange in the wild, and you need TLS 1.2 to even actually rely on any hash functions that aren't SHA-1.
It would be nice to see an authenticated encryption mode as well, and the key exchange is slow enough that people like Google are coming out with unofficial shortcut extensions. Greater elliptic curve use would also be preferred but the ecdsa code in OpenSSL is not well tested (the b curves, it turns out, even had a timing attack, which is surprising because OpenSSL is normally one of the better libraries for resisting those).
I have no idea why it moves so slowly...
... so I have no idea what you're talking about. SHA-512 is a cryptographic hash function, not a form of encryption.
The only place a hash function is used in SSL certificates is to verify the certificate. The primary purpose of that is for the client to identify your server; it in no way affects the strength of the encryption.
Don't get me wrong, identifying your server is important, too.
I'm surprised no one pointed out this link already: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
My first program:
Hell Segmentation fault
I am working for banks long years, here is a bit of security sights for you.
I remember how we deployed GOST encryption at a number of Russian banks, by saying "Hey, but AES (Rijndael) is seems to be better (at least more attacked and thus proven to be secure). You know what did they said? They said: if you are needed to nobody, then anyway nobody cares. But if somebody will need you, then nothing will help you ever.
The moral of the story above is: people are so much paranoid about SSL strength, yet it is OK that all your private information is known everywhere around? Got your credit card? Then I assure you that all your most important information is there in the database. For example, before you get a credit card in a City Bank, we will check you from your top to your bottoms and if you seems to be not reliable, you will not get a credit card. How do we know about you, you think? :-)
As of SSL strength: even 64 bit is impossible to decrypt, since your session lifetime is too short.
David A. Wheeler’s Page on Fully Countering Trusting Trust
http://www.dwheeler.com/trusting-trust/
Well, I guess you'll have to find a new reason to polish your tin foil hat.
I design and implement security systems for the transportation industry. From a theory perspective there's nothing I know that you couldn't learn yourself in 6-weeks of Safari Books Online. You don't have to build a crypto system, that's what OpenSSL is for.
You can use the OpenSSL CLI to do everything you need, CA authorities, certs, key generation etc... Unfortunately you'll need to trust other PKIs (i.e. Verisign), the point about a disgruntled admin selling a private key is exactly why some feel that internet security is inherently flawed.
RSA 2048 keys for digital signatures. ECC is a fine choice as well but a little harder to implement. Use AES-128/256-cbc for symmetric/hybrid encryption (e.g. TLS). On your question about different key pairs for various streams, they'll all be using shared secrets (i.e. content encryption keys) that are unique to that session. In TLS the asymmetric key is just used for the handshake (to share the secret so to speak). You don't really want/need the overhead of maintaining unique certificates for every institution. Best thing you can do for security is secure your keys at rest.
You can configure the RSA digital signature to use a SHA-2 512 hash. 256 is fine as well.
Is that in the way SSL is typically implemented the crypto is not the main weakness. In a typical SSL setup the client verifies the server is who it says it is is by looking at a certificate chain and checking that chain against a list of "trusted" roots. The server then verifies the client is who it says it is by requesting a password or other credentials be transmitted across the encrypted channel (in the https case this happens in the form of a http post followed by http cookies).
The problem comes that in typical implementations of SSL the list of trusted roots is HUGE and if the holders of ANY of those trusted roots can be compromised then a MITM attack can be mounted against your communications.
If you have control over both endpoints of an encrypted link you can make SSL far more secure by using your own root and making sure that is the ONLY root the client trusts.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
I am reading Understanding Cryptography: A Textbook for Students and Practitioners. While a textbook, the materials are current and very readable for a layperson. The text might provide some background for your inquiry as the book specifically includes chapters on hashes, encryption types, and related materials. Again, the book is readable and, in my opinion, informative (plus it is current as a newer text).
SHA-1 has not been broken in the sense that forging a signature takes a few mere hours. Actually, the attack is about in the order of 2^51 minimum, and no successful collision has yet been found. Even then, it is not broken for many uses such as specific key generation functions or pseudo number generation functions - although it is worrysome for signature verification as used in SSL/TLS. Actually, many CA's (see the certificate store in your browser) still deploy SHA-1, even for extended validity certs. Personally, I'm slightly worried about the state of many (non-PC) browsers and CA's that don't support SHA-256, SHA-512 or derivatives.
If SHA-1 is ever broken in the sense that collisions can be calculated for pre-existing signatures, you'll certainly hear it in the news. All CA's and SSL/TLS sites will be vulnerable. Before that I would focus on getting the most secure server, configuring it safely and keeping it updated, making sure that nobody (except you and your server) get hold of the private key. Actually, the askers case, you might want to sub-contract that part.
but if no one's browser can handle it, you'll be playing with yourself!
Ahemm, English is not my first language, but I believe you mean "by yourself" ...? ;-)
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
First, SHA is hashing function that is used to create a 'fingerprint' of a certificate which is used in the certificate signing process. It is not encryption and has no relevance with respect to the 'strength' of the encryption.
SSL Certs contain several pieces of information:
1) A public key (which is paired with a private key only known to the owner of the certificate)
2) Usage information (what the certificate can be used for)
3) Issuer - indicates the certificate that was used to issue (i.e. sign) this certificate
4) Lots of other stuff (serial numbers, subject names, etc) that are used for a variety of purposes
So where is the encryption in SSL? There are two places that encryption shows up, neither of which have anything to do with the hash algorithm used to sign the certificate. The first is the public-private key pair. Only the public key is contained in the certificate. The paired private key is held by the certificate owner. With respect to encryption, the public-private key pair is used to periodically exchange a symmetric key which is used to encrypt the actual data sent over the connection. basically, the server creates a random symmetric key, encrypts it with the private key, sends the encrypted key to the client, who then decrypts it using the public key from the certificate. The client/server then uses that symmetric key to encrypt the session data. SSL/TLS has a protocol to periodically generate a new, random symmetric key so that over time a series of different keys are used to encrypt the session data.
So in terms of crypto-strength, the relevant factors are:
1) Public-Private crypto algorithm and key size (which is always RSA as far as I have ever seen with key sizes ranging from 1024 bits to 4096 bits - more bits is stronger, but much more expensive). This is used to protect the symmetric keys when they are exchanged over the wire.
2) Symmetric crypto algorithm and key size. This is negotiated between the client/server to find a commonly supported algorithm. AES is generally considered to be a good algorithm for the symmetric encryption, though some servers/clients still use 3-DES. Key size for AES is 128, 192 or 256 bits (again, more bits is better but more expensive).
The algorithms and key sizes are what impact the 'strength' or 'security' of the encryption.
So where does the hash function (such as SHA-512) show up? This is used in the generation of the signature of a certificate. In order to ensure that the contents of the certificate have not been tampered one generates a hash of the contents of the certificate and then that hash is signed using the private key from the issuing certificate. So hash functions are only relevant to the process of checking the certificate for tampering. MD5 should not be used for this process because there is a viable "collision attack" known for MD5. This means that if you have a message which you hash using MD5, there is a viable method for creating a slightly modified version of that message that will hash to the same value. So if one is using the hash to
Last time I checked, there was no viable collision attack for SHA-1. People have shown ways to make it easier than brute force, but it is still sufficiently hard as to be prohibitive. SHA-2 (of which SHA-512 is one example) does not yet have a known reduction for the collision attack.
What this means is that if you use MD5 to sign your certificate, I can create another certificate which contains a slightly modified version of your cert's information which will hash down to the same 'fingerprint' as yours when using MD5. This means that I can simply copy your cert's signature into my modified cert and the signature will still check out. I can now create a cert with my own information which will allow me to mascarade as you.
So what the hash algorithm impacts is whether an attacker can try to pretend to be you by compromising the certificate signature process. It does not impact the strength of the encryption itself.
I realise people like to talk about crypto but user authentication is much more pressing security problem and the weak link in all the recent attacks. Im not reading about X breaking X crypto instead I hear static passwords being gotten one way or another and all the crypto being bypassed. A friendly suggestion for your secure site would be to use 2FA dynamic passwords in as many places as you can preferably with mutual authentication capabilities to prevent MITM, further suggestions would be using Yubikeys or ShieldPass cards and I believe Verisign has a service but the former are much easier to implement and relatively cheap.
You: The numbers all go to 513 bits. Look, right across the board, 513, 513, 513 and...
h4x0r: Oh, I see. And most SSL goes up to 512 bits?
You: Exactly.
h4x0r: Does that mean it's more secure? Is it any more secure?
You: Well, it's one more secure, isn't it? It's not 512. You see, most blokes, you know, will be using SHA-512. You're on 512 here, all the way up, all the way up, all the way up, you're on 512 bits on your SSL key. Where can you go from there? Where?
h4x0r: I don't know.
You: Nowhere. Exactly. What we do is, if we need that extra push over the cliff, you know what we do?
h4x0r: Put it up to SHA-513.
You: 513. Exactly. One more secure.
h4x0r: Why don't you just make 512 more secure and make 512 be the top number and make that a little more secure?
You: [pause] These keys use 513 bits.
I want to delete my account but Slashdot doesn't allow it.