Are there any advantages in using Digest::SHA over Digest::SHA1 or vice versa? Both seem to be maintained, but I don't see a reason for Digest::SHA1 to even exist with the existence of Digest::SHA.

2 Answers
There is none, `Digest::SHA1` is legacy, as is SHA1. Per the docs of `Digest::SHA1`:
In 2005, security flaws were identified in SHA-1, namely that a possible mathematical weakness might exist, indicating that a stronger hash function would be desirable. The Digest::SHA module implements the stronger algorithms in the SHA family.
It clearly references `Digest::SHA`. The implementation in `Digest::SHA` is a bit faster than `Digest::SHA1` (per the docs of Digest.pm -- what you should probably be using anyway).

| Algorithm | Size | Implementation | MB/s |
|-----------|------|----------------|------|
| SHA-1 | 160 | Digest::SHA v4.3.1 | 58.9 |
| SHA-1 | 160 | Digest::SHA1 v2.10 | 48.8 |

`Digest` is a factory for all modules in the `Digest` namespace; it prioritizes `Digest::SHA` over `Digest::SHA1`. You could even argue `Digest::SHA1` is twice over deprecated, as it was replaced by `Digest::SHA2`.
I believe it is probably useful to substantiate the term "deprecated" here. I simply mean that `Digest::SHA1` isn't useful for non-SHA1 hashes that are still in the SHA family -- other distros can handle more. Digest::SHA1 is also slower. To the best of my knowledge it is still supported and has a stable release not all that long ago: Digest-SHA1-2.13 - 03 Jul 2010 - Gisle Aas

- The ::SHA module included SHA-2 algorithms as well... but if you *are* still planning on using SHA-1 that's really not an argument one way or another. I looked at the docs and didn't see anything to suggest that Digest::SHA1 was legacy or deprecated. – xenoterracide Aug 06 '10 at 03:04
- 1 @xenoterracid, Wrong, it is still an argument. Do you want to have both of them loaded in memory because some other module wishes to implement a hash in the same family that isn't SHA1? Do you want to depend on a different distribution with open bugs being maintained, when it only supports a subset of the functionality of the newer one -- and at that **it does it slower**... – Evan Carroll Aug 06 '10 at 03:18
- 2 That's a better argument ;) as opposed to talking about the security flaws which may or may not be relevant depending on what you're using it for. – xenoterracide Aug 06 '10 at 03:33
- 2 Another big reason to pick `Digest::SHA` over `Digest::SHA1` is that the former is a core library (as of Perl 5.10.0), and the latter isn't (and never will be). – cjm Aug 06 '10 at 06:22
- It’s worth mentioning that Digest::SHA1 is now dead. It was [removed from Debian Wheezy](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594273), its package is no longer available. Other distros descending from Debian (e.g. Ubuntu) follow the same path. – Palec Aug 07 '14 at 12:00

Stuff that was written to use `Digest::SHA1::sha1`, or which (in a fit of silliness) does `"Digest::$type"->new` instead of `Digest->new($type)` might need `Digest::SHA1`. Other than that, `Digest::SHA` is preferred, and it will be used by default for `Digest->new("SHA-1")`.
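
The migration both answers describe, as an added example that is not code from either answer: legacy type strings are routed through the `Digest->new` factory instead of a hand-built `"Digest::$type"` class name, and the script reports which module served each request. `digest_hex` is a hypothetical helper name, and the expected digests are the standard published values for the message "abc".

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest;                      # factory: picks the implementing module
use Digest::SHA qw(sha1_hex);    # same function name Digest::SHA1 exports

# Hypothetical helper: map legacy type strings ("SHA1", "sha256") onto the
# hyphenated algorithm names Digest->new() expects, so callers never build
# a class name such as "Digest::$type" themselves.
sub digest_hex {
    my ($type, $data) = @_;
    (my $name = uc $type) =~ s/^SHA-?(\d+)$/SHA-$1/
        or die "unsupported digest type: $type\n";
    my $ctx = Digest->new($name);
    $ctx->add($data);
    return ($ctx->hexdigest, ref $ctx);   # digest and the class that produced it
}

my $msg = "abc";   # standard SHA test message
my %known = (
    'SHA1'   => 'a9993e364706816aba3e25717850c26c9cd0d89d',
    'sha256' => 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
);

for my $type (sort keys %known) {
    my ($hex, $backend) = digest_hex($type, $msg);
    die "$type: unexpected digest $hex\n" unless $hex eq $known{$type};
    print "$type -> $backend: $hex\n";
}

# Functional form: code written for Digest::SHA1::sha1_hex() needs only the
# module name changed, and it must agree with the factory result.
die "functional and factory results differ\n"
    unless sha1_hex($msg) eq (digest_hex('SHA-1', $msg))[0];

# With Digest::SHA installed, the legacy module should never have been loaded.
print "Digest::SHA1 loaded: ", ($INC{'Digest/SHA1.pm'} ? "yes" : "no"), "\n";
```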