Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

The US National Institute of Standards and Technology (NIST) this week recommended that IT professionals replace the SHA-1 cryptographic algorithm with newer, more secure ones.

The US National Institute of Standards and Technology (NIST) this week recommended that IT professionals replace the SHA-1 cryptographic algorithm with newer, more secure ones.

The first widely used method of securing electronic information and in use since 1995, SHA-1 is a slightly modified version of SHA, or ‘secure hash algorithm’, the very first standardized hash function.

According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm.

“NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms,” the agency within the Department of Commerce announced.

Used as the foundation of numerous security applications, including validating websites, SHA-1 secures information by generating a hash – a short string of characters resulting from a complex math operation performed on the characters of a message.

While the original message cannot be reconstructed from the hash alone, a recipient can use the hash to check whether the original message has been compromised.

The main threat to SHA-1 is the fact that today’s powerful computers can create two messages that lead to the same hash, potentially compromising an authentic message – the technique is referred to as a ‘collision’ attack.

The cost of launching collision attacks against SHA-1 has decreased significantly in recent years, and tech giants such as Google, Facebook, Microsoft and Mozilla have taken steps to move away from the cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

Advertisement. Scroll to continue reading.

NIST, which previously recommended that federal agencies stop using SHA-1 for creating digital signatures and for other operations threatened by collision attacks, will stop using SHA-1 by December 31, 2030.

By then, NIST will publish the Federal Information Processing Standard (FIPS) 180-5, a revision of FIPS 180 that removes the SHA-1 specification. It will also revise SP 800-131A and other publications to reflect SHA-1 withdrawal, and will create and publish a transition strategy for validating cryptographic modules and algorithms, as part of its Cryptographic Module Validation Program (CMVP).

“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that CMVP has time to respond,” NIST computer scientist Chris Celi said.

Related: NIST Releases New macOS Security Guidance for Organizations

Related: Is OTP a Viable Alternative to NIST’s Post-Quantum Algorithms?

Related: NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.