Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

NIST to Retire 27-Year-Old SHA-1 Cryptographic Algorithm

The US National Institute of Standards and Technology (NIST) this week recommended that IT professionals replace the SHA-1 cryptographic algorithm with newer, more secure ones.

The US National Institute of Standards and Technology (NIST) this week recommended that IT professionals replace the SHA-1 cryptographic algorithm with newer, more secure ones.

The first widely used method of securing electronic information and in use since 1995, SHA-1 is a slightly modified version of SHA, or ‘secure hash algorithm’, the very first standardized hash function.

According to NIST, SHA-1 ‘has reached the end of its useful life’, given that the high computing capabilities of today’s systems can easily attack the algorithm.

“NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms,” the agency within the Department of Commerce announced.

Used as the foundation of numerous security applications, including validating websites, SHA-1 secures information by generating a hash – a short string of characters resulting from a complex math operation performed on the characters of a message.

While the original message cannot be reconstructed from the hash alone, a recipient can use the hash to check whether the original message has been compromised.

The main threat to SHA-1 is the fact that today’s powerful computers can create two messages that lead to the same hash, potentially compromising an authentic message – the technique is referred to as a ‘collision’ attack.

The cost of launching collision attacks against SHA-1 has decreased significantly in recent years, and tech giants such as Google, Facebook, Microsoft and Mozilla have taken steps to move away from the cryptographic algorithm. Certificate authorities stopped issuing certificates using SHA-1 as of January 1, 2017.

NIST, which previously recommended that federal agencies stop using SHA-1 for creating digital signatures and for other operations threatened by collision attacks, will stop using SHA-1 by December 31, 2030.

By then, NIST will publish the Federal Information Processing Standard (FIPS) 180-5, a revision of FIPS 180 that removes the SHA-1 specification. It will also revise SP 800-131A and other publications to reflect SHA-1 withdrawal, and will create and publish a transition strategy for validating cryptographic modules and algorithms, as part of its Cryptographic Module Validation Program (CMVP).

“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that CMVP has time to respond,” NIST computer scientist Chris Celi said.

Related: NIST Releases New macOS Security Guidance for Organizations

Related: Is OTP a Viable Alternative to NIST’s Post-Quantum Algorithms?

Related: NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.