The US National Institute of Standards and Technology (NIST) says it’s time to retire Secure Hash Algorithm-1 (SHA-1), a 27-year-old weak algorithm used in security applications.
“We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible,” said NIST computer scientist Chris Celi, in a canned statement on Thursday.
As soon as possible isn’t necessarily all that soon: NIST says you should be rid of SHA-1 from your software and systems by December 31, 2030. Meanwhile, the tech industry has largely moved on already.
SHA-1 is among seven hash algorithms approved for use in the Federal Information Processing Standard (FIPS) 180-4. By the end of 2030, FIPS 180-5, the next revision of government’s hash standard, will no longer include SHA-1 as a supported specification
NIST intends to update SP 800-131A and other relevant NIST publications to reflect the retirement of SHA-1. In addition, it’s looking to publish a transition strategy for validating cryptographic modules and algorithms.
A SHA-1 hash is made by mapping a message of arbitrary length to a fixed-length message digest consisting of 160 bits, typically represented by 40 hexadecimal digits. For example, the message “password” results in the SHA-1 digest 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
.
Hashes are not supposed to be reversible but simple message inputs like “password” can be pre-computed and put in lookup tables, which makes it trivial to derive dictionary-stored input messages from corresponding hash digests, assuming they’re unsalted – combined with an additional value for enhanced security.
NIST deprecated SHA-1 in 2011 and disallowed its use in digital signature creation and verification with limited exceptions in 2013 as a result of a theoretical collision attack described in 2005 that became practical in 2017 [PDF].
A collision attack is when two input messages produce the same hash value as output. For applications like digital signatures or file checksums, you don’t want collisions because they violate security assumptions about uniqueness. It’s suboptimal when a legitimate program and a malicious program share the same hash value.
By 2015, companies like Facebook, Google, Microsoft, and Mozilla were already planning to distance themselves from SHA-1. By 2017, the major web browsers stopped recognizing SHA-1 certificates but it took a while for the rest of the industry to catch up.
Despite its known weakness, SHA-1 has shown up in recent years propping up legacy applications and providing shoddy password storage. Microsoft finally got around to dropping SHA-1 from the Windows update process in August 2020.
Even if it’s not actively used much, SHA-1 remains widely available. NIST’s Cryptographic Algorithm Validation Program, which validates cryptographic algorithms for vendors, includes 2,272 cryptographic modules validated in the past five years that still support SHA-1.
These modules, the building blocks of cryptographic systems, do not necessarily use SHA-1 but they support it. So companies incorporating any of these modules in their products should be looking for revised versions that exclude the outdated algorithm. And the makers of these modules cannot sit idly by either since the Feds require cryptographic modules to be validated every five years.
Celi explains that modules still using SHA-1 after 2030 will be ineligible for purchase by the federal government. Having eight years to submit an update may seem like more than enough time, but Celi warns there may be a backlog of submissions as the deadline nears. Developers wishing to avoid a potential validation delay should submit revised code sooner rather than later. ®