The US National Institute of Standards and Technology (NIST) says it’s time to phase out Secure Hash Algorithm-1 (SHA-1), a 27-year-old weak algorithm used in security applications.
“We recommend that anyone who relies on SHA-1 for security reasons transition to SHA-2 or SHA-3 as soon as possible,” NIST Computer Scientist Chris Celi said in a canned statement Thursday.
As soon as possible turns out to be not all that soon: NIST says SHA-1 should be removed from software and systems by December 31, 2030. Much of the technology industry has already moved on in the meantime.
SHA-1 is one of the seven hash algorithms approved for use in Federal Information Processing Standard (FIPS) 180-4. By the end of 2030, FIPS 180-5, the next revision of the government hash standard, will no longer include SHA-1 as a supported specification.
NIST intends to update SP 800-131A and other relevant NIST publications to reflect the retirement of SHA-1. In addition, it intends to publish a transition strategy for validating cryptographic modules and algorithms.
A SHA-1 hash is created by mapping a message of any length to a fixed-length message digest consisting of 160 bits, typically represented by 40 hexadecimal digits. For example, the message “password” yields the SHA-1 digest
Hashes are not intended to be reversible, but simple message inputs like “password” can be precomputed and inserted into lookup tables, making it trivial to recover dictionary-stored input messages from their hash digests, provided the hashes are unsalted, that is, not combined with an added random value for extra security.
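The two paragraphs above, as an added example that is not part of the original article: the block computes the 160-bit (40 hex digit) SHA-1 digest of “password”, builds a small precomputed lookup table from a constructed wordlist to show why an unsalted digest of a common input is trivially reversible, and shows that a per-record random salt defeats that table. The wordlist and the function names are this example's own assumptions; only Python's standard `hashlib` is used.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional


def sha1_hex(message: bytes) -> str:
    """Return the SHA-1 digest of message as 40 hexadecimal digits (160 bits)."""
    return hashlib.sha1(message).hexdigest()


# Constructed wordlist standing in for a precomputed lookup table of common inputs.
WORDLIST = [b"password", b"123456", b"letmein", b"qwerty"]


def build_lookup_table(words: Iterable[bytes]) -> Dict[str, bytes]:
    """Map each precomputed digest back to its plaintext.

    A table like this is why unsalted digests of dictionary words can be
    reversed by a simple lookup, even though the hash function itself is one-way.
    """
    return {sha1_hex(w): w for w in words}


def lookup(digest_hex: str, table: Dict[str, bytes]) -> Optional[bytes]:
    """Recover the plaintext for a digest if it was precomputed, else None."""
    return table.get(digest_hex)


def salted_sha1_hex(message: bytes, salt: bytes) -> str:
    """Hash salt || message.

    A random per-record salt makes every stored digest unique, so a table
    precomputed over bare inputs no longer matches. (SHA-1 itself remains
    deprecated; salting addresses precomputation, not the algorithm's weakness.)
    """
    return hashlib.sha1(salt + message).hexdigest()


def demo() -> dict:
    """Run the comparison and return the observable results."""
    table = build_lookup_table(WORDLIST)
    unsalted = sha1_hex(b"password")
    salt = os.urandom(16)  # 128-bit random salt, generated per record
    salted = salted_sha1_hex(b"password", salt)
    return {
        "digest_hex_len": len(unsalted),          # 40 hex digits
        "digest_bits": len(unsalted) * 4,         # 160 bits
        "unsalted_recovered": lookup(unsalted, table),  # b"password"
        "salted_recovered": lookup(salted, table),      # None
    }


if __name__ == "__main__":
    print(sha1_hex(b"password"))
    print(demo())
```

The same lookup would fail for SHA-256 or SHA-3 digests only because the table was built with SHA-1; the lesson about salting applies equally to the replacement algorithms, and for password storage a deliberately slow, salted construction should be used rather than any bare hash.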
NIST deprecated SHA-1 in 2011 and banned its use in creating and verifying digital signatures with limited exceptions in 2013 as a result of a theoretical collision attack described in 2005 that became practical in 2017 [PDF].
A collision attack occurs when two input messages produce the same hash value as output. For applications like digital signatures or file checksums, you don’t want collisions because they violate security assumptions about uniqueness. It is not optimal for a legitimate program and a malicious program to use the same hash value.
As early as 2015, companies such as Facebook, Google, Microsoft and Mozilla planned to distance themselves from SHA-1. Major web browsers stopped recognizing SHA-1 certificates by 2017, but it took a while for the rest of the industry to catch up.
Despite its well-known weaknesses, SHA-1 has proven to be a backbone for legacy applications and a shoddy password store in recent years. Microsoft finally managed to remove SHA-1 from the Windows update process in August 2020.
While not in much active use, SHA-1 remains widely available. NIST’s Cryptographic Algorithm Validation Program, which validates cryptographic algorithms for vendors, includes 2,272 cryptographic modules that have been validated over the past five years and still support SHA-1.
These modules, the building blocks of cryptographic systems, don’t necessarily use SHA-1, but they do support it. Companies that integrate any of these modules into their products should therefore look for revised versions that exclude the outdated algorithm. Nor can the makers of these modules sit idly by, since the Feds require cryptographic modules to be revalidated every five years.
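Finding where SHA-1 is still supported or in use is the first step of the transition the article describes. The following is an added example, not code from NIST or The Register: a small inventory scanner that flags lines mentioning SHA-1 by algorithm name (as in certificate dumps or configuration) and lines carrying a bare 40-hex-digit token, which has the length of a SHA-1 digest. The sample lines are constructed, the length check is a heuristic (any 160-bit value such as a Git commit id also has 40 hex digits), and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample lines resembling certificate dumps, config files and
# application logs; not taken from any real system or the article.
SAMPLE_LINES = [
    "Signature Algorithm: sha1WithRSAEncryption",
    "Signature Algorithm: sha256WithRSAEncryption",
    "hash_algo = SHA-1",
    "hash_algo = SHA3-256",
    "file_checksum=da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "file_checksum=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

# "sha1", "SHA-1", "sha1WithRSAEncryption"; the lookahead rejects sha128-style
# tokens so that only SHA-1 (not SHA-2/SHA-3 family names) matches.
SHA1_NAME = re.compile(r"sha-?1(?![0-9])", re.IGNORECASE)

# A standalone token of exactly 40 hex digits: the length of a SHA-1 digest.
# SHA-256 (64 digits) and SHA-512 (128 digits) do not match because of the
# word boundaries. Heuristic only: other 160-bit identifiers match too.
SHA1_LENGTH_DIGEST = re.compile(r"\b[0-9a-fA-F]{40}\b")

Finding = Tuple[int, str, str]  # (1-based line number, reason, line text)


def scan(lines: List[str]) -> List[Finding]:
    """Return every line that names SHA-1 or carries a SHA-1-length digest."""
    findings: List[Finding] = []
    for number, text in enumerate(lines, start=1):
        if SHA1_NAME.search(text):
            findings.append((number, "sha1-name", text))
        elif SHA1_LENGTH_DIGEST.search(text):
            findings.append((number, "sha1-length-digest", text))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per reason so a migration backlog can be sized."""
    summary: dict = {}
    for _, reason, _ in findings:
        summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    hits = scan(SAMPLE_LINES)
    for number, reason, text in hits:
        print(f"line {number}: {reason}: {text}")
    print(summarize(hits))
```

Name matches are reliable evidence of SHA-1 configuration; length-only matches are leads to confirm by checking what produced the value. Either kind of finding points at a component whose replacement with SHA-2 or SHA-3 should be scheduled ahead of the 2030 cutoff.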
Celi explains that modules still using SHA-1 after 2030 can no longer be purchased by the federal government. Having eight years to submit an update might seem like more than enough time, but Celi warns that there could be a backlog of submissions as the deadline nears. Developers who want to avoid a potential validation delay should submit revised code sooner rather than later. ®
https://www.theregister.com/2022/12/16/nist_sets_sha1_retirement_date/ NIST gives time on SHA-1, sets deadline of 2030 • The Register