NIST calls to retire 27-year-old SHA-1 Cryptographic Algorithm
"We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible." This is part of a statement released by a representative from the National Institute of Standards and Technology (NIST). The agency is calling on IT professionals to phase out the cryptographic algorithm, which is now over 25 years old, in favour of the more secure SHA-2 and SHA-3 algorithms.
SHA-1 is an upgraded version of the SHA algorithm and became the first widely used method of securing electronic information in 1995. However, with the continued advancements in computing technologies, SHA-1 is no longer viable as it can easily be compromised using modern computers.
NIST has set Dec 31st as the official deadline to retire the obsolete cryptographic algorithm. After that, FIPS 180-5, the next revision of the government's hash standard, will come out, and it will not include SHA-1 as a supported specification. NIST will also update SP 800-131A and other related NIST publications to reflect the retirement of SHA-1.
SHA-1 will be remembered as the foundation for a number of security applications. It works by performing complex maths operations on the data that needs to be secured and then generating a new string of characters called a hash.
This process is usually not reversible, meaning you can't use the hashed string to figure out the original message. That is, unless someone creates a list of common messages and their corresponding digests in advance. They can then use this list, called a "lookup table", to find out what the original message was.
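The lookup-table point above, as an added example that is not part of the original article or of NIST's statement. The message list is constructed for illustration, and the example goes one step further than the text by running the same table against SHA-256 and SHA3-256, which shows that precomputation depends on how guessable the message is rather than on which hash is used.

```python
import hashlib

# Constructed sample of "common messages"; not data from the article.
COMMON_MESSAGES = ["yes", "no", "approve", "reject", "password123"]


def digest(message: str, algorithm: str = "sha1") -> str:
    """Hex digest of a UTF-8 message under the named hashlib algorithm."""
    return hashlib.new(algorithm, message.encode("utf-8")).hexdigest()


def build_lookup_table(messages, algorithm="sha1"):
    """Precompute digest -> message for every candidate message."""
    return {digest(m, algorithm): m for m in messages}


def reverse(observed_digest, table):
    """Return the original message if its digest was precomputed, else None."""
    return table.get(observed_digest.lower())


def demo():
    """Compare a guessable and a non-guessable message under each algorithm."""
    results = {}
    for algorithm in ("sha1", "sha256", "sha3_256"):
        table = build_lookup_table(COMMON_MESSAGES, algorithm)
        results[algorithm] = {
            # Each hex character encodes 4 bits of the digest.
            "digest_bits": len(digest("approve", algorithm)) * 4,
            # A message that is in the precomputed list is recovered.
            "common": reverse(digest("approve", algorithm), table),
            # A message nobody precomputed stays unrecovered.
            "uncommon": reverse(
                digest("approve invoice 7f3a-2291", algorithm), table
            ),
        }
    return results


if __name__ == "__main__":
    for algorithm, row in demo().items():
        print(algorithm, row)
```

Moving to SHA-2 or SHA-3 addresses the collision weakness described in the article; short or predictable inputs remain recoverable by table lookup under any unkeyed hash.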
That said, the biggest threat to SHA-1, and the reason it is being retired, is that modern computers can create two messages that lead to the same hash, potentially compromising an authentic message. This is known as a collision attack, and in 2011 it resulted in NIST disallowing federal agencies from using the algorithm in the creation of digital signatures.
The good news is that a huge segment of the tech industry has already moved on from SHA-1. Facebook, Google, Microsoft, and Mozilla were the first to retire the algorithm, and by 2017 no major browser was supporting SHA-1 certificates. Still, the algorithm remains popular in a number of applications.
However, according to the new directive, modules still using SHA-1 after 2030 will be ineligible for purchase by the federal government. And 7 years may seem like a lot of time to migrate, but NIST computer scientist Chris Celi advises organisations to act now to avoid the deadline rush.
“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that CMVP has time to respond,” Celi said.