NIST Finally Retires SHA-1, Kind Of (2024)

December 15, 2022

2 Min Read

Source: optimarc via Shutterstock

It is time to retire SHA-1, or the Secure Hash Algorithm-1, says the US National Institute of Standards and Technology (NIST). NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices.

The once-widely used algorithm is now easy to crack, making it unsafe to use in security contexts. NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013.

"We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible," NIST computer scientist Chris Celi said in a statement.

SHA-1 was among the seven hash algorithms originally approved for use in the Federal Information Process Standards (FIPS) 180-4. The next version of the government's standard, FIPS 180-5, will be final by the end of 2030 -- and SHA-1 will not be included in that version. That means after 2030, the federal government will not be allowed to purchase devices or applications still using SHA-1.

Developers need to make sure their applications don't use any components that support SHA-1 by that time. While it may seem like plenty of time to make updates, developers need to submit the applications to be certified as meeting FIPS requirements. It's better to get verified and recertified earlier rather than later, as there may be a backlog of revised code to review, NIST said.

"By completing their transition before December 31, 2030, stakeholders – particularly cryptographic module vendors – can help minimize potential delays in the validation process," NIST said.

Along with updating FIPS, NIST will revise NIST Special Publication (SP) 800-131A to reflect the fact that SHA-1 has been withdrawn, and will publish a transition strategy for validating cryptographic modules and algorithms.

SHA-1 has been on its way out for years. Major web browsers stopped supporting digital certifications based on SHA-1 in 2017. Microsoft dropped SHA-1 from Windows Update in 2020. But there are still legacy applications that support SHA-1.

While hashing is supposed to be one-way and not reversible, attackers have taken SHA-1 hashes of common strings and stored them in lookup tables, making it trivial to launch dictionary-based attacks.

Also, collision attacks – initially described as a theoretical attack in 2005 – became more practical in 2017. While individual strings produce unique hashes most of the time, the collision attack creates a situation where two different messages generate the same hash value, allowing attackers to use a different string to crack the hash.

FAQs

NIST Finally Retires SHA-1, Kind Of? ›

NIST Finally Retires SHA-1, Kind Of NIST Finally Retires SHA-1, Kind Of. SHA-1 was deprecated in 2011. NIST has set the hashing algorithm's final retirement date to Dec. 31, 2030.

Read On ›

Why do you think SHA-1 was retired? ›

The main threat to SHA-1 is the fact that today's powerful computers can create two messages that lead to the same hash, potentially compromising an authentic message – the technique is referred to as a 'collision' attack.

Discover More Details ›

What replaces SHA-1? ›

As such, it is recommended to remove SHA-1 from products as soon as possible and instead use SHA-2 or SHA-3. Replacing SHA-1 is urgent where it is used for digital signatures.

What are the obsolete hashing algorithms? ›

Both the SHA-1 and MD5 methods are deprecated, and should no longer be used for hashing.

See Details ›

What is the latest version of SHA? ›

SHA-3 (Secure Hash Algorithm 3) Family of Algorithms. SHA-3 is the latest addition to the SHA family. Developed via a public competition promoted by NIST, it's part of the same standard while being completely different from MD5, SHA-1 and SHA-2.

Find Out More ›

Is SHA-1 deprecated in NIST? ›

NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices. The once-widely used algorithm is now easy to crack, making it unsafe to use in security contexts. NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013.

Tell Me More ›

Why is SHA-1 weak? ›

In 2005, researchers demonstrated a collision attack against SHA1 that showed it was possible to create two distinct input messages that produced the same hash value. As a result, SHA1 was officially declared insecure by the National Institute of Standards and Technology (NIST) in 2011.

Show Me More ›

Why is MD5 no longer considered a reliable hashing algorithm? ›

Vulnerabilities: The MD5 algorithm has long been considered insecure for cryptographic purposes due to significant vulnerabilities. Researchers have demonstrated practical collision attacks against MD5, which allows for the creation of different inputs that produce the same hash value.

Explore More ›

What is the hardest hashing algorithm? ›

To the time of writing, SHA-256 is still the most secure hashing algorithm out there. It has never been reverse engineered and is used by many software organizations and institutions, including the U.S. government, to protect sensitive information.

Is there a better algorithm than SHA-256? ›

SHA-256 is a secure algorithm and is the most widely used. It is computed with 32-bit words. SHA-512 offers better security than SHA-256, but it is not widely used as of now. It is computed with 64-bit words.

Show Me More ›

Is SHA better than AES? ›

In summary, AES and SHA-256 serve different cryptographic purposes. AES is used for encryption and decryption to protect data confidentiality, while SHA-256 is used for hashing to ensure data integrity and authenticity. Both play essential roles in modern cryptography and security protocols.

Read The Full Story ›

Why is Sha-3 not used? ›

SHA-3 has been criticized for being slow on instruction set architectures (CPUs) which do not have instructions meant specially for computing Keccak functions faster – SHA2-512 is more than twice as fast as SHA3-512, and SHA-1 is more than three times as fast on an Intel Skylake processor clocked at 3.2 GHz.

See Details ›

Why is SHA-2 better than SHA-1? ›

SHA-1 offers weak security as it sometimes gives the same digest for two different data values, owing to its limited bit-length and therefore possible hash combinations, while SHA-2 produces a unique digest for every data value as a large number of combinations are possible in it (2^256 possible combinations for a 256- ...

Get More Info Here ›

How was SHA-1 broken? ›

Google publicly broke one of the major algorithms in web encryption, called SHA-1. The company's researchers showed that with enough computing power — roughly 110 years of computing from a single GPU for just one of the phases — you can produce a collision, effectively breaking the algorithm.

What are the risks of SHA-1? ›

The primary vulnerability of SHA-1 is its collision resistance, which means that it is possible to find two different messages that produce the same hash value.

Is SHA-1 old? ›

SHA-1, whose initials stand for “secure hash algorithm,” has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1. It is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993.

View Details ›

What is the difference between SHA-1 and SHA-2? ›

SHA-1 offers weak security as it sometimes gives the same digest for two different data values, owing to its limited bit-length and therefore possible hash combinations, while SHA-2 produces a unique digest for every data value as a large number of combinations are possible in it (2^256 possible combinations for a 256- ...