Jump to content
  • Goodbye SHA-1: NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm

    alf9872000

    • 497 views
    • 2 minutes
     Share


    • 497 views
    • 2 minutes

    The U.S. National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, announced Thursday that it's formally retiring the SHA-1 cryptographic algorithm.

     

    SHA-1, short for Secure Hash Algorithm 1, is a 27-year-old hash function used in cryptography and has since been deemed broken owing to the risk of collision attacks.

     

    While hashes are designed to be irreversible – meaning it should be impossible to reconstruct the original message from the fixed-length enciphered text – the lack of collision resistance in SHA-1 made it possible to generate the same hash value for two different inputs.

     

    In February 2017, a group of researchers from CWI Amsterdam and Google disclosed the first practical technique for producing collisions on SHA-1, effectively undermining the security of the algorithm.

     

    "For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract," the researchers said at the time.

     

    The cryptanalytic attacks on SHA-1 prompted NIST in 2015 to mandate federal agencies in the U.S. to stop using the algorithm for generating digital signatures, timestamps, and other applications that require collision resistance.

     

    According to NIST's Cryptographic Algorithm Validation Program (CAVP), which curates a list of approved cryptographic algorithms, there are 2,272 libraries that have been accredited since January 2018 and still support SHA-1.

     

    Besides urging users relying on the algorithm to migrate to SHA-2 or SHA-3 for securing electronic information, NIST is also recommending for SHA-1 be entirely phased out by December 31, 2030.

     

    "Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government," NIST computer scientist Chris Celi said. "Companies have eight years to submit updated modules that no longer use SHA-1."

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...