September 23, 2023

NIST has set the date of Dec. 31, 2030, to remove SHA-1 support from all software and hardware devices.

NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013. Since it became weak and easy to crack candidates.

SHA-1 was among the seven hash algorithms originally approved for use in the FIPS 180-4. The next version of the government’s standard, FIPS 180-5, will be final by the end of 2030. SHA-1 will not be included in that version. That means after 2030, the federal government will not be allowed to purchase devices or applications still using SHA-1.

Advertisements

Developers need to make sure their applications don’t use any components that support SHA-1 by that time. Though the timeline is so long, developers need to submit the applications to be certified as meeting FIPS requirements.

NIST Special Publication (SP) 800-131A will also get a revision to reflect the fact that SHA-1 has been withdrawn and will publish a transition strategy for validating cryptographic modules and algorithms.

Major web browsers stopped supporting digital certifications based on SHA-1 in 2017. Microsoft dropped SHA-1 from Windows Update in 2020. But there are still legacy applications that support SHA-1.

While hashing is supposed to be one-way and not reversible, attackers have taken SHA-1 hashes of common strings and stored them in lookup tables, making it trivial to launch dictionary-based attacks.

Advertisements

It’s been widely lead to collision attacks. Individual strings produce unique hashes most of the time, the collision attack creates a situation where two different messages generate the same hash value, allowing attackers to use a different string to crack the hash.

Leave a Reply

%d bloggers like this: