Bye Bye SHA-1 ! NIST set to retire it
NIST has set the date of Dec. 31, 2030, to remove SHA-1 support from all software and hardware devices.
NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013. Since it became weak and easy to crack candidates.
SHA-1 was among the seven hash algorithms originally approved for use in the FIPS 180-4. The next version of the government’s standard, FIPS 180-5, will be final by the end of 2030. SHA-1 will not be included in that version. That means after 2030, the federal government will not be allowed to purchase devices or applications still using SHA-1.
Developers need to make sure their applications don’t use any components that support SHA-1 by that time. Though the timeline is so long, developers need to submit the applications to be certified as meeting FIPS requirements.
NIST Special Publication (SP) 800-131A will also get a revision to reflect the fact that SHA-1 has been withdrawn and will publish a transition strategy for validating cryptographic modules and algorithms.
Major web browsers stopped supporting digital certifications based on SHA-1 in 2017. Microsoft dropped SHA-1 from Windows Update in 2020. But there are still legacy applications that support SHA-1.
While hashing is supposed to be one-way and not reversible, attackers have taken SHA-1 hashes of common strings and stored them in lookup tables, making it trivial to launch dictionary-based attacks.
It’s been widely lead to collision attacks. Individual strings produce unique hashes most of the time, the collision attack creates a situation where two different messages generate the same hash value, allowing attackers to use a different string to crack the hash.