It is time to retire SHA-1, or the Secure Hash Algorithm-1, says the US National Institute of Standards and Technology (NIST). NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices.
The once widely used algorithm is now practical to attack, making it unsafe to use in security contexts. NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013.
"We recommend that anyone relying on SHA-1 for security migrate to SHA-2 or SHA-3 as soon as possible," NIST computer scientist Chris Celi said in a statement.
SHA-1 was among the seven hash algorithms originally approved for use in the Federal Information Processing Standards (FIPS) 180-4. The next version of the government's standard, FIPS 180-5, will be final by the end of 2030 -- and SHA-1 will not be included in that version. That means after 2030, the federal government will not be allowed to purchase devices or applications still using SHA-1.
Developers need to make sure their applications don't use any components that support SHA-1 by that time. While it may seem like plenty of time to make updates, developers need to submit the applications to be certified as meeting FIPS requirements. It's better to get verified and recertified earlier rather than later, as there may be a backlog of revised code to review, NIST said.
"By completing their transition before December 31, 2030, stakeholders – particularly cryptographic module vendors – can help minimize potential delays in the validation process," NIST said.
Along with updating FIPS, NIST will revise NIST Special Publication (SP) 800-131A to reflect the fact that SHA-1 has been withdrawn, and will publish a transition strategy for validating cryptographic modules and algorithms.
SHA-1 has been on its way out for years. Major web browsers stopped accepting digital certificates signed with SHA-1 in 2017. Microsoft dropped SHA-1 from Windows Update in 2020. But there are still legacy applications that support SHA-1.
While a hash function is supposed to be one-way and not reversible, attackers have precomputed SHA-1 hashes of common strings and stored them in lookup tables, making it trivial to recover an unsalted input from its hash with a dictionary-based attack.
Also, collision attacks – initially described as a theoretical attack in 2005 – became more practical in 2017. While distinct inputs normally produce distinct hashes, a collision attack deliberately constructs two different messages that produce the same hash value, allowing an attacker to substitute one message for the other wherever only the hash is checked.