Updated on 2022-12-19
Owing to the evolving security standards, NIST has set a timeline to remove the support for the SHA-1 algorithm from all hardware and software devices. The agency recommends switching to SHA-2 or SHA-3 for securing electronic information. Read more: NIST Transitioning Away from SHA-1 for All Applications
Updated on 2022-12-16: NIST retires SHA-1
US NIST has announced the formal retirement of the SHA-1 cryptographic algorithm and has asked IT professionals, companies, and software vendors to replace it with SHA-2 or SHA-3 and phase it out by the end of 2030. Read more: NIST Retires SHA-1 Cryptographic Algorithm
Overview: NIST Retires SHA-1 Cryptographic Algorithm, Slowly
The US National Institute of Standards and Technology (NIST) has retired the SHA-1 cryptographic algorithm, which was introduced more than 25 years ago. NIST recommends that organizations should migrate to SHA-2 or SHA-3 by the end of the 2030 calendar year.
Note
- SHA-1 has known weaknesses and various PoC attacks have already been released taking advantage of SHA-1. However, remember that removing SHA-1 from legacy software will first of all take time, and secondly, depending on the use case, SHA-1 may not be a huge problem for some software. The 2030 deadline was implemented not because SHA-1 will all for sudden fail horribly in 2030 but because this is the earliest reasonable deadline for such a major change.
- While SHA-1 has been cryptographically nullified since 2017, moving away from it requires active steps. You’re going to have to identify all the services which are still using it and move them to at least SHA-2. There are some easy wins here, e.g., update the certificate and reconfigure any certificate authorities to not use SHA-1; all certificates will have aged out well before 2030. Also stop publishing SHA-1 checksums so the issue isn’t perpetuated.
- Since collision attacks against SHA-1 were made real in 2017, waiting 13 years overall to ban government buying of a known compromised algorithm is too long. An earlier deadline with a defined waiver process now is a much better approach than pushing it out 8 years from now.
- Attacks against SHA-1 have been known for over 17 years. Replacement algorithms for SHA-1 have been available for well over a decade. Why not leverage the recent USG mandate to inventory assets [susceptible to quantum computer attack], to identify and replace SHA-1 with SHA-3 in the next year or two.
- Collisions are fundamental and inevitable. While collision attacks can be demonstrated, they are not cheap and do not appear “in the wild.” That said, replacing SHA-1 with more robust algorithms, while not urgent, is efficient.
Read more in
- NIST Retires SHA-1 Cryptographic Algorithm
- NIST Finally Retires SHA-1, Kind Of
- NIST says you better dump weak SHA-1 … by 2030
- NIST retires an early cryptographic algorithm
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
