[Information] SHA1 deprecation

Discussion in 'Chit Chat' started by QuantumBug, Feb 29, 2016.

  1. QuantumBug

    QuantumBug MDL Developer

    Mar 7, 2012
    #1 QuantumBug, Feb 29, 2016
    Last edited: Mar 1, 2016
    Can admin please move this somewhere more, appropriate? Please.

    What is SHA-1?:

    Introduced by the NSA in 1995 as part of the digital signature algorithm, the Secure Hash Algorithm (SHA-1) serves as a cryptographic hash function which is 160 bits (20 bytes) in size and consists of 40 hexadecimal characters. It's structure is defined by the Merkle-Damgård construction.

    Now it's time for everyone to stop using this weak hash function.

    Why must I stop using it?:

    SHA-1 serves as a check for anything digital. It's used as a fingerprint for certificates and it can also be used to match one file to another, or plain text to prove a said "file" has not been maliciously edited.

    Recently with computing enhancements a collision attack can be produced matching fingerprints for two completely different messages, this can then be exploited to create deceptive digital signatures allowing hackers to break encrypted communications, or even go as far making a maliciously edited file appear legitimate.

    What can I do?:

    Move to another hash function before it's too late, once SHA-1 has been completely broken any services that use this algorithm could be compromised by a remote attacker. It's suggested SHA-1 is so weak it could be reversed in as little as three months now crackers know this information. Be it a black hat, grey hat or white hat the information always goes public so administrators and developers are forced to upgrade their security.

    1. I personally recommend mitigating to SHA-2 or SHA-3
    2. Update to SHA-2 SSL (Older platforms may not support the SHA-2 or SHA-3 hash function)
    3. Developers should not use SHA-1 for self checks anymore


    The Secure Hash Algorithm 3 was created by a group of independent researchers and is part of the SHA family. Unfortunately I don't know much about SHA-3, but you can always read the Wiki page.

    Some bed time reading:

    Symantec: Transition from SHA-1 to SHA-2
    Microsoft: SHA-1 deprecation update
    Google: Gradually sunsetting SHA-1

    Wikipedia: Checksum, SHA-1, SHA-2, SHA-3.

    Discussion welcome from all on how to help others enhance their security.
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...