NIST retires SHA-1 cryptographic algorithm

The National Institute of Standards and Technology (NIST) has decided to discontinue the SHA-1 algorithm after nearly 30 years, due to cryptographic vulnerabilities. “The SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life,” said NIST.

The secure hash algorithm has become increasingly targeted by sophisticated malware since its inception in 1995.

NIST states that other approved hash functions are already available, and the transition away from SHA-1 will be completed by December 31, 2030. “NIST will transition away from the use of SHA-1 for applying cryptographic protection to all applications by December 31, 2030,” according to a new press release.

“Today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message,” it said. “These ‘collision’ attacks have been used to undermine SHA-1 in recent years.”

NIST’s plan is outlined in three steps ahead of the December 31, 2030 deadline:

  • Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification,
  • Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1, and
  • Create and publish a transition strategy for the Cryptographic Module Validation Program (CMVP) and the Cryptographic Algorithm Validation Program (CAVP).

Cryptographic module vendors and other stakeholders are encouraged to begin their transition now, as the vulnerabilities in SHA-1 will only increase.

Standards organizations, validation testing laboratories, government agencies, and other stakeholders will be able to work with NIST to complete the transition.

