The SHA-1 hash algorithm has been retired by NIST (National Institute of Standards and Technology), an official U.S. government body, which now recommends that anyone still using it upgrade to newer and stronger hash algorithms like SHA-2 and SHA-3.
First published in 1995 by NIST, the SHA-1 algorithm became one of the most widely used tools for encrypting sensitive data online, including user passwords, documents, messages, and more.
Encryption is a “structured scrambling” of data to prevent unauthorized individuals from reading it, allowing only those holding a valid decryption key to access it.
For example, VPN programs and secure instant messaging apps use end-to-end asymmetric encryption involving a public and a private key to scramble network traffic data and messages, respectively, addressing the risk of man-in-the-middle attacks.
Even if a threat actor manages to snoop on the data channels of these apps, they won’t be able to decipher the captured data, and so the breach won’t have any adverse effect.
The problem with encryption algorithms is that they can be broken, and one way to do this is by employing raw computer power to guess the decryption key.
For strong enough ciphers, attempting to break them using modern-day processors is impractical, but older algorithms can be easily brute-forced.
Until 2005, SHA-1 was generally considered secure “against well-funded opponents,” but as of 2010, organizations were already moving to newer and more robust algorithms.
In 2017, all major web browsers stopped accepting SHA-1 SSL certificates, while Microsoft stopped issuing SHA-1-based code signature certificates in 2020.
NIST Gradual Retirement
NIST has been using SHA-1 since 1995 as part of the FIPS 180-1 standard but proceeded to deprecate its use in 2011, and two years later, it decided to disallow its use for digital signatures.
Today, the agency announced that SHA-1 should be completely phased out from all critical systems by December 31, 2030, giving all Federal agencies eight years to adjust to the new requirement.
“As today’s increasingly powerful computers are able to attack the algorithm, NIST is announcing that SHA-1 should be phased out by Dec. 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.”
“Today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message. These “collision” attacks have been used to undermine SHA-1 in recent years.”
– NIST
After 2030, Federal Government agencies will be forbidden from purchasing software products or code modules still using SHA-1.
Some even criticize the agency for giving the state too large of a time margin to implement the new security requirement, leaving sensitive data at risk.
People should keep in mind that the same will happen with algorithms considered secure today, so leaked data that’s encrypted, like hashed passwords in data dumps, may be very easily deciphered in the near future.
This fear is further fueled by the rise of quantum computers, which are expected to be several times more powerful than conventional processors we use today, and capable of breaking “unbreakable” ciphers in mere seconds.
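Meeting the 2030 deadline starts with knowing where SHA-1 is still selected in code. The following is an added example, not from NIST or this article, that scans source text for call sites choosing SHA-1 in common crypto APIs; the pattern list, function names and sample lines are constructed assumptions, not an exhaustive inventory.

```python
import re
from pathlib import Path

# Call sites that select SHA-1 in widely used crypto APIs. This list is an
# assumption of the example, not an exhaustive or NIST-provided inventory.
PATTERNS = {
    "python-hashlib": re.compile(r"hashlib\.(?:sha1\b|new\(\s*['\"]sha-?1['\"])", re.I),
    "java-jca": re.compile(r"getInstance\(\s*\"(?:SHA-?1|SHA1with\w+)\"", re.I),
    "openssl-evp": re.compile(r"\bEVP_sha1\s*\("),
    "node-crypto": re.compile(r"create(?:Hash|Sign|Verify)\(\s*['\"](?:RSA-)?sha-?1['\"]", re.I),
    "go-crypto": re.compile(r"\"crypto/sha1\"|\bsha1\.(?:New|Sum)\b"),
    "dotnet": re.compile(r"\bSHA1(?:\.Create\(|Managed\b|CryptoServiceProvider\b)"),
}

def scan_text(name, text):
    """Return (file, line_no, api, source_line) for every SHA-1 call site."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for api, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no, api, line.strip()))
    return findings

def scan_tree(root, suffixes=(".py", ".java", ".c", ".js", ".go", ".cs")):
    """Scan every source file under root; undecodable bytes are replaced."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample input (not taken from any real project). SHA-2 and SHA-3
# lines are included to show that stronger digests are not reported.
SAMPLE = '''\
import hashlib
digest = hashlib.sha1(data).hexdigest()
safe = hashlib.sha256(data).hexdigest()
md = MessageDigest.getInstance("SHA-1");
sig = Signature.getInstance("SHA256withRSA");
h := sha1.Sum(payload)
const mac = crypto.createHash('sha1').update(body).digest('hex');
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestInit_ex(ctx, EVP_sha3_256(), NULL);
'''

if __name__ == "__main__":
    for file, line_no, api, src in scan_text("sample.txt", SAMPLE):
        print(f"{file}:{line_no}: [{api}] {src}")
```

Pointing `scan_tree` at a repository root gives a starting list for review; each hit still needs a human decision on whether it is a security use that must migrate.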
BoBeX
Hi RP,
This article goes some way to answering my question asked earlier today in your previous article.
Thank you.
From a regulatory point of view, would a law that says, firstly, an organisation should not store unnecessary PII; and secondly where storing the PII is necessary it must be encrypted, go a long way to resolve this matter of frequent data breaches? (I am assuming that all or most breaches of data are occurring where the data is stored in plain text.)
Handyman Dave
I personally think that would help, but the big problem is all of the data being collected and shared with third parties, which themselves can be hacked. This opens up a mess. I like Australia’s new laws for fines and not paying ransomware groups, that should hopefully help the situation, but perhaps not. The hackers could just sell the data to other hackers, rather than trying to extort the company. Sorry, no easy solutions.