[cryptography] Should Sha-1 be phased out?

Michael Kjörling michael at kjorling.se
Thu Oct 15 15:50:01 EDT 2015

On 14 Oct 2015 13:39 -0400, from kevinsisco61784 at gmail.com (Kevin):
> http://www.networkworld.com/article/2990801/sha-1-hashing-algorithm-could-succumb-to-75k-attack-researchers-say.html

To answer the question in the subject line: SHA-1 is already being
phased out, particularly in areas where collision resistance matters.
Just like MD5, there are still situations in which SHA-1 provides a
fully adequate level of security even _if_ finding collisions was
actually easy, and there are mitigative strategies that can be used to
make finding useful collisions much harder (such as using multiple
hash algorithms in tandem, or iterative hashing). A major use for even
a cryptographic hash algorithm where collisions can be found
reasonably easily is as a compression function for password hashing.

With the above said, new designs that need collision resistance should
obviously use more secure hash algorithms, and even more than that,
should probably plan ahead for when _those_ algorithms reach the end
of their useful life and allow for a migration strategy. SSL/TLS
certificates allow for a migration strategy, which is why the fact
that we no longer trust previously MD5 and now SHA-1 doesn't
immediately break everything.

For SHA-1 sunsetting, see for example [1], [2], both of which are over
a year old. SHA-1 is on schedule to be sunset for TLS certificates at
the end of 2016; the major browsers don't consider SHA-1 based
certificates which are valid after 1 Jan 2017 to be trustworthy, which
with the one-year commonly selected validity period of CA-signed
certificates means we are only a few months away from starting to see
this in practice. It's possible that this schedule is overly
optimistic in light of recent events, but even so, that's moving SHA-1
from basically ubiquitous to actually untrusted in two and a half
years, which is already quite fast. It would seem likely to me that
accelerating the sunset of SHA-1 at this point would cause massive
disruption, considering that people probably are making plans based on
the announced dates.

 [1]: https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

 [2]: https://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html

Michael Kjörling • https://michael.kjorling.semichael at kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
                 “People who think they know everything really annoy
                 those of us who know we don’t.” (Bjarne Stroustrup)

More information about the cryptography mailing list