NIST Retires Decades-Old Secure Hash Algorithm

The National Institute of Standards and Technology has retired a cryptographic algorithm that was used for security applications such as website validation.

Secure Hash Algorithm 1 became part of the Federal Information Processing Standard in 1995 and remained active despite the emergence of more sophisticated threats from more powerful computers. It works by performing complex mathematical operations on messages to produce a hash and using that to identify if a message was compromised.

One danger of using SHA-1, according to NIST, is that it might be inefficient in protecting critical processes like digital signature creation. The agency also hinted that the algorithm might not be able to stop attacks that use more sophisticated computers to create fraudulent messages that recreate the original hash.

NIST decided to retire SHA-1 because of vulnerabilities that it said made future use inadvisable. SHA-1 will be replaced with more secure algorithms from the SHA-2 and SHA-3 groups by Dec. 31, 2030, FedScoop reported.

Chris Celi, a computer scientist at NIST, said the federal government will no longer allow the purchase of modules that still use SHA-1 after 2030. Celi added that companies can use the time to submit updated modules that do not use the retired algorithm.

NIST plans to publish a revision to FIPS and other publications affected by SHA-1’s retirement. The agency is also considering creating a transition strategy for validating cryptographic modules and algorithms before the end of 2030.

NIST’s decision to retire SHA-1 follows the White House’s issuance of aggressive deadlines for agencies to develop post-quantum cryptography strategies amid concerns that adversaries can use cryptography to crack traditional encryption techniques.