RIP SHA-1: Hashing algorithm nears death as developers pull support

open source
(Image credit: Shutterstock)

Two open-source Secure Shell libraries have pulled support for the Secure Hash Algorithm 1 (SHA-1), used for the past 20 years to verify the integrity of software, digital signatures and other data, due to longstanding security concerns.

According to a report by Ars Technica, developers using the OpenSSH and Libssh libraries will no longer be able to access SHA-1 for digitally signing their encryption keys from this week.

The announcement was made in the form of release notes and a code update published by OpenSSH and libssh, confirming for many the end of SHA-1. 

SHA-1, a cryptographic hash function first developed in 1995, is used for producing hash "digests," each 40 hexadecimal characters long. The digests are meant to be distinct for every message, file and function. 

Any string of text or data will, in theory, produce a unique SHA-1 hash. So the input "password" results in the hash output "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8". 

But the input "Password," with a capital P, gives us the far different output "8BE3C943B1609FFFBFC51AAD666D0A04ADF83C9D".

While SHA-1 has proven useful to many, researchers have shown how it can be leveraged by cyber criminals for creating forged digital signatures.

In 2005, it was demonstrated that with enough computing power, one could find two different inputs that resulted in the same SHA-1 output -- a hash "collision." That means an attacker of relatively modest means could spoof a cryptographic signature using SHA-1.

This year has certainly signalled the end of the road for SHA-1. In January, researchers identified a new collision attack that cost only $45,000. 

That was a "chosen-prefix" attack, which is very serious because it means that it's possibly to modify an existing input yet still end up with the same SHA-1 hash -- a potential boon to forgers, crooks and malicious hackers crooks everywhere. An attacker could use this method to tamper with a document or software in a way that would pass SHA-1-based integrity checks.

Better alternatives out there

In its explanation for removing SHA-1, OpenSSH referenced this research: “It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the 'ssh-rsa' public key signature algorithm by default in a near-future release.”

OpenSSH went on to point out that there are better alternatives out there, including RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. It added: “These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms. 

“These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.”

TOPICS

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!

Latest in Online Security
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
An FBI agent typing on a computer
FBI issues warning to millions of Americans to avoid these websites that can steal your passwords and banking info
How to delete TikTok
TikTok has rolled out a vital new security feature — here's how to use it
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
Latest in News
back of Iris Pixel 9a
Google Pixel 9a pre-orders delayed due to 'component quality issue' — here's when you can get one
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Sony A95K QD-OLED TV in front of windows in a living room
This new TV breakthrough looks like a game-changer for OLED TVs
Apple iPhone 16 & 16 Plus hands-on.
Forget USB-C — a truly portless iPhone just got the all-clear from the EU
Samsung Galaxy Z Flip 6 features on outer cover display
Samsung Galaxy Z Flip FE may arrive 'months' after the Z Flip 7 — here's why
ExpressVPN logo above mobile devices
ExpressVPN lays off undisclosed number of employees