Secure Hash Algorithm 1
(also SHA-1)
Secure Hash Algorithm 1 definition
Secure Hash Algorithm 1 is a cryptographic hash function that produces a 160-bit (20-byte) hash value, commonly represented as a 40-character hexadecimal number.
SHA-1 was used in various security protocols, including TLS and SSL, PGP, SSH, and IPsec. Over time, cryptographic researchers identified potential vulnerabilities in the algorithm — the most significant being the “collision attack,” where two different sets of data produce the same hash value.
Many organizations recommended transitioning from SHA-1 to stronger hash functions like SHA-256 (part of the SHA-2 family).
See also: cryptographic algorithm, cryptographic hash function, SSL encryption, PGP encryption
History of Secure Hash Algorithm 1
SHA was designed by the National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST) in 1993. This original version is now often referred to as SHA-0.
In 1995, NIST released a revised version of the algorithm, now known as SHA-1, which fixed a weakness identified in SHA-0. SHA-1 produced a 160-bit (20-byte) hash value.
Due to its endorsement by NIST, SHA-1 became a standard component in a wide range of security applications and protocols, including the Digital Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS), TLS, SSL, PGP, SSH, IPsec, and more.
In 2000, researchers began raising theoretical concerns about potential vulnerabilities in SHA-1. In 2005, cryptanalysts discovered practical collision vulnerabilities, showing that SHA-1 was weaker than previously thought.
By 2017, the first practical collision for SHA-1 was demonstrated by a team from Google Research and the CWI Institute in Amsterdam. This was the breaking point, cementing the understanding that SHA-1 should not be used for security-critical applications.
Despite its weaknesses for cryptographic uses, SHA-1 is still used in some security critical applications where its vulnerabilities are less relevant.