It’s time to replace SHA-1 certificates

It has been 20 years since SHA-1, the world’s most used encryption method, was released.

SHA-1 is an encryption method developed by the National Security Agency of the United States and is considered a federal information processing standard for the Government of that country. The method of output of SHA-1 produces a 160 bits (20 bytes) secure hash value, equivalent to an hexadecimal number of 40 digits long.

In 2005 were published two investigations in which big vulnerabilities in this mechanism were demonstrated. It happens that the hashes have a natural enemy called “collisions”. Collisions are the possibility of encountering an identifier that is notunique, i.e. that a same SHA-1 represent two different incoming data flows through brute force attacks.

By definition, we could say that there is 1 chance in 1208925819614629174706176 (280) of generating collisions in SHA-1. However, at the beginning of 2005, a group of Chinese researchers reduced the number of attempts to 269. Finally, researches of the Macquarie University of Australia were able to reduce it to 252 (about 2000 times faster than expected).

As a result, the CA/Browser Forum recommended in 2011 start to leave SHA-1 as soon as possible. In fact, the Government of the United States stopped using this mechanism in 2010.

About SHA-2