NIST makes a hash of SHA-1 ban

Summary:The National Institute of Standards and Technology has declared that "SHA-1 shall not be used for digital signature generation after December 31, 2013." So why are they still using it?

Three years ago in January, 2011, NIST (the National Institute of Standards and Technology) issued NIST Special Publication 800-131A, setting forth rules and recommendations for the use of certain cryptographic standards. They've just been caught violating one of those rules themselves.

It is normal in cryptography that the newest and most secure standards will, before too long, become old and less secure. Therefore we must advance, slowly but continuously, to newer standards which, for a time, are at least impractical to break.

One of the most basic features in modern cryptography is the cryptographic hash function. It is an algorithm which takes a block of data as input and generates from it a value, known as a hash or digest, of a certain size. In a good hash function there is no way to tell anything about the data from the hash and even a small change in the input data will cause the hash to be substantially different. But eventually clever research and raw computing horsepower tend to uncover weaknesses in these algorithms.

Not too long ago the standard in hashes was MD-5, but not anymore. For years it has been compromised. The next generation hash, the dominant one in use today, is SHA-1, created by NIST. No genuine, practical attacks have yet been demonstrated publicly for SHA-1, but theoretical attacks have been shown and the writing is on the wall. So three years ago, in Special Publication 800-131A, NIST declared that "SHA-1 shall not be used for digital signature generation after December 31, 2013."

After that date (which, if you haven't noticed, was over a month ago), SHA-2 or better must be used. SHA-2 uses basically the same hash algorithm as SHA-1, but with larger hash sizes: SHA-1 uses a 160-bit hash; SHA-2 can use hash sizes of 224, 256, 384, or 512 bits. There is a new SHA-3 endorsed by NIST, but it's far too early to expect people to have implemented it.

So on Tuesday Netcraft, an Internet research company, noticed that NIST.gov itself has 2014-dated SSL certificates using SHA-1 hashes. This may seem like hypocrisy or at least a mistake, but the fact is that almost nobody uses SHA-2 in certificates yet. Not NIST, not VeriSign, not nobody.

A few months ago  Microsoft announced the end of support for SHA-1 in code signatures  — but not until 2016. At or around the same time they made other announcements about the deprecation of other older crypto standards.

I don't want to get too down on  NIST, which hasn't had it easy as of late . Clearly the absence of real world weaknesses in SHA-1 has dampened the motivation to move beyond it. But it's not like they couldn't. NIST bought the most recent certificates from VeriSign, and VeriSign does allow for SHA-2 with RSA in their certificates.

Of course, it's better if we (meaning all of us) get on with the business of moving on from SHA-1, even if there are no immediate problems. But who's going to go to even the mild trouble of trying something different if even NIST won't do so to follow their own rules? Maybe they know something we don't?

nist.gov.cert.moz

Topics: Security

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.