NIST makes a hash of SHA-1 ban

The National Institute of Standards and Technology has declared that "SHA-1 shall not be used for digital signature generation after December 31, 2013." So why are they still using it?

Three years ago in January, 2011, NIST (the National Institute of Standards and Technology) issued NIST Special Publication 800-131A, setting forth rules and recommendations for the use of certain cryptographic standards. They've just been caught violating one of those rules themselves.

It is normal in cryptography that the newest and most secure standards will, before too long, become old and less secure. Therefore we must advance, slowly but continuously, to newer standards which, for a time, are at least impractical to break.

One of the most basic features in modern cryptography is the cryptographic hash function. It is an algorithm which takes a block of data as input and generates from it a value, known as a hash or digest, of a certain size. In a good hash function there is no way to tell anything about the data from the hash and even a small change in the input data will cause the hash to be substantially different. But eventually clever research and raw computing horsepower tend to uncover weaknesses in these algorithms.

Not too long ago the standard in hashes was MD-5, but not anymore. For years it has been compromised. The next generation hash, the dominant one in use today, is SHA-1, created by NIST. No genuine, practical attacks have yet been demonstrated publicly for SHA-1, but theoretical attacks have been shown and the writing is on the wall. So three years ago, in Special Publication 800-131A, NIST declared that "SHA-1 shall not be used for digital signature generation after December 31, 2013."

After that date (which, if you haven't noticed, was over a month ago), SHA-2 or better must be used. SHA-2 uses basically the same hash algorithm as SHA-1, but with larger hash sizes: SHA-1 uses a 160-bit hash; SHA-2 can use hash sizes of 224, 256, 384, or 512 bits. There is a new SHA-3 endorsed by NIST, but it's far too early to expect people to have implemented it.

So on Tuesday Netcraft, an Internet research company, noticed that itself has 2014-dated SSL certificates using SHA-1 hashes. This may seem like hypocrisy or at least a mistake, but the fact is that almost nobody uses SHA-2 in certificates yet. Not NIST, not VeriSign, not nobody.

A few months ago  Microsoft announced the end of support for SHA-1 in code signatures  — but not until 2016. At or around the same time they made other announcements about the deprecation of other older crypto standards.

I don't want to get too down on  NIST, which hasn't had it easy as of late . Clearly the absence of real world weaknesses in SHA-1 has dampened the motivation to move beyond it. But it's not like they couldn't. NIST bought the most recent certificates from VeriSign, and VeriSign does allow for SHA-2 with RSA in their certificates.

Of course, it's better if we (meaning all of us) get on with the business of moving on from SHA-1, even if there are no immediate problems. But who's going to go to even the mild trouble of trying something different if even NIST won't do so to follow their own rules? Maybe they know something we don't?