Hashing out encryption

"Hash Functions: Practical Implications of Recent Analytic Results"

Federal agencies have been put on notice that National Institute of Standards and Technology officials plan to phase out a widely used cryptographic hash function known as SHA-1 in favor of larger and stronger hash functions such as SHA-256 and SHA-512.

The change will affect many federal cryptographic functions that incorporate hashes, particularly digital signatures, said William Burr, manager of NIST's security technology group, which advises federal agencies on electronic security standards.

"There's really no emergency here," Burr said. "But you should be planning how you're going to transition — whether you're a vendor or a user — so that you can do better cryptography by the next decade."

Hashing is used to prevent tampering with electronic messages. A hash is a numerical code generated from a string of text when a message is sent. The receiving system checks it against a hash it creates from the same text, and if they match, the message was sent intact.

Speaking at a recent meeting of the federal Public Key Infrastructure Technical Working Group at NIST, Burr said some critics have questioned the security of the government-developed SHA-1 after some researchers managed to break a variant of the SHA-1 hash function last year.

But Burr said no complete implementation of the SHA-1 function has been successfully attacked. "SHA-1 is not broken," he said, "and there is not much reason to suspect that it will be soon." But advances in computer processing capability make it prudent to phase out SHA-1 by 2010, he said.

Burr said other widely used hash functions such as MD5 are vulnerable to attack and their use should be discontinued. "If by some chance you are still using MD5 in certificates or for digital signatures, you should stop," he said.
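The send-and-compare check described above, combined with the algorithm guidance Burr gives, as an added example that is not part of the original article. The `POLICY` table, the `algorithm:hexdigest` tag format and the function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed policy table mirroring the article: stop using MD5, plan the move
# off SHA-1, prefer SHA-256 / SHA-512.
POLICY = {
    "md5": "reject",
    "sha1": "phase-out",
    "sha256": "ok",
    "sha512": "ok",
}


def make_tag(message: bytes, algorithm: str) -> str:
    """Sender side: hash the message and label the digest with its algorithm."""
    return f"{algorithm}:{hashlib.new(algorithm, message).hexdigest()}"


def check_message(message: bytes, tag: str) -> tuple:
    """Receiver side: recompute the hash and compare it with the one received.

    Returns (accepted, reason). The algorithm policy is applied before any
    hashing, so a rejected algorithm is never computed.
    """
    algorithm, _, sent_digest = tag.partition(":")
    name = algorithm.lower()
    status = POLICY.get(name, "unknown")
    if status in ("reject", "unknown"):
        return False, f"{name}: algorithm not accepted"
    computed = hashlib.new(name, message).hexdigest()
    # Constant-time comparison of the two hex digests.
    if not hmac.compare_digest(computed.encode(), sent_digest.lower().encode()):
        return False, f"{name}: digest mismatch, message altered"
    if status == "phase-out":
        return True, f"{name}: intact, but plan migration"
    return True, f"{name}: intact"


if __name__ == "__main__":
    msg = b"Purchase order 17: 40 units"  # constructed sample message
    tag = make_tag(msg, "sha256")
    print(check_message(msg, tag))                              # unchanged
    print(check_message(b"Purchase order 17: 90 units", tag))   # altered
    print(check_message(msg, make_tag(msg, "sha1")))            # still accepted, flagged
    print(check_message(msg, "md5:" + "0" * 32))                # refused outright
```

In a digital signature the digest is the value that gets signed, so the same policy check applies to the hash algorithm named in a certificate or signature.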
