NIST says agencies should begin move to stronger hashing tools

The National Institute of Standards and Technology is urging agencies to begin migrating away from the flawed SHA-1 hashing algorithm in favor of stronger algorithms.

A family of Secure Hashing Algorithms has been approved under Federal Information Processing Standard 180-2 for federal use to create a secure message digest—or a hash—of digital documents. Any alteration to the document will result in a different hash, so the hash can be used to time-stamp, sign or otherwise authenticate a document. Like any cryptographic function, an algorithm’s strength lies in its ability to resist attacks from increasingly powerful computers, and SHA-1 has been around since 1994.

Researchers reported last year that they had broken SHA-1 for some functions, prompting concern about its continued use.

“Due to advances in computing power, NIST already planned to phase out SHA-1 in favor of the larger and stronger hash functions (SHA-224, SHA-256, SHA-384 and SHA-512) by 2010,” NIST said at that time, and advised agencies to “develop plans on a timely basis for an orderly transition.”

NIST strengthened its recommendation Wednesday, saying “federal agencies should stop using SHA-1 for digital signatures, digital time stamping and other applications that require collision resistance as soon as practical.”

After 2010, SHA-1 can be used only for hash-based message authentication codes, key derivation functions and random number generators.

“Regardless of use, NIST encourages application and protocol designers to use the SHA-2 family of hash functions for all new applications and protocols,” NIST said.

About the Author

Connect with the GCN staff on Twitter @GCNtech.
