The U.S. National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, announced Thursday that it's formally retiring the SHA-1 cryptographic algorithm.
While hashes are designed to be irreversible – meaning it should be impossible to reconstruct the original message from the fixed-length digest – the lack of collision resistance in SHA-1 made it possible to generate the same hash value for two different inputs.
In February 2017, a group of researchers from CWI Amsterdam and Google disclosed the first practical technique for producing collisions on SHA-1, effectively undermining the security of the algorithm.
"For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract," the researchers said at the time.
The cryptanalytic attacks on SHA-1 prompted NIST in 2015 to mandate that federal agencies in the U.S. stop using the algorithm for generating digital signatures, timestamps, and other applications that require collision resistance.
According to NIST's Cryptographic Algorithm Validation Program (CAVP), which curates a list of approved cryptographic algorithms, as many as 2,272 libraries accredited since January 2018 still support SHA-1.
Besides urging users relying on the algorithm to migrate to SHA-2 or SHA-3 for securing electronic information, NIST is also recommending that SHA-1 be entirely phased out by December 31, 2030.
"Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government," NIST computer scientist Chris Celi said. "Companies have eight years to submit updated modules that no longer use SHA-1."