A shockwave reverberated throughout the data security community earlier this year when a team of Chinese researchers exposed a flaw in the 10-year-old Secure Hashing Algorithm, or SHA-1, which has long served as the official standard for creating and verifying digital signatures. The National Institute of Standards and Technology (NIST) is considering the matter, though the group’s John Kelsey said that it is likely to involve other organizations should it adopt a new standard. While the vulnerability discovered is still only of theoretical value, that is likely to change as computing speeds increase. NIST is weighing two options: updating SHA-1, or scrapping the standard altogether and undertaking the long process of testing and selecting a replacement. There is some concern that SHA-1 variants could be susceptible to the same vulnerabilities as the current version.

Hash algorithms take in data of any kind and produce a fingerprint that is meant to be unique and that is supposed to change completely if even a single letter of the input is altered. The vulnerability arises when a hacker can replicate a fingerprint, an event called a hash collision, which could enable a criminal to drain a bank account or sign a contract on someone else’s behalf.

Should NIST opt to replace SHA-1, hundreds of protocols in use by Web browsers, remote logins, and VPNs, among others, would have to be restructured to embrace the new standard. While its decision in the immediate future is uncertain, NIST has declared its intention to abandon SHA-1 by 2010 at the latest.
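The fingerprint and collision behaviour described above can be seen in a short added example (not from the original article, and not the researchers' attack). It assumes a deliberately shortened SHA-1 fingerprint so that collisions are cheap to find, which shows how the cost of a collision depends on the effective fingerprint size; all function names and messages are constructed for illustration.

```python
import hashlib
from itertools import count


def sha1_bits_changed(a: bytes, b: bytes) -> int:
    """Count differing bits (out of 160) between SHA-1(a) and SHA-1(b)."""
    da = int.from_bytes(hashlib.sha1(a).digest(), "big")
    db = int.from_bytes(hashlib.sha1(b).digest(), "big")
    return bin(da ^ db).count("1")


def truncated_sha1(msg: bytes, bits: int) -> int:
    """Return only the leading `bits` bits of the SHA-1 digest."""
    if not 1 <= bits <= 160:
        raise ValueError("bits must be between 1 and 160")
    full = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits: int, prefix: bytes = b"constructed-message-"):
    """Birthday search over constructed messages.

    Returns (m1, m2, attempts) where m1 != m2 but both share the same
    truncated fingerprint.
    """
    seen = {}  # truncated fingerprint -> first message that produced it
    for i in count():
        msg = prefix + str(i).encode()
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


if __name__ == "__main__":
    # Constructed sample inputs that differ in a single letter.
    changed = sha1_bits_changed(b"I owe Bob 100 dollars", b"I owe Rob 100 dollars")
    print(f"one-letter change flips {changed} of 160 digest bits")
    for bits in (16, 24, 32):
        m1, m2, attempts = find_collision(bits)
        print(f"{bits}-bit fingerprint: {m1!r} and {m2!r} collide "
              f"after {attempts} attempts")
```

Each extra 8 bits of fingerprint multiplies the search effort by roughly 16, which is why a weakness that lowers the effective strength of a hash moves a collision closer to practical reach as computers get faster.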