The Secure Hash Algorithms (SHA) is a hashing algorithm that is used to encrypt data. It's essential for any online business to understand what SHA is, how it works, and the different types available.
What is SHA Encryption?
The Secure Hash Algorithms (SHA) are a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA encryptions are used for a variety of methods including to hash data, certificate files, and other cryptographic purposes including in cryptocurrencies like bitcoin. These hashing algorithms help secure the backbone of modern internet infrastructure.
The most common SHA function families that you will encounter are SHA-1 and SHA-2:
SHA-1 is a 160-bit hash function that evolved out of work done on the MD5 algorithm. Originally, the SHA-1 hash was created by the National Security Agency (NSA) to be part of their Digital Signature Algorithm. However, cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010. As SHA-1 no longer meets today’s cybersecurity standards, SHA-2 has become the most used SHA function.
SHA-2 was developed shortly after the discovery of cost-effective brute force attacks against SHA-1. It is a family of two similar hash functions, with different block sizes, known as SHA-256 and SHA-512. The primary difference between SHA-256 and SHA-512 is the word size; SHA-256 uses 32-byte words whereas SHA-512 uses 64-byte words. There are also modified versions of each standard, known as SHA-224, SHA-384, SHA-512/224, and SHA-512/256. The most commonly used SHA function today is SHA-256, which allows for plenty of protection at current computer processing levels. SHA-2 has a Merkle–Damgård structure with Davies–Meyer compression function.
Beyond these more well-known options there are two other SHA variant families that you may encounter, SHA-0 and SHA-3:
SHA-0 is what we now call the basic version of the 160 bit or 20-byte long hash function, which was published back in 1993 under the name SHA algorithm. Use of the hash function was stopped very shortly after it was published due to the discovery of a major flaw, and after further development of the underlying theory, SHA-1 came to fruition.
SHA-3 is the SHA encryption technique that is growing the most quickly currently. It differs from other SHAs by using Keccak, a recently developed hash function. The length supported is the same as SHA-2 but significant differences remain. What makes SHA-3 different is its overall structure as it is based on a wide range of random function generation, which typically supports all random permutations, thereby allowing inputting or absorbing, as it is called, of any amount of data presented and outputting or squeezing the presented data. Doing so provides an output that is effectively pseudorandomized, and in theory more secure.
SHA-1 vs SHA-2: What Is the Difference?
The difference between SHA-1 and SHA-2 lies in the “length” or the “number of bits” that the message digest (hashed content) contains for any given input. Thus, the more the number of bits the digest has, the more difficult it is to break it using the brute force tactics that forced evolution beyond SHA-1. SHA-2 produces a 256-bit digest while the SHA-1 function produces a 160-bit digest for the same input. Due to this difference, SHA-1 offers weaker security as it sometimes gives the same digest for two different data values, while SHA-2 produces a unique digest for every data value as a large number of combinations are possible in it (2^256 possible combinations for a 256-bit function).
How Is SHA Encryption Used?
SHAs are widely used in security protocols and applications, including transport layer security (TLS), secure socket layer (SSL), digital signatures, S/MIME email certificates, PGP, and IPsec. This type of encryption is often required by law for specific US government applications like protecting sensitive data. And browser vendors, such as Google, Microsoft, or Mozilla, have started to recommend the use of SHA-3 and stop the usage of the SHA-1 algorithm.
One of the most important uses for SHAs are within SSL/TLS protocol as they are used as the hashing algorithm for digital signatures.
SSL and TLS are cryptographic protocols designed to provide a secure communication channel between clients and servers over the internet. TLS/SSL certificates are a type of X.509 certificate that are used to validate the identity of a server to a browser.
The intention behind having this type of certificate is not just to provide authentication but also to establish the identity of the remote server with which the client browser communicates. It contains the details of the web server and the key files associated with it. Certificates must contain the DNS information and not have expired to be properly accepted and create a SSL/TLS session without any security errors.
How Does SHA Encryption Work?
SHA, as the name suggests, is a hashing algorithm. Every piece of data ran through the algorithm produces a unique hash that cannot be duplicated by any other piece of data. The resulting digital signature is also unique as it depends on the hash that’s generated out of the data. For the case of the actual communication, symmetric cryptography is used, where the same key that hashes or encrypts data is used to decrypt it. This allows for the reveal of the public key without compromising the private key.
Most hashing algorithms are based upon the original MD4 hashing algorithm and thus share a similar method of operation.
The basic process behind hashing of any type– convert the input, or original message, into binary then perform a set of simple functions that operate through basic standard transistor and bus processes such as AND, XOR, NOT, Rotate and OR. The resulting hash value is a hexadecimal that is unique but meaningless. Having to perform those simple functions to properly hash a data input is part of the reason that Application Specific Chips (ASICS) can be designed that optimize hashing.
In the case of SHA-256 hashing, newly created chips have been specifically designed to increase the speed of creating a hash from an input. In the use case of bitcoin mining, this means you can calculate more hashes per second allowing for a greater chance of gaining the mined reward.
Is SHA Secure?
SHA-1 (Secure Hash Algorithm 1) dates back to 1995 and has been known to be vulnerable to theoretical attacks since 2005. The U.S. National Institute of Standards and Technology has banned the use of SHA-1 by U.S. federal agencies since 2010, and digital certificate authorities have not been allowed to issue SHA-1-signed certificates since Jan. 1, 2016, although some exemptions have been made.
However, despite these efforts to phase out the use of SHA-1 in some areas, the algorithm is still used fairly widely in a variety of areas including the validation of:
- credit card transactions
- electronic documents
- email PGP/GPG signatures
- open-source software repositories
- software updates
These exemptions present increased risk for exposure, so significant pressure has been applied to eventually move them to a more secure standard. Many browsers, such as Google Chrome, started marking any SHA-1 signed certificates as unsafe to visitors.
SHAs are, by definition, secure. However, the level of security associated with each type has increased over time as a new iteration has been developed. As we have discussed, SHA-0 has more exposed vulnerabilities than SHA-1, which has more exposed vulnerabilities than SHA-2. This trend will continue into the future as the arms race between attackers and defenders of sensitive data continues.
Which SHA Should I Use?
In order to protect the encryption of your users, you should always use the SHA that is best suited for the project that you are working on. These days, those most likely come from the SHA-2 family but there are use cases for most types. All SHA certificates are not compatible with every server so having not only an understanding of your use case needs but also your equipment is essential to creating a secure environment.
The product version of different popular servers necessary to be compatible with SHA-2 digital certificates can be found below:
- Apache Server: 2.0.63+
- IBM HTTP Server: 8.5 (Bundled with Domino 9)
- Java-based products: Java 1.4.2+
- Mozilla: NSS Based Products 3.8+
- Oracle WebLogic: 10.3.1+
As mentioned previously, SHA-256 is the most commonly used SHA function currently. However, as computer processing advances, SHA-256 will become more vulnerable to attack, similar to its previous incarnations. Making sure that you are aware of the most recent updates to the Secure Hash Algorithms is the best way to properly encrypt data without risk exposure.