Why SHA-1 is Deprecated

A Collision Waiting to Happen

SHA-1 (Secure Hash Algorithm 1) was published by NIST in 1995 and became the dominant hash function for digital signatures, TLS certificates, and version control systems like Git. For over a decade, it was considered unbreakable. However, theoretical weaknesses were identified as early as 2005, and in 2017, Google and CWI Amsterdam executed the first practical SHA-1 collision: two completely different PDF files that produced the identical hash output.

A collision means an attacker can craft a malicious file that has the exact same hash as a legitimate file. In certificate signing, this allows an attacker to forge a trusted certificate. In software distribution, a poisoned binary could pass integrity checks. The computational cost of the 2017 attack was approximately 110 GPU-years, equivalent to roughly $110,000 in cloud computing at the time, well within the budget of nation-states and criminal organizations.

All major browsers stopped trusting SHA-1 certificates by 2017. NIST formally deprecated SHA-1 for digital signatures in 2011 and recommended full retirement by 2030. Modern systems must use SHA-256 or SHA-3 as minimum replacements. Git, which still uses SHA-1 internally for commit hashes, has been gradually transitioning to SHA-256 to prevent repository poisoning attacks.
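The practical consequence of the deprecation above is that integrity and signature checks must refuse SHA-1 digests outright rather than merely "prefer" SHA-256. The following is an added example (not code from the original page or from any product it mentions) of a small manifest verifier that enforces that policy. The manifest format ("algorithm:hexdigest" per artifact) and the sample artifact bytes are constructed for this example; the only library used is Python's standard hashlib/hmac.

```python
import hashlib
import hmac
import re

# Algorithms that must never be accepted for integrity or signature checks.
DEPRECATED_ALGORITHMS = {"md5", "sha1"}
# Algorithms the verifier is willing to trust (SHA-2 and SHA-3 families).
APPROVED_ALGORITHMS = {"sha256", "sha384", "sha512", "sha3_256", "sha3_512"}

# Hypothetical manifest entry format, constructed for this example: "algo:hexdigest".
MANIFEST_LINE = re.compile(r"^(?P<algo>[a-z0-9_]+):(?P<digest>[0-9a-f]+)$")

# Constructed sample artifact standing in for a downloaded release file.
SAMPLE = b"release-1.2.3.tar.gz contents (constructed sample, not a real file)"


def manifest_entry(algo: str, data: bytes) -> str:
    """Build an "algo:hexdigest" entry the way a publisher's tooling would."""
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def verify_artifact(data: bytes, entry: str) -> str:
    """Check `data` against one manifest entry.

    Returns one of: "ok", "malformed", "deprecated", "unapproved", "mismatch".
    The algorithm is policy-checked BEFORE any hashing, so a SHA-1 entry is
    rejected even if its digest would have matched the data.
    """
    m = MANIFEST_LINE.match(entry.strip().lower())
    if not m:
        return "malformed"
    algo, expected = m.group("algo"), m.group("digest")
    if algo in DEPRECATED_ALGORITHMS:
        return "deprecated"
    if algo not in APPROVED_ALGORITHMS:
        return "unapproved"
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison: the digest is not secret, but comparing this
    # way is a harmless habit that avoids timing differences in other contexts.
    if not hmac.compare_digest(actual, expected):
        return "mismatch"
    return "ok"


if __name__ == "__main__":
    good = manifest_entry("sha256", SAMPLE)
    legacy = manifest_entry("sha1", SAMPLE)
    print("sha256 entry  :", verify_artifact(SAMPLE, good))        # ok
    print("sha1 entry    :", verify_artifact(SAMPLE, legacy))      # deprecated
    print("tampered data :", verify_artifact(SAMPLE + b"x", good)) # mismatch
```

The point of ordering the checks this way is that a deprecated algorithm is a policy failure, not a data failure: a matching SHA-1 digest proves nothing once collisions are affordable, so the verifier should not even compute it.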

Everyday Example

Imagine a wax seal used to prove a royal letter is authentic. For years, nobody could forge the seal. Then a clever counterfeiter discovered a technique to create a perfect replica using common materials. Even though the forgery technique requires expensive equipment, any wealthy adversary can now fake the king's letters. The kingdom must immediately switch to a completely new, more complex seal design that the counterfeiter's technique cannot replicate.

The Deep Mathematics

SHA-1 produces a 160-bit digest. The theoretical collision resistance is 2^80 operations (Birthday Bound). The SHAttered attack exploited differential path analysis in SHA-1's compression function, reducing the collision complexity to approximately 2^63 operations. This is feasible with modern GPU clusters. The attack constructs two distinct message blocks M and M' such that the intermediate hash states converge after processing crafted differential perturbations through the 80-round Feistel-like compression structure.
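The Birthday Bound above is the generic cost of finding a collision in any n-bit hash, with no knowledge of its internals; SHAttered's contribution was beating that bound by 2^17 using SHA-1's specific structure. The following is an added example (not from the original page) that makes the generic bound tangible: it runs a plain birthday search against SHA-1 truncated to its first 24 bits, where the expected ~2^12 attempts finish instantly, and computes the bound for the full 160-bit digest. Truncation is purely a teaching device; the inputs are constructed counter strings, and nothing here involves SHA-1's differential weaknesses.

```python
import hashlib
import math

FULL_BITS = 160  # SHA-1 digest length


def truncated_sha1(data: bytes, bits: int) -> int:
    """SHA-1 digest reduced to its first `bits` bits, as an integer.
    Shrinking the digest makes the birthday effect observable in milliseconds."""
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (FULL_BITS - bits)


def birthday_bound(bits: int) -> float:
    """Expected number of random inputs before the first collision on an
    n-bit digest: sqrt(pi/2 * 2^n), i.e. about 2^(n/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def shattered_speedup(generic_bits: int = 80, attack_bits: int = 63) -> int:
    """Work reduction from the generic 2^80 bound to SHAttered's ~2^63."""
    return 2 ** (generic_bits - attack_bits)


def find_truncated_collision(bits: int, seed: int = 0):
    """Generic birthday search: hash distinct constructed inputs, remember each
    truncated digest, stop at the first repeat. Returns (msg1, msg2, attempts)."""
    seen = {}
    counter = 0
    while True:
        msg = f"seed={seed};n={counter}".encode()  # distinct by construction
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def full_digests_differ(m1: bytes, m2: bytes) -> bool:
    """True when two inputs collide only on the truncated prefix, not on the
    full 160-bit digest (which is what a real SHA-1 collision would require)."""
    return hashlib.sha1(m1).digest() != hashlib.sha1(m2).digest()


if __name__ == "__main__":
    bits = 24
    m1, m2, attempts = find_truncated_collision(bits)
    print(f"{bits}-bit collision after {attempts} attempts "
          f"(expected ~{birthday_bound(bits):.0f}):")
    print("  ", m1, "->", hex(truncated_sha1(m1, bits)))
    print("  ", m2, "->", hex(truncated_sha1(m2, bits)))
    print("full digests differ:", full_digests_differ(m1, m2))
    print(f"160-bit bound ~ 2^{math.log2(birthday_bound(FULL_BITS)):.1f} inputs")
    print(f"SHAttered speedup over generic search: 2^{int(math.log2(shattered_speedup()))}")
```

Doubling the truncation width roughly quadruples the attempts needed, which is the 2^(n/2) curve in action; extrapolating that curve to 160 bits gives the ~2^80 figure, and the gap between that and 2^63 is why the page calls the attack feasible on GPU clusters.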

Discover how giovium protects your data

giovium leverages these very cryptographic principles to keep your passwords, files, and secrets completely safe. Try it for free on any platform.

Download giovium