This is why it may come as a surprise that all the major browser developers appear to be unanimous in the idea that SHA-1 should be abandoned completely in favor of its bigger brother, SHA-2. Why is everyone suddenly determined to phase it out by 2017, and why couldn’t both of them coexist?
To understand SHA, we have to look at the process and purpose behind hashing as a practice. A hash is a string that represents a particular piece of data but cannot stand in for it. In simpler terms, unlike with most cryptographic algorithms, you can hash a sentence but you cannot “un-hash” it. This is useful only when the destination server doesn’t need to know the content of the data. Instead, it only needs to compare the hash of your input with the hash inside its database and authenticate you when the two match. This is why hashes are so useful for storing account passwords: the server doesn’t need to know your actual password to authenticate you to a site.
Why Is SHA-1 Being Abandoned Then?
If hashes are so difficult to reconstruct into actual data, then why is everyone in such a hurry to phase SHA-1 out of existence? All of it has to do with hardware.
You see, a hash can be “hacked” if someone stumbles upon an input that produces the same hash as the value a server has in storage. If your account password has the hash b27263b7466a56b1467822108f5487422d054bbb, a hacker only needs to find another piece of text (it doesn’t necessarily have to be your password) that produces that exact value when it is hashed. It used to be extremely expensive to acquire the kind of hardware that could do this within a reasonable amount of time. In the year 2015, however, this could all be done with the help of a cluster of GPUs. As hardware becomes more powerful and cheaper, it will become so inexpensive to break SHA-1 this way that even small-time hackers and enthusiasts could feasibly do it.
To do away with the problems that have plagued SHA-1, SHA-2 was created as a family of cryptographic algorithms with the purpose of making life extraordinarily difficult for well-to-do hackers. Since browsers and hosts will stop using SHA-1 certificates, the cost of hacking an account through the above-mentioned method would be astronomical. SHA-2 uses a maximum of 512 bits in its output, giving it the space it needs to ensure that any attempt to decipher and reproduce the string would take an unreasonable amount of time. Of course, this algorithm will also be broken at some point in the future and will eventually be replaced by another one that can continue the fight.
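The relationship between output size and the effort needed to match a stored hash can be measured on a small scale. The following is an added example, not code from the original article: it keeps only the first 8, 12 and 16 bits of a SHA-1 digest and counts how many candidate inputs must be tried before one matches, which takes about 2^bits attempts on average. `STORED_INPUT` and the candidate strings are constructed sample values, and the truncation is an assumption used to make the search finish in well under a second.

```python
import hashlib
from itertools import count

# Constructed sample input standing in for the value whose hash a server stores.
STORED_INPUT = b"correct horse battery staple"


def prefix(algo: str, data: bytes, bits: int) -> int:
    """Return the first `bits` bits of the digest of `data` as an integer."""
    digest = hashlib.new(algo, data).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def find_match(algo: str, bits: int):
    """Try candidates until one matches the first `bits` bits of the stored digest.

    Returns (candidate, attempts). The candidate is a different text from
    STORED_INPUT; it only agrees with it on the truncated hash.
    """
    target = prefix(algo, STORED_INPUT, bits)
    for attempts in count(1):
        candidate = b"candidate-%d" % attempts
        if prefix(algo, candidate, bits) == target:
            return candidate, attempts


def digest_bits(algo: str) -> int:
    """Full output size of a hash algorithm, in bits."""
    return hashlib.new(algo).digest_size * 8


def main():
    # Each extra bit kept doubles the expected number of attempts.
    for bits in (8, 12, 16):
        candidate, attempts = find_match("sha1", bits)
        print(f"{bits:>2} bits kept: {candidate.decode()} matched after "
              f"{attempts} attempts (expected about {2 ** bits})")
    # Full output sizes: the same search at these sizes needs about 2^bits tries.
    for algo in ("sha1", "sha256", "sha512"):
        print(f"{algo}: full digest is {digest_bits(algo)} bits")


if __name__ == "__main__":
    main()
```

Each extra bit of output doubles the expected work, so the gap between a 160-bit digest and a 256-bit or 512-bit one is far larger than the ratio of the numbers suggests.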
For the foreseeable future, however, SHA-2 will remain the champion of the Internet.
How many more years do you think SHA-2 will remain in the ring? Are browser developers right in their decision to phase out its predecessor?