Securing information is rising in importance for organizations worldwide. Using outdated technology is extremely risky, yet many organizations continue to do so because of legacy systems that don’t allow them to upgrade, lack of resources and time to upgrade, or they are simply unaware. The commonly used SHA-1 algorithm is a perfect example of an obsolete encryption standard that should have been completely phased out long ago. So why are people talking about it today?
With over a decade of warnings about the security vulnerabilities of SHA-1, and deprecation by The National Institute of Standards and Technology (NIST) in 2011, many organizations have since phased out use of this older hash algorithm. For those remaining organizations who haven’t migrated away from SHA-1, Google’s recent public announcement of the first SHA-1 collision should motivate them to abandon this algorithm completely.
Hash algorithms are widely used for a variety of functions including authentication and digital signatures. With file transfers, the algorithm was typically utilized to verify the integrity of sent messages. Using SHA-1, files are compressed into a 160-bit message digest or hash file which is calculated both before and after transmission. On receipt, the two hash values (or signatures) for that transmission are checked to ensure the data has remained intact, as long as both values still match. If the hash values don’t match, the file was likely compromised at some point along the way.
Having two different messages that produce the same hash value should be almost impossible. However, advancements in technology and computational power since the introduction of SHA-1 have exposed its vulnerabilities. With last week’s announcement, Google has proven that systems using SHA-1 can be fooled into thinking a signature is valid when it’s not by producing the same cryptographic hash with two different files. By publicizing their work, this legacy algorithm has been rendered obsolete and insecure.
If you are still using SHA-1 to verify the integrity of file transfers, you should know that it is no longer considered a safe or secure method. Bottom line, if you still use SHA-1, it should be transitioned to a more secure standard as soon as possible.
If you’re looking to replace SHA-1, an obvious alternative would be SHA-2. The SHA-2 algorithm is a family of hash functions with values of 224, 256, 384 or 512 bits, thus providing stronger security with longer message digests. The more complex algorithms generate more potential hash combinations than were possible with SHA-1 which make the SHA-2 algorithm extremely difficult to break using today’s technology.
GoAnywhere MFT fully supports the SHA-2 algorithm for secure file transfers over SFTP and FTPS. In addition, GoAnywhere is Drummond Certified for AS2 file transfers and successfully met all requirements for the optional AS2 secure hashing algorithm 2 (SHA-2) tests.