SHA-1: What It Is & How It's Used for Data Verification

SHA-1 is a commonly used cryptographic hash function

What to Know

  • Secure Hash Algorithm 1 (SHA-1) is a kind of algorithm used to verify data authenticity.
  • Password authentication and file verification are examples of its uses.
  • A special calculator can find the SHA-1 checksum of text or a file.

This article examines what SHA-1 means and how and why it's used, plus how to generate SHA-1 checksums.

What Is SHA-1?

SHA-1 (short for Secure Hash Algorithm 1) is one of several cryptographic hash functions.

It's most often used to verify a file has been unaltered. This is done by producing a checksum before the file has been transmitted, and then again once it reaches its destination.

The transmitted file can be considered genuine only if both checksums are identical.

Picture of Einstein's general theory of relativity

David Silverman / Getty Images News / Getty Images

History and Vulnerabilities of the SHA Hash Function

SHA-1 is only one of the four algorithms in the Secure Hash Algorithm (SHA) family. Most were developed by the US National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST).

SHA-0 has a 160-bit message digest (hash value) size and was the first version of this algorithm. Its hash values are 40 digits long. It was published under the name "SHA" in 1993 but wasn't used in many applications because it was quickly replaced with SHA-1 in 1995 due to a security flaw.

SHA-1 is the second iteration of this cryptographic hash function. This one also has a message digest of 160 bits and sought to increase security by fixing a weakness found in SHA-0. However, in 2005, SHA-1 was also found to be insecure.

Once cryptographic weaknesses were found in SHA-1, NIST made a statement in 2006 encouraging federal agencies to adopt the use of SHA-2 by the year 2010, and it was officially deprecated by NIST in 2011. SHA-2 is stronger than SHA-1, and attacks made against SHA-2 are unlikely to happen with current computing power.

Not only federal agencies, but even companies like Google, Mozilla, and Microsoft have all either began plans to stop accepting SHA-1 SSL certificates or have already blocked those kinds of pages from loading.

Google has proof of a SHA-1 collision that renders this method unreliable for generating unique checksums, whether it's regarding a password, file, or any other piece of data. You can download two unique PDF files from SHAttered to see how this works. Use a SHA-1 calculator from the bottom of this page to generate the checksum for both, and you'll find the value is the exact same even though they contain different data.

SHA-2 and SHA-3

SHA-2 was published in 2001, several years after SHA-1. It includes six hash functions with varying digest sizes: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

Developed by non-NSA designers and released by NIST in 2015, is another member of the Secure Hash Algorithm family, called SHA-3 (formerly Keccak).

SHA-3 isn't meant to replace SHA-2 like the previous versions were meant to replace earlier ones. Instead, it was developed just as another alternative to SHA-0, SHA-1, and MD5.

How Is SHA-1 Used?

One real-world example where SHA-1 may be used is when you're entering your password into a website's login page. Although it happens in the background without your knowledge, it may be the method a website uses to securely verify that your password is authentic.

In this example, imagine you're trying to log in to a website you often visit. Each time you request to log on, you're required to enter your username and password.

If the website uses the SHA-1 cryptographic hash function, it means your password is turned into a checksum after you enter it in. That checksum is then compared with the checksum that's stored on the website that relates to your current password, whether you haven't changed your password since you signed up or if you just changed it moments ago. If the two match, you're granted access; if they don't, you're told the password is incorrect.

Another example where this hash function may be used is for file verification. Some websites will provide the checksum of the file on the download page so that when you download it, you can check the checksum for yourself to ensure that the downloaded file is the same as the one you intended to download.

You might wonder where a real use is in this type of verification. Consider a scenario where you know the SHA-1 checksum of a file from the developer's website, but you want to download the same version from a different website. You could then generate the SHA-1 checksum for your download and compare it with the genuine checksum from the developer's download page.

If the two are different, it not only means the file's contents aren't identical, but there could be hidden malware in the file, the data could be corrupted and cause damage to your computer files, the file isn't anything related to the real file, etc.

However, it could also just mean that one file represents an older version of the program than the other, since even that little of a change will generate a unique checksum value.

You may also want to check that the two files are identical if you're installing a service pack or some other program or update, because problems occur if some of the files are missing during installation.

SHA-1 Checksum Calculators

A special kind of calculator can be used to determine the checksum of a file or group of characters.

For example, SHA1 Online is a free online tool that can generate the SHA-1 checksum of any group of text, symbols, and/or numbers. It will, for example, generate this pair:


That same website has the SHA1 File Checksum tool if you have a file instead of text.

Was this page helpful?