What Is SHA-1?

Definition of SHA-1 and How It's Used to Verify Data

Picture of Einstein's general theory of relativity
© David Silverman / Getty Images News / Getty Images

SHA-1 (short for Secure Hash Algorithm 1) is one of several cryptographic hash functions.

SHA-1 is most often used to verify that a file has been unaltered. This is done by producing a checksum before the file has been transmitted, and then again once it reaches its destination.

The transmitted file can be considered genuine only if both checksums are identical.

History & Vulnerabilities of the SHA Hash Function

SHA-1 is only one of the four algorithms in the Secure Hash Algorithm (SHA) family.

Most were developed by the US National Security Agency (NSA) and published by the National Institute of Standards and Technology (NIST).

SHA-0 has a 160-bit message digest (hash value) size and was the first version of this algorithm. SHA-0 hash values are 40 digits long. It was published as the name "SHA" in 1993 but wasn't used in many applications because it was quickly replaced with SHA-1 in 1995 due to a security flaw.

SHA-1 is the second iteration of this cryptographic hash function. SHA-1 also has a message digest of 160 bits and sought to increase security by fixing a weakness found in SHA-0. However, in 2005, SHA-1 was also found to be insecure.

Once cryptographic weaknesses were found in SHA-1, NIST made a statement in 2006 encouraging federal agencies to adopt the use of SHA-2 by the year 2010. SHA-2 is stronger than SHA-1 and attacks made against SHA-2 are unlikely to happen with current computing power.

Not only federal agencies, but even companies like Google, Mozilla, and Microsoft have all either began plans to stop accepting SHA-1 SSL certificates or have already blocked those kinds of pages from loading.

Google has proof of a SHA-1 collision that renders this method unreliable for generating unique checksums, whether it's regarding a password, file, or any other piece of data.

You can download two unique PDF files from SHAttered to see how this works. Use a SHA-1 calculator from the bottom of this page to generate the checksum for both, and you'll find that the value is the exact same even though they contain different data.

SHA-2 & SHA-3

SHA-2 was published in 2001, several years after SHA-1. SHA-2 includes six hash functions with varying digest sizes: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256.

Developed by non-NSA designers and released by NIST in 2015, is another member of the Secure Hash Algorithm family, called SHA-3 (formerly Keccak).

SHA-3 isn't meant to replace SHA-2 like the previous versions were meant to replace earlier ones. Instead, SHA-3 was developed just as another alternative to SHA-0, SHA-1, and MD5.

How Is SHA-1 Used?

One real-world example where SHA-1 may be used is when you're entering your password into a website's login page. Though it happens in the background without your knowledge, it may be the method a website uses to securely verify that your password is authentic.

In this example, imagine you're trying to login to a website you often visit. Each time you request to log on, you're required to enter in your username and password.

If the website uses the SHA-1 cryptographic hash function, it means your password is turned into a checksum after you enter it in. That checksum is then compared with the checksum that's stored on the website that relates to your current password, whether you haven't changed your password since you signed up or if you just changed it moments ago. If the two match, you're granted access; if they don't, you're told the password is incorrect.

Another example where the SHA-1 hash function may be used is for file verification. Some websites will provide the SHA-1 checksum of the file on the download page so that when you download the file, you can check the checksum for yourself to ensure that the downloaded file is the same as the one you intended to downloaded.

You might wonder where a real use is in this type of verification. Consider a scenario where you know the SHA-1 checksum of a file from the developer's website but you want to download the same version from a different website. You could then generate the SHA-1 checksum for your download and compare it with the genuine checksum from the developer's download page.

If the two are different then it not only means that the file's contents are not identical but that there could be hidden malware in the file, the data could be corrupted and cause damage to your computer files, the file isn't anything related to the real file, etc.

However, it could also just mean that one file represents an older version of the program than the other since even that little of a change will generate a unique checksum value.

You may also want to check that the two files are identical if you're installing a service pack or some other program or update because problems occur if some of the files are missing during installation.

See How to Verify File Integrity in Windows With FCIV for a short tutorial on this process.

SHA-1 Checksum Calculators

A special kind of calculator can be used to determine the checksum of a file or group of characters.

For example, SHA1 Online and SHA1 Hash are free online tools that can generate the SHA-1 checksum of any group of text, symbols, and/or numbers.

Those websites will, for example, generate the SHA-1 checksum of bd17dabf6fdd24dab5ed0e2e6624d312e4ebeaba for the text pAssw0rd!.

See What Is a Checksum? for some other free tools that can find the checksum of actual files on your computer and not just a string of text.