What Is a Secure Hash Algorithm?

A secure hash algorithm, often known simply as an “SHA,” is a hashing algorithm that is considered cryptographically secure. In general, hashing functions are used to sort and organize digital data into smaller, more categorized packets. Algorithms are the programs that drive the functions, and the security of these algorithms matters insofar as it controls how easily the data can be unlocked and rearranged. How secure things need to be usually depends on the circumstances. Many software and code developers want impenetrable algorithms because their methods of sorting topics and drawing connections is proprietary, and they’re using it to make money. In other cases the data itself is highly sensitive, as is often the case with things like medical records or certain government documents. The actual mechanics of SHAs tend to be very complicated, and at least some degree of technical savvy is usually required to fully grasp how they work and how they’re developed. Like most things technological, there’s been an upward evolution in development, too; earlier models have largely been replaced, and newer, more secure designs are almost constantly being introduced.

The modern digital landscape contains hundreds of millions of data points, all of which occupy a web of interconnectedness and points in common, both across websites and in the social sphere when it comes to messages and postings generated by users. Hashing is one way to amalgamate data that is similar or related such that it forms something of a compendium or a smaller, more inter-related “web within a web.” Secure hashing algorithms seek to do this organizing in an efficient and secure way.

The original data, once hashed by an SHA, typically cannot be reconstructed without a tremendous amount of computing power. Secure algorithms are often used in combination with other algorithms to authenticate messages, including digital signatures.

Some network routers and firewalls implement SHAs directly in their hardware. This allows data packets to be authenticated with limited impact on throughput. Specially designed software is another option, including many open source implementations. For instance, the US National Institute of Standards and Technology (NIST) and the Canadian Communications Security Establishment (CSE) jointly run the Cryptographic Module Verification Program (CMVP). This official program certifies the correct operation of secure algorithm implementations for sensitive applications.

The US government has standardized at least six secure hash algorithms. SHA-0 and SHA-1 were the earliest models developed in the 1990s. The SHA-2 series developed in the 2000s included SHA-224, -256, -384 and -512. These are designed such that two documents with different contents generally produce two unique sets of hash values, which is really helpful in terms of avoiding hash collisions.

The SHA-0 algorithm, first published in 1993 by the NIST, was quickly discontinued after a significant weakness was found. It was replaced by SHA-1 in 1995, which includes an extra computational step that addresses the undisclosed problems of SHA-0. Both algorithms hash a message of up to 2⁶⁴-1 bits into a 160-bit "digest." Both utilize a block size of 512 bits and a word size of 32 bits in their operation.

SHA-1 is used in some common Internet protocols and security tools. These include IPsec, PGP, SSL, S/MIME, SSH and TLS. SHA-1 is also typically used as part of the protection scheme for unclassified government documents. Some parts of the private sector utilize this algorithm for certain sensitive information as well. It was formally retired from general government use in 2010, however.

SHA-224, -256, -384 and -512 were published by the NIST between 2001 and 2004. These four algorithms, also known as the SHA-2 family, are generally more robust than SHA-1. SHA-224 and SHA-256 utilize the same block, word and maximum input message sizes as SHA-1. In contrast, SHA-224 produces a 224-bit digest, while SHA-256 creates a 256-bit digest. SHA-384 and SHA-512 increase the block size to 1024 bits, the word size to 64 bits, and the maximum input message length to 2¹²⁸-1 bits. The digest produced by SHA-384 is 384 bits long, while the SHA-512 digest contains 512 bits.

Like SHA-0 and SHA-1, the SHA-2 family was designed by the US National Security Agency (NSA). Although serious flaws have not been publicly disclosed in SHA-2, NIST has opened a competition to develop the next secure hash algorithm. This new algorithm, to be called SHA-3, is likely to be chosen from a collection of public entries. It is expected to be a new design, not based on the existing algorithms.