What Is the Difference Between SHA and SHA-1 Encryption?

By Ellis Davidson

SHA is an acronym for Secure Hash Algorithm, an encryption standard invented by the National Security Agency and published by the National Institutes of Standards and Technology. The original SHA algorithm was found to have weaknesses in its encryption methods, and was replaced with SHA-1 for stronger security.

Secure Hash Algorithm

SHA is a cryptographic hash function. A hash function takes an initial unencrypted text, called the plaintext, and produces a theoretically unique number that constitutes the encrypted message. SHA creates a 160-bit number, which is a number between 0 and 1.46 x 10^48. It is not possible for this number to be guaranteed unique for all possible plaintext messages, as the number of such messages is theoretically infinite, but the odds are approximately 2^80, or 1.21 x 10^24, against two messages producing the same encrypted result. If this does occur, this is called a collision. A collision provides a mathematical attack on an encryption algorithm, making it possible for a cryptographer to decrypt the plaintext.

SHA-0 and SHA-1

After its publication, flaws in the original SHA algorithm were discovered that allowed for a cryptographic attack to produce hash collisions, severely weakening its effectiveness. A revised SHA version, SHA-1, was developed that created the same 160-bit results without the original flaws in the algorithm. The original SHA was retroactively renamed SHA-0 to distinguish between its use and SHA-1 usage.

Changes in SHA-1

The original flaws in SHA-0 have never been published, as these flaws provide a toolkit for any attacker attempting to decrypt a message using SHA-0 encryption. The only public information about the weaknesses in the original algorithm indicates that hash collisions are more likely than from random chance when using SHA-0, and that collisions using the unpublished method are eliminated when using SHA-1. As SHA-1 and SHA-0 produce mathematical results of the same length, SHA-1 can be used as a drop-in replacement in computer software for the original SHA-0 algorithm without requiring major rewrites in the rest of the software.

SHA-2 and SHA-3

SHA-1 has been found to be more robust than SHA-0, but leaves room for improvement. A mathematical analysis of SHA-1 results demonstrated a method by which SHA-1 encryption could by broken 2,000 times faster than would be theoretically possible by checking all 10^48 possible combinations of its output. As an ideal cryptographic algorithm prevents decryption speed improvements of this kind, the SHA-2 algorithm both avoids this attack and increases the possible hash size to 512-bit, or 1.34 x 10^154. SHA-3, a still-more powerful encryption algorithm, is currently in development.