I read that SHA-1 is being retired from the FIPS 180-2 standard.
Apparently there are weaknesses in SHA-1 that led to this decision. Can anyone elaborate on the basis for that decision? Are there implications for the use of SHA-1 in commercial applications?
My real questions are:
Interested in mainstream platforms: .NET, Java, C/C++, Python, Javascript, etc.
Sha1, Sha0, md4 and md5 have all been found to be insecure over the past few years. The problem is that if an attacker can generate 2 different messages that produce the same resulting hash, this is called a collision. This causes a lot of problems for PKI's, password management, file integrity checks and more. Currently sha1 only provides 2^52 bits of security which is within reach of attackers. Where as SHA-256 (smallest member of the sha2 family) is provides 2^256 bits.
All platforms should have a SHA-256 implementation, although not all of them are native. In PHP you have to use the mhash extension. Its rather baffling that some platforms don't provide secure hash functions, I honestly believe its because they don't care about secuirty. In the case of PHP I know for a fact that they don't care about secuirty.
Currently there is nothing wrong with SHA-2 and it has a very large margin of safety. You can use SHA-512 if you are really paranoid. Sha-3 will be out in 2012, you should patch whatever you can with sha-2 like your PASSWORDS, and then move to SHA-3 when you can but SHA-512 will be good for a VERY long time.
Windows Vista and later supports SHA-2 in the Microsoft Enhanced RSA and AES Cryptographic Provider for CryptoAPI, and the .NET Framework has supported SHA-2 since .NET 1.1.
Most platforms now support the SHA-2 family. However, SHA-1 is still used in many applications, like SSL, and will be in use for a while.
A competition for "SHA-3" is well underway. It might be reasonable to jump from SHA-1 to the new SHA-3 standard when it arrives.