SHA-1

SHA-1 (for Secure Hash Algorithm 1) is a cryptographic hashing algorithm developed by the NSA that transforms a variable-size data entry into a fixed 160-bit fingerprint (40 hexadecimal characters). This fingerprint is designed to be unique and deterministic: the same entry will always produce the same hash, this ensures the integrity of the initial data (a file or a message).

The SHA-1 algorithm takes a string of data and runs it through several processing steps (bit additions, chunking, logical operations, and rotations). The algorithm uses non linear functions, here are the 3 main ones:

$$ C(x,y,z) = (x \wedge y) \vee (\lnot x \wedge z) \\ P(x,y,z) = x \oplus y \oplus z \\ M(x,y,z) = (x \wedge y) \vee (x \wedge z) $$

With $ x,y,z $ portions of string to encode or fixed values among 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 (and others)

These operations are designed so that any change in the input results in a significant change in the fingerprint, making it difficult to predict the outcome.

As encryption is a hashing based on nonlinear functions, there is no decryption method. This means that to retrieve the password corresponding to a sha-1 hash, there is no choice but to try all possible passwords!

Technically, this operation would take several thousand years, even on the most powerful computers in the world. However, the list of passwords used in real life is more restricted, and it becomes possible to precalculate the most likely fingerprints.

dCode uses its word databases (10 million potential passwords) to speed up this processing. However, if the password is rare, or combined with salting, it will probably not be found.

The hash is composed of exactly 40 hexadecimal characters among 0123456789abcdef.

More rarely the hash is stored as a 20-byte binary string.

The database search can be complicated by inserting a salt to the word. The salt is usually a prefix or a suffix. Indeed, if it is already difficult but possible to precalculate the fingerprints of all the words, it becomes even more difficult to precalculate with all possible prefixes and suffixes.

Another (not recommended) variant is DOUBLE SHA1, that consists in applying SHA1 twice (the first time on the original string, then the second time on the computed hash).

A rainbow table is a database of words with all the pre-computed hashes and stored in order to accelerate and be able to parallelize the calculations of fingerprints.

List of magic SHA-1 hashes:

Bonus magic SHA-1 like string that can also be evaluated at 0: 0e00000000000000000000081614617300000000 or 0e00000000000000000000721902017120000000

The SHA-1 algorithm was widely used before security flaws limited its use in contexts requiring high security.

In 2017, a team of researchers from Google and CWI Amsterdam publicly demonstrated a practical SHA-1 collision, named SHAttered here

These flaws allow an attacker to create two different messages with the same hash, bypassing the integrity guarantees offered by the hash function.

More robust algorithms such as SHA-256 or SHA-3 are now recommended.

SHA1 stands for Secure Hash Algorithm (version 1)

SHA1 was proposed by the National Security Agency in 1995.