News

SHA-1 hash function should not be used

Date: 2019.05.28



In view of information about the weaknesses of the SHA-1 algorithm (SHA-160), since July 1, 2018, we have not recommended using this hash function for signatures. A hash function of at least SHA-256 should be used for signatures and electronic seals. As a qualified trust service provider, KIR is not responsible for signatures made using the SHA-1 hash function.

We recommend extreme caution when verifying signatures submitted in the past that use the SHA-1 hash function. Known attacks create the danger that a hash value matching the hash value in a genuine signature can be produced for modified document content.

To verify the signatures received, we recommend using signature verification applications that provide information about the hash function algorithm used for signing. With this information, you can decide whether to accept or reject a given signature.
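The check described above, sketched for XML signatures (XML-DSig/XAdES). This is an added example, not KIR's software; the signature format, the constructed skeleton documents and the accept/reject policy (only SHA-256, SHA-384 and SHA-512 pass, anything unrecognised is rejected) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ACCEPTED = {"sha256", "sha384", "sha512"}  # assumed policy: "at least SHA-256"

# Standard W3C / RFC 4051 algorithm identifiers
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

def hash_name(uri):
    """Hash named in an algorithm URI, e.g. '...#rsa-sha1' -> 'sha1'; None if absent."""
    m = re.search(r"sha\d+", uri.rsplit("#", 1)[-1].lower())
    return m.group(0) if m else None

def audit_signature(xml_text):
    """Return (accept, findings) covering every ds:Signature in the document.

    Both the signature algorithm and every reference digest are checked: a
    signature made with RSA-SHA256 over a SHA-1 reference digest still rests
    on SHA-1. Unknown algorithms and unsigned documents fail closed.
    """
    # For untrusted input, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter(DS + "Signature"):
        for tag in ("SignatureMethod", "DigestMethod"):
            for el in sig.iter(DS + tag):
                uri = el.get("Algorithm", "")
                name = hash_name(uri)
                findings.append((tag, uri, name, name in ACCEPTED))
    accept = bool(findings) and all(ok for *_, ok in findings)
    return accept, findings

def sample(sig_alg, digest_alg):
    """Constructed skeleton signature (no real key material or values)."""
    return f"""<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI=""><ds:DigestMethod Algorithm="{digest_alg}"/></ds:Reference>
  </ds:SignedInfo>
</ds:Signature>"""

if __name__ == "__main__":
    for doc in (sample(RSA_SHA256, SHA256), sample(RSA_SHA256, SHA1)):
        accept, findings = audit_signature(doc)
        print("ACCEPT" if accept else "REJECT")
        for tag, uri, name, ok in findings:
            print(f"  {tag}: {name or 'unknown'} ({uri}) {'ok' if ok else 'WEAK'}")
```

This only reports which algorithms a signature declares; it does not validate the signature value or the certificate chain, which remains the job of the verification application.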

As regards the time-stamping service, KIR does not accept time-stamp requests signed using the SHA-1 function and containing a document digest generated with the use of the SHA-1 hash function.
