Let’s talk about SHA1 vs SHA2 — or SHA-1 vs SHA-2, as you may more frequently see them written.
For some of you, when you hear “SHA,” you may think of the dark, physical manifestations of negative emotions from a popular online game (World of Warcraft). For others who aren’t major MMORPG players, you likely think of SHA-1 and SHA-2 hash algorithms.
Technically, both are right. But the SHA we’re going to be talking about is the one relating to hashing.
What is a SHA and What Does It Have to Do with Hashing?
In a word? Everything. SHA stands for “Secure Hash Algorithm.” A hashing algorithm is a mathematical function that takes data of any size and condenses it down to a short string of numbers and/or letters (the hash value). Unlike encryption, which can be decrypted from ciphertext back to its original text, a hash is a one-way cryptographic function.
The Difference Between SHA1 and SHA2 Certificates
So, when we talk about the SHA-1 or SHA-2 signing algorithm, what’s the difference between them, and which is better? Basically, SHA-1 and SHA-2 are two different variations of the SHA algorithm, and both were created by the U.S. government. And, as you can likely guess, SHA-2 is the newer of the two algorithms.
Yeah, the “1” and the “2” in the names kind of gives those points away, right?
Anyhow, although they’re two variations of the same algorithm, they do have some technical differences worth mentioning.
Breaking Down the Values: SHA1 vs SHA2
SHA-1 is a 160-bit (20 byte) hash that is represented by a 40-digit hexadecimal string. SHA-2, on the other hand, is a family of six different hash functions that generate hash values of varying lengths — 224, 256, 384, or 512 bits. However, it’s important to note that these other hash functions are not as frequently seen as the 256-bit one. For example, the 224-bit variety isn’t strong enough for publicly trusted SSL certificates, and its big brother, the 512-bit variation, isn’t widely supported by software. The most popular SHA-2 algorithm is SHA-256.
It’s like the example of the three little bears: SHA-224 is baby bear, and SHA-512 is papa bear. The first is too small and the latter is too large.
Mama bear, SHA-256? She’s just right. Yeah, moving on.
The basic difference between SHA-1 and SHA-512 is the length of the hash values the two algorithms generate: SHA-1 produces a 160-bit hash value, while SHA-512 produces a 512-bit hash value, which makes SHA-512 a much more secure algorithm.
SHA-2 is what you’re going to find with all end-user SSL/TLS certificates. In some cases, though, you’ll see that intermediate certificates may still use SHA-1. This is not an exploitable vulnerability, so CAs are switching intermediates to SHA-2 as the SHA-1 certificates expire.
Unlike SHA-1, SHA-2 has not been compromised and will likely remain uncompromised for at least the next few years.
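To make the size comparison concrete, here is an added example (not code from the original post) that hashes a constructed message with SHA-1 and the four SHA-2 members named above, reports the digit and bit lengths, shows the one-way “no hint of the input” behaviour by flipping a single input bit, and flags SHA-1 entries in a constructed list of certificate-chain signature algorithm names.

```python
"""SHA-1 vs the SHA-2 family: digest sizes, avalanche, and chain audit.

Added example, not from the original post. The sample message and the
certificate-chain algorithm names are constructed for illustration.
"""
import hashlib

# Hash functions discussed in the article; all are guaranteed in hashlib.
ALGORITHMS = ("sha1", "sha224", "sha256", "sha384", "sha512")


def digest_profile(algorithm: str, data: bytes) -> dict:
    """Return the digest of `data` plus the size facts the article compares."""
    digest = hashlib.new(algorithm, data).digest()
    bits = len(digest) * 8
    return {
        "algorithm": algorithm,
        "hex": digest.hex(),
        "hex_digits": len(digest) * 2,  # SHA-1 -> 40, SHA-256 -> 64
        "bits": bits,
        "output_space": 2 ** bits,      # 2^160 for SHA-1, 2^256 for SHA-256
    }


def changed_bits(algorithm: str, data: bytes) -> int:
    """Flip one input bit and count how many digest bits change.

    A one-way hash leaks nothing about its input: a single-bit change
    should alter roughly half of the output bits (the avalanche effect).
    """
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    a = int.from_bytes(hashlib.new(algorithm, data).digest(), "big")
    b = int.from_bytes(hashlib.new(algorithm, flipped).digest(), "big")
    return bin(a ^ b).count("1")


def sha1_signed(chain_signature_algorithms):
    """Positions in a chain whose signature algorithm name still uses SHA-1.

    Takes the names a certificate viewer reports, e.g.
    'sha1WithRSAEncryption' or 'sha256WithRSAEncryption'.
    """
    return [i for i, name in enumerate(chain_signature_algorithms)
            if name.lower().startswith("sha1")]


if __name__ == "__main__":
    message = b"SHA1 vs SHA2"  # constructed sample input
    for name in ALGORITHMS:
        p = digest_profile(name, message)
        print(f"{name:6} {p['bits']:3} bits / {p['hex_digits']:3} hex digits: {p['hex']}")
        print(f"       one flipped input bit changed {changed_bits(name, message)} digest bits")
    # Constructed chain order: leaf, intermediate, root.
    chain = ["sha256WithRSAEncryption", "sha1WithRSAEncryption", "sha1WithRSAEncryption"]
    print("SHA-1 signed chain positions:", sha1_signed(chain))
```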
Let’s finish up with a side-by-side comparison of SHA1 vs SHA2:
| | SHA-1 | SHA-2 |
| --- | --- | --- |
| Years During Which the Algorithm Was Considered the Industry Standard | 2011-2015 | Since 2016 |
| Other Names | N/A | SHA-256, SHA-256 Bit |
| How Many Possible Hashing Combinations Does It Have? | 2^160 | 2^256 possible combinations |
| Single Hash or Family of Algorithms | Single hash: 160-bit | Family of hash functions: 224, 256, 384, and 512 bits |