---
title: "SHA-1 — AP Cybersecurity Definition & Exam Guide"
description: "SHA-1 is a cryptographic hash function that turns data into a fixed 160-bit fingerprint. Learn why it's broken, how it differs from MD5 and SHA-256, and how it shows up on the AP Cybersecurity exam."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/sha-1"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 5"
---

# SHA-1 — AP Cybersecurity Definition & Exam Guide

## Definition

SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that converts any input into a fixed 160-bit (40-character hex) output, used to verify data integrity. It's now considered broken because researchers found practical collisions, so it's been replaced by SHA-256.

## What It Is

SHA-1 is a **[cryptographic hash function](/ap-cybersecurity/key-terms/cryptographic-hash-function "fv-autolink")**. Feed it any amount of data, a [password](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink"), a file, a whole movie, and it spits out a fixed-length 160-bit value (40 hexadecimal characters). That output is sometimes called a digest or a fingerprint. The same input always produces the same output, and even a tiny change to the input completely scrambles the result.

Here's the key thing about hashing versus encryption: hashing is a **one-way** process. You can't run SHA-1 backward to recover the original data, which is exactly why it's used to check integrity rather than to hide information you'll need later. If two files produce the same SHA-1 digest, they're supposed to be identical. The problem is that researchers proved you *can* deliberately craft two different inputs that hash to the same value (a [collision](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7 "fv-autolink")), which means SHA-1 no longer guarantees integrity. That's why it's deprecated and replaced by SHA-256.

## Why It Matters

SHA-1 lives in **[Unit 5](/ap-cybersecurity/unit-5 "fv-autolink"): Securing Applications and Data**, specifically **Topic 5.3, Protecting Stored Data with Cryptography**. It supports **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 5.3.A**, explaining how cryptography protects data. The broader point of EK 5.3.A.1 is that cryptography's job is to hide and protect information, and a cryptographic algorithm defines a repeatable process. SHA-1 is your concrete example of a hashing algorithm, the family that protects *integrity* (proving data hasn't changed) rather than *confidentiality* (keeping data secret). Knowing SHA-1's weakness teaches a bigger AP lesson: cryptographic algorithms have lifespans, and once an attack is practical, you migrate to a stronger standard.

## Connections

### [Cryptographic hash function (Unit 5)](/ap-cybersecurity/key-terms/cryptographic-hash-function)

SHA-1 is one specific member of this larger family. The family rule is one-way, fixed-length output that changes drastically if the input changes even slightly. Learn the general concept first, then SHA-1 is just a named instance of it.

### [SHA-256 (Unit 5)](/ap-cybersecurity/key-terms/sha-256)

[SHA-256](/ap-cybersecurity/key-terms/sha-256 "fv-autolink") is SHA-1's stronger successor, producing a 256-bit digest instead of 160 bits. It's the algorithm that replaced SHA-1 once SHA-1 collisions became practical, so think of them as old version and current version of the same idea.

### [Collision resistance (Unit 5)](/ap-cybersecurity/key-terms/collision-resistance)

This is the property SHA-1 lost. A [hash](/ap-cybersecurity/key-terms/hash "fv-autolink") function is collision resistant when nobody can find two different inputs with the same digest. SHA-1's downfall is the textbook example of what happens when collision resistance breaks.

### [AES (Unit 5)](/ap-cybersecurity/key-terms/aes)

AES (EK 5.3.B.1) is the contrast that makes hashing click. AES is two-way [encryption](/ap-cybersecurity/key-terms/encryption "fv-autolink") you reverse with a key to get your data back, while SHA-1 is one-way with no key and no way back. Same unit, opposite jobs.

## On the AP Exam

Expect SHA-1 to show up in multiple-choice questions about hashing versus encryption and about data integrity. A common stem describes verifying that a downloaded file wasn't tampered with and asks which tool fits, the answer points to a hash like SHA-1 or SHA-256, not an encryption algorithm like AES. You should be able to state that hashing is one-way, that SHA-1 produces a fixed 160-bit output, and that SHA-1 is no longer secure because collisions exist. No released FRQ uses SHA-1 verbatim, but the integrity-versus-confidentiality distinction it illustrates is exactly the kind of reasoning Topic 5.3 questions reward.

## SHA-1 vs MD5

MD5 and SHA-1 are both older, now-broken hash functions, which is why people mix them up. The quick difference is output size: MD5 produces a 128-bit digest, SHA-1 produces a 160-bit digest. Both have known collision attacks and both have been replaced by SHA-256. If a question asks for the larger, slightly newer one of the two, that's SHA-1.

## Key Takeaways

- SHA-1 is a cryptographic hash function that turns any input into a fixed 160-bit (40 hex character) output.
- Hashing like SHA-1 is one-way, so unlike AES encryption you cannot reverse it to recover the original data.
- SHA-1 is used to verify data integrity, not to keep data secret.
- SHA-1 is considered broken because researchers found practical collisions, meaning two different inputs can produce the same digest.
- SHA-256 replaced SHA-1, producing a longer 256-bit digest that is far more collision resistant.

## FAQs

### What is SHA-1 in AP Cybersecurity?

SHA-1 is a cryptographic hash function that takes any input and produces a fixed 160-bit digest used to check whether data has changed. It appears in Unit 5, Topic 5.3, as an example of how cryptography protects stored data.

### Is SHA-1 still secure?

No. SHA-1 is considered broken because researchers demonstrated practical collisions, two different inputs producing the same hash, which destroys its integrity guarantee. It has been replaced by SHA-256.

### How is SHA-1 different from AES?

SHA-1 is a one-way hash that protects integrity and cannot be reversed, while AES is two-way encryption that uses a key to scramble and later unscramble data for confidentiality. They solve opposite problems even though both fall under cryptography in Unit 5.

### What's the difference between SHA-1 and MD5?

Both are older, now-broken hash functions, but MD5 produces a 128-bit digest and SHA-1 produces a longer 160-bit digest. Both have known collisions and have been replaced by SHA-256.

### Can you decrypt SHA-1?

No, because SHA-1 isn't encryption, it's hashing. Hashing is one-way by design, so there's no key and no way to run it backward to recover the original input.

## Related Study Guides

- [5.3 Protecting Stored Data with Cryptography](/ap-cybersecurity/unit-5/protecting-stored-data-with-cryptography/study-guide/pVI6SOT7HBVhSMIqKTXG)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/sha-1#resource","name":"SHA-1 — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/sha-1","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/sha-1#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:30.411Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/sha-1#term","name":"SHA-1","description":"SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that converts any input into a fixed 160-bit (40-character hex) output, used to verify data integrity. It's now considered broken because researchers found practical collisions, so it's been replaced by SHA-256.","url":"https://fiveable.me/ap-cybersecurity/key-terms/sha-1","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.3, LO 5.3.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 5, Topic 5.3, LO 5.3.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is SHA-1 in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"SHA-1 is a cryptographic hash function that takes any input and produces a fixed 160-bit digest used to check whether data has changed. It appears in Unit 5, Topic 5.3, as an example of how cryptography protects stored data."}},{"@type":"Question","name":"Is SHA-1 still secure?","acceptedAnswer":{"@type":"Answer","text":"No. SHA-1 is considered broken because researchers demonstrated practical collisions, two different inputs producing the same hash, which destroys its integrity guarantee. It has been replaced by SHA-256."}},{"@type":"Question","name":"How is SHA-1 different from AES?","acceptedAnswer":{"@type":"Answer","text":"SHA-1 is a one-way hash that protects integrity and cannot be reversed, while AES is two-way encryption that uses a key to scramble and later unscramble data for confidentiality. They solve opposite problems even though both fall under cryptography in Unit 5."}},{"@type":"Question","name":"What's the difference between SHA-1 and MD5?","acceptedAnswer":{"@type":"Answer","text":"Both are older, now-broken hash functions, but MD5 produces a 128-bit digest and SHA-1 produces a longer 160-bit digest. Both have known collisions and have been replaced by SHA-256."}},{"@type":"Question","name":"Can you decrypt SHA-1?","acceptedAnswer":{"@type":"Answer","text":"No, because SHA-1 isn't encryption, it's hashing. Hashing is one-way by design, so there's no key and no way to run it backward to recover the original input."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 5","item":"https://fiveable.me/ap-cybersecurity/unit-5"},{"@type":"ListItem","position":4,"name":"SHA-1"}]}]}
```
