SHA1 VS RSA: what's the difference between them?

Fundamentally different.

SHA1 is a hash algorithm, which is a one way function, turning an input of any size into a fixed-length output (160 bit in this case). A cryptographic hash function is one for which it should not be possible to find two inputs giving the same output except by brute force (for instance, with a 128-bit function you should need to try on average 2^64 message to find such a "collision" due to something called the birthday paradox - Google it for more).

In fact for SHA1 this is no longer the case - the algorithm is (in cryptographic terms at least) broken now, with a collision attack described by Xiaoyun Wang et al that beats a classic birthday attack. The SHA2 family is not broken, and a process is underway by NIST to agree on a SHA3 algorithm or family of algorithms.

Edit - Google have now generated and published an actual SHA1 collision.

RSA is an asymmetric encryption algorithm, encrypting an input into an output that can then be decrypted (contrast a hash algorithm which can't be reversed). It uses a different key for encryption (the public one) than for decryption (the private one). This can therefore be used to receive encrypted messages from others - you can publish your public key, but only you with the private key can then decrypt the messages that have been encrypted with it.

If you reverse the keys for RSA, it can be used to generate a digital signature - by encrypting something with your private key, anyone can decrypt it with the public key and, if they are sure the public key belongs to you, then they have confidence that you were the one who encrypted the original. This is normally done in conjunction with a hash function - you hash your input, then encrypt that with your private key, giving a digital signature of a fixed length for your input message.


Answers before are already sufficient explanations. But i think you ask this question just because SHA and RSA often come out together.So let me explain why.

First,keep in mind that

RSA is not efficient, but SHA is.

Suppose you download Windows 7, and want to make sure if it's original Windows 7 from Microsoft. If Microsoft just encrypts Windows 7 by RSA, it will takes a really long time to do that we can't stand it at all. So Microsoft uses SHA1 on Windows 7 and generates a 160 bits long data. And then Microsoft sign this 160 bits long data with RSA (use its private key).

Then, all you need to do is that make sure your public key is from Microsoft. And then use SHA1 to generate a 160 bits long data too. And then use public key of RSA to decrypt the signature of Microsoft. Then you just compare the two 160 bits long data to see if they match.


SHA1 is a hashing algorithm (Document and certification signing) while RSA is an encryption/decryption algorithm (Secure communications).