The SHA1 (Secure Hash Algorithm 1) cryptographic hash function is used togenerate hashes for verifying the authenticity of thedigital content. Despite a decade of warnings about thelack of security and the availability of better and stronger alternatives, SHA1 remains a widely used hash function apparently, no longer.SHA1 is now officially dead
SHA1 hashing function was designed by the National Security Agency (NSA) and its algorithm was first published in 1995. Cryptoanalysts first found theoretical flaws in the algorithm in 2005 that could be used to break SHA1 via collision attacks. The function was then officially deprecated in 2011 due to security weaknesses demonstrated in various analyses and theoretical attacks.However, it remainswidely used despite repeated warnings.
Security researchers at the CWI institute in Amsterdam working with Google Research have now made sure that the hashing function will finally (and hopefully) die. The team wrote a paper demonstrating they have found a faster way to compromise theSHA-1 algorithm. The research team called it “the first practical technique for generating a collision.”What’s a collision attack
Collision attacks are used to describe when an attacker generates afile that has the same SHA1 hash of another, legitimate file. This means two different files or messagesproduce the same cryptographic hash, allowing an attacker to deceive a system into accepting a malicious file in place of the legitimate file without raising any suspicions.
“Our work shows that it is now practical to find collisions for SHA1 and that thus it is not secure to use for digital signatures, file integrity, and file identification purposes,” Marc Stevens, the security researcher said. “Everyone should migrate to safe standards before real-world attacks happen, not after. Note that attacks can only get better and faster, computational power only becomes cheaper, and attackers have the uncanny ability to be more creative in exploiting vulnerabilities than common expectations.”No need to panic right now
While Googlemade major waves in the cryptography world by breaking one of the major algorithms in web encryption today, the attack requires immense computational power. “This attack required over 9,223,372,036,854,775,808 SHA1 computations,” the research team said. “This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations.”
Another reason you shouldn’t panic is becausecertificates to HTTPS-protected websites aren’t affected. As reported earlier in January, certificate authorities are no longer allowed to rely on SHA1 to sign TLS certificates. This means your browser will show you that scaryred warning sign if you visit a website that is still using SHA-1.
Since Google isn’t the only one with enough computing power, it should be said out loud that it is unlikely that the company is the first one to crack SHA1, considering the computing power government agencies have access to. Google is hoping that their making the process public (in 90 days) will prompt the industry to move to safer options.
“We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256,” researchers wrote. “It’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3.”
After 90 days, Google will disclose exactly how they broke one of the most widely used hashing functions. Once it is out in the wild, anyone with enough computing power will be able to break it, essentially making the algorithm insecure and obsolete.
More details on this can be found here .