Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

Google shatters SHA-1, but don’t worry the Internet is still working

$
0
0

Google shatters SHA-1, but don’t worry the Internet is still working

Whole areas of modern computing rely on the concept of certain things being “computationally infeasible” including encryption. “Computationally infeasible”meansmean that certain mathematical operations are logically possible, however to actually perform them you need lots of time (like years) and lots of computing power.

But sometimes shortcuts can be found which speed up the these calculations. In the field of encryption these shortcuts are known as weaknesses, as they reduce the amount of time need to perform the calculations and therefore make them morecomputationally feasible not infeasible.

The news today is that Google has found more new weakness in the SHA-1 hashing algorithm which means that it can create fake hashes.

The SHA-1 hashing algorithm is a way of producing a unique identifier for any given block of data, typically a file or an encryption certificate. That SHA-1 hash is a bunch of numbers, like this:

44e63796bb58db4a79268f625c95e1c212837602

So if I download a file from the Internet I can check that the download is good by comparing the SHA-1 hash of the file I have downloaded with the hash published on the website. If they match then I know that the file I have and the published file are the same. If the file was different, even by one single character then the SHA-1 hash would be differentand I would know that something has gone wrong.

The same principle applies to encryption. We all use https:// secure sites every day, not only for online banking or for online shopping, but alsofor searches on Google or for accessing our email. It stops third parties from snooping at our search requests or from stealing credit card details.

See also:

How does encryption work? Gary explains

September 13, 2016

When you connect to a https:// site the web browser needs to know that it really has connected to the right site and not a fake site setup by cybercriminals. TheTLS protocol used for https:// checks a site’s authenticity by asking for its certificate. The browser then checks the certificate to see if it is genuine. That check uses hashes like SHA-1.

Essentially what happens is that the certificate is digitally signed by a third party, known as a Certificate Authority (CA) and to ensure that the certificate is the same as the one verified by the CA then a hash is used. In other words, if you see a certificate with this hash then it is good.

So, if you can create a fake certificate that has the same hash as a good certificate then web browsers all over the world will be tricked into accepting the fake certificate.

See also:

How does public key cryptography work? Gary explains

October 4, 2016

Up until a few years ago the hash algorithm used to confirm the digital signature was SHA-1, butsince 2016 all the certificate authorities stoppedissuing SHA1-based certificates and the major web browsersstarted towarn users whenaccessing secure sites that use SHA-1.


Google shatters SHA-1, but don’t worry the Internet is still working

What Google has managed to do is create two PDF files with exactly the same SHA-1 hash. This could theoretically be extended to web site certificates. There is however a minor catch, although Google managed to create these two hashes, it took the equivalent of 6500 CPU years and 100 GPU years to do it. So while you or I won’t be making fake SHA-1 hashes any time soon, this amount of computing power isn’t beyond the reach of nation states.

Google has released a comprehensive research paper (PDF) about its work, however it has decided to wait 90 days before releasing source code.


Google shatters SHA-1, but don’t worry the Internet is still working

In order to prevent this attack from active use, Google hasadded protections into Gmail and GSuite that detects its newcollision technique. It has also launched a free detection system to the public.

It isn’t only the web security that is affected but any other systems that uses SHA-1 like Git and some backup solutions. Google’s recommendation is that everyone using SHA-1migrates to safer cryptographic hashes such as SHA-256 and SHA-3.


Viewing all articles
Browse latest Browse all 12749

Trending Articles