Advertisment

Google researchers break into widely used SHA-1 encryption

author-image
CIOL Writers
New Update
d f b b a b e f a e

One of the most common cryptography - SHA-1 - that has been in use since 1995 for colossal amount data like software source code, emails, PDFs, website certificates, etc, is now completely unsafe.

Advertisment

Google security researchers made major waves in the cryptography world, when they completed the first real-world collision attack against the SHA-1 (Secure Hash Algorithm 1) hash function, producing two different PDF files with the same SHA-1 signature.

It took two years and nine quintillions SHA-1 computations, 6,500 years of CPU time, and 110 years of GPU time for the researcher's team to create the collision. According to Google, it was one of the largest computations ever completed. The team is made up of Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov.

"Today, 20 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision," the research team said.

Advertisment

Though the latest achievement suggests that the algorithm will be discontinued as soon as possible, SHA-1 has been known to be vulnerable since 2005. In 2010, the U.S. National Institute of Standards and Technology had banned the use of SHA-1 by U.S. federal agencies, and in January 2016, the digital certificate authorities were banned from issuing an SHA-1-signed certificate. However, the algorithm is still used to validate credit card transactions, electronic documents, email PGP/GPG signatures, open-source software repositories, backups and software updates.

SHA-1 is basically used to calculate an alphanumeric series that helps to maintain files and data with cryptographic representation. This digest or digital signature is supposed to be unique and non-reversible. However, if two files have the same hash function, "then it is considered cryptographically broken because digital fingerprints generated with it can be forged and cannot be trusted."

Google said in a blog post, "Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3. In order to prevent this attack from active use, we’ve added protections for Gmail and GSuite users that detect our PDF collision technique. Furthermore, we are providing a free detection system to the public."

Starting this month, Google Chrome will mark SHA-1-signed HTTPS certificates as unsafe with version 56.

google