The writing has been on the wall for SHA-1 for quite some time. The cryptographic hash has been around for over a decade now, but organizations have started to move away from it as more robust options became available (SHA-256, SHA-3, etc.). Back in 2013, researchers published a theoretical approach to generating a collision. Now, with the help of Google’s computational grunt and additional resources, they were able to actually generate a collision in the wild.
At least right now, the requirements are pretty steep; you won’t be making collisions with a Raspberry Pi any time soon. The two-phase approach taken by the researchers required about 6,500 years of CPU compute and 110 years of GPU grunt. Put in perspective, though, that’s 100,000 times faster than a brute-force attack. For a sophisticated actor, the compute involved is trivial if they really want to break it anyway, once a method is out there.
Since it’s Google, the blog post has some delightful graphics and a full PDF of the process, so make sure to check that out. What I like to see, though, is that the major browser makers are on top of this. Chrome, Firefox, IE/Edge, and Safari/WebKit all previously announced plans to block SHA-1 certificates by mid-2017. The real concern is what happens when the next big password breach comes out. Hopefully we won’t see an equivalent repeat of Yahoo storing passwords in MD5 a decade after it was thoroughly broken.
Moral of the story: You should have already planned to move away from SHA-1 years ago, and now there’s no excuse to keep using it.
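As an added example (not code from the original post, Google, or CWI), here is a small Python migration helper that covers the two practical points above: auditing an inventory for signatures still made with SHA-1 or MD5, flagging a pair of files that share a SHA-1 digest but differ under SHA-256 (which is exactly what the two released PDFs would trigger), and storing passwords with salted PBKDF2-HMAC-SHA256 instead of a bare MD5 or SHA-1 digest. The inventory records, the record format, and the host names are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Hash functions the post treats as broken for security use.
WEAK_HASHES = {"md5", "sha1"}


def normalize_algorithm(name):
    """Reduce a signature-algorithm label (e.g. 'sha1WithRSAEncryption',
    'SHA-1', 'ecdsa-with-SHA256') to 'md5', 'sha1', or 'other'."""
    n = name.lower()
    if "md5" in n:
        return "md5"
    # Match 'sha1' / 'sha-1' but not 'sha128'-style names or 'sha256'.
    if re.search(r"sha-?1(?!\d)", n):
        return "sha1"
    return "other"


def audit_inventory(records):
    """Return (name, sig_alg) pairs whose signature hash is weak.

    Each record is a dict with 'name' and 'sig_alg' keys; this record
    format is an assumption made for the example, not a real inventory
    schema.
    """
    return [
        (r["name"], r["sig_alg"])
        for r in records
        if normalize_algorithm(r["sig_alg"]) in WEAK_HASHES
    ]


def collision_suspected(a, b):
    """True when two byte strings share a SHA-1 digest but differ under
    SHA-256. The two PDFs released with the announcement would return
    True here; identical or merely different inputs return False."""
    same_sha1 = hashlib.sha1(a).digest() == hashlib.sha1(b).digest()
    same_sha256 = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    return same_sha1 and not same_sha256


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 in a self-describing, parseable form."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the stored hash and compare in constant time."""
    alg, iterations, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed sample inventory: two certificates and one password store.
SAMPLE_RECORDS = [
    {"name": "legacy.example (constructed)", "sig_alg": "sha1WithRSAEncryption"},
    {"name": "www.example (constructed)", "sig_alg": "sha256WithRSAEncryption"},
    {"name": "old-hash-store (constructed)", "sig_alg": "MD5"},
]


if __name__ == "__main__":
    for name, alg in audit_inventory(SAMPLE_RECORDS):
        print(f"WEAK: {name} still uses {alg}")
    print("collision suspected:", collision_suspected(b"file one", b"file two"))
    stored = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", stored))
```

Run it as a script to see the two weak entries flagged; the `collision_suspected` check is the one to run over the two PDFs from the announcement, and it is also a cheap guard for any pipeline that still keys on SHA-1 fingerprints.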
From the Google Security Blog:
Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.