The writing has been on the wall for SHA-1 for quite some time. The cryptographic hash has been around over a decade now, but organizations have started to move away from it as more sophisticated options became available (SHA-256, SHA-3, etc). Back in 2013, researchers published theoretical approach to generating a collision. Now with the help of Google’s computation grunt and additional resources, were able to actually generate a collision in the wild.
At least right now, the requirements are pretty steep, you won’t be making collisions with a Raspberry Pi any time soon. The two-phase approach taken by the researches required about 6,500 years of CPU compute and 110 years of GPU grunt. But in perspective, that’s 100,000 times faster than a brute force attack. For a sophisticated actor, the compute involved is trivial if they really want to break it any, once a method is out there.
Since it’s Google, the blog post has some delightful graphics and a full PDF of the process, so make sure to check that out. What I like to see though is that the major browser manufacturers are on top of this. Chrome, Firefox, IE/Edge, and Safari/Webkit all previously announced plans to block SHA-1 certificates by mid-2017. The real concerns is when the next big hack of passwords come out. Hopefully we won’t see an equivalent repeat of Yahoo storing passwords in MD5 a decade after it was thoroughly broken.
Moral of the story: You should have already planned to move away from SHA-1 years ago, and now there’s no excuse to keep using it.
From the Google Security Blog:
Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.
- Is the Private Cloud Dying? - December 8, 2017
- Postpone Inbox Procrastination - December 7, 2017
- Congruity360: A Confluence of Services - December 7, 2017
- Eyvonne Sharp – IT Origins - December 7, 2017
- Blockchain and the UN - December 6, 2017
- Drobo 5N2 Review: A Need, Not A Want - December 6, 2017
- The Gen-Z Consortium: A Blade By Any Other Name? - December 5, 2017
- Failed Startups – The On-Premise IT Roundtable - December 5, 2017
- The CLI on Death’s Door, re:Inventing the Gestalt Rundown, and Talking IT with Chin-Fah Heoh in Gestalt Networking News 17.10 - December 4, 2017
- Chin-Fah Heoh – IT Origins - November 30, 2017