The writing has been on the wall for SHA-1 for quite some time. The cryptographic hash has been around over a decade now, but organizations have started to move away from it as more sophisticated options became available (SHA-256, SHA-3, etc.). Back in 2013, researchers published a theoretical approach to generating a collision. Now, with the help of Google’s computation grunt and additional resources, researchers were able to actually generate a collision in the wild.
At least right now, the requirements are pretty steep; you won’t be making collisions with a Raspberry Pi any time soon. The two-phase approach taken by the researchers required about 6,500 years of CPU compute and 110 years of GPU grunt. But to put that in perspective, that’s 100,000 times faster than a brute force attack. For a sophisticated actor, the compute involved is trivial if they really want to break it anyway, once a method is out there.
Since it’s Google, the blog post has some delightful graphics and a full PDF of the process, so make sure to check that out. What I like to see, though, is that the major browser manufacturers are on top of this. Chrome, Firefox, IE/Edge, and Safari/WebKit all previously announced plans to block SHA-1 certificates by mid-2017. The real concern is when the next big hack of passwords comes out. Hopefully we won’t see an equivalent repeat of Yahoo storing passwords in MD5 a decade after it was thoroughly broken.
Moral of the story: You should have already planned to move away from SHA-1 years ago, and now there’s no excuse to keep using it.
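A collision means two different inputs share one SHA-1 digest, so anything that identifies content by SHA-1 alone cannot tell them apart. The sketch below is an added example, not code from the Google post: it indexes content by SHA-1 and flags any digest shared by items whose SHA-256 differs. The function names are hypothetical, the sample data is constructed, and an 8-bit truncation of SHA-1 stands in for a broken hash so the check has something to find offline.

```python
import hashlib
from collections import defaultdict


def sha1_hex(data: bytes) -> str:
    """Legacy identifier under audit."""
    return hashlib.sha1(data).hexdigest()


def truncated_sha1(data: bytes) -> str:
    """Constructed stand-in for a broken hash: only 8 bits of SHA-1,
    so collisions are guaranteed in a sample of more than 256 inputs."""
    return sha1_hex(data)[:2]


def find_collisions(items, weak=sha1_hex):
    """items: iterable of (name, bytes).

    Returns {weak_digest: {sha256_digest: [names]}} for every weak digest
    shared by items whose SHA-256 differs. Byte-identical copies land under
    the same SHA-256 key and are not reported on their own.
    """
    index = defaultdict(lambda: defaultdict(list))
    for name, data in items:
        index[weak(data)][hashlib.sha256(data).hexdigest()].append(name)
    return {w: dict(by256) for w, by256 in index.items() if len(by256) > 1}


def demo():
    # Constructed sample: 300 distinct documents plus one exact duplicate.
    items = [(f"doc-{i}.pdf", f"constructed content {i}".encode())
             for i in range(300)]
    items.append(("doc-0-copy.pdf", b"constructed content 0"))
    full = find_collisions(items)                       # real SHA-1
    weak = find_collisions(items, weak=truncated_sha1)  # stand-in hash
    return full, weak


if __name__ == "__main__":
    full, weak = demo()
    print(f"SHA-1 digests shared by differing content: {len(full)}")
    print(f"truncated digests shared by differing content: {len(weak)}")
    for digest, groups in sorted(weak.items())[:3]:
        names = [n for group in groups.values() for n in group]
        print(f"  {digest}: {names}")
```

Run against a real file store, a non-empty result with the default `weak=sha1_hex` means two different files share a SHA-1 digest and the store needs a stronger identifier.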
From the Google Security Blog:
Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.