Friday February 24, 2017

SHA-1 Cracked after 20 Years

Secure Hash Algorithm 1 has finally been cracked. That said, it is not exactly something easy to do and requires some expensive resources, but we can be sure that someone nasty has those resources available. You can read up on this at the Google Security Blog.

Today, more than 20 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.

So what kind of resources are needed to crack SHA-1? Google tells us that over 6,600 years of CPU computation time are needed to complete the crack. So unless you have a data center at your fingertips, or have access in to multiple CPUs at multiple datacenters, you will not be able to play with this yourself. This all said, SHA-1 has pretty much gone the way of the dinosaur, giving way to SHA-3 and SHA-256. So all in all, this is good news and given that the specifics will be released in a few months, but if you rely on SHA-1, now you have a very good reason to move to more modern cryptographic hash functions.

News Image