A collision refers to an event where two separate files or messages produce the same cryptographic hash, which malicious entities can use to feign authentication and facilitate an attack. While this has been observed before in relation to other hash algorithms, this is the first time that two SHA-1 hashes have collided, according to a report from Ars Technica.
SHA1 was officially deprecated by the National Institute of Standards and Technology in 2011, but the algorithm is still in use despite doubts about its security. In November 2016, Microsoft joined Google and Mozilla in making preparations to start blocking sites that use SHA-1 protection.
A paper that was published Thursday demonstrates that SHA-1 is unsafe as of right now, and should be retired immediately. The paper is the result of two years of collaborative work undertaken by the Centrum Wiskunde & Informatica, a national research center in Amsterdam, and Google’s security, privacy, and anti-abuse research group.
It would take a great deal of computing power to carry out an attack that takes advantage of an SHA-1 collision — however, that kind of muscle is ready available, as long as the perpetrators have enough financial backing. The paper states that an attack could be performed using Amazon Web Services for as little as $110,000.
Google’s disclosure policy dictates that source code used to perform the collision detailed in the paper will be released in 90 days. As a result, the sites and services that still use SHA-1 hashing will need to discontinue their usage of the algorithm before that date, as those materials will make it much easier for an attack to be carried out.
Editors' Recommendations
- No, 1Password wasn’t hacked – here’s what really happened
- Moto Edge X30, first Snapdragon 8 Gen 1 phone likely to launch on December 9
- SimCam 1S is an indoor security camera with a ‘hacker-proof’ mode
- 1.5% of Chrome users’ passwords are known to be compromised, according to Google
- Sony’s Xperia 1 is the first smartphone with a 4K OLED display
