Google and the CWI Institute have created two PDFs that hash to the same SHA-1 digest
Google, working with the CWI Institute in Amsterdam, has demonstrated in practice that the cryptographic hash function SHA-1 is broken, by carrying out the first practical collision attack against it.
SHA-1 is a cryptographic hash function in wide use across the software industry, playing a role in browser security (it was long used to sign TLS certificates), in managing code repositories and in detecting duplicate files in storage. It is essentially used to prove that data has not been tampered with in any way.
The function compresses input of any length into a 160-bit hash value known as a message digest, and it was considered secure because finding two messages that lead to the same digest should be computationally infeasible.
A collision occurs when two distinct inputs hash to the same digest. Google says that a collision should never occur for a secure hash function but, “if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision”.
An attacker holding such a colliding pair can then deceive any system that trusts the digest, for example by substituting a malicious file for a harmless one that carries the same SHA-1, so that a signature or integrity check computed over the original still passes.
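The following Python script is an added example, not code from Google, CWI or the article, that walks through the mechanics just described: a generic birthday search produces two distinct documents with the same digest, and a signature check and a deduplicating store that key on that digest both accept the wrong document. The one assumption that makes it run in under a second is that SHA-1 is truncated to 32 bits (`DIGEST_BITS`); on the full 160-bit function the same generic search would cost about 2^80 hashes, which is why SHAttered had to exploit SHA-1's internal structure instead. The HMAC "signature", the `invoice-2017-` prefix and the content-addressed store are all constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption for this added example: SHA-1 truncated to 32 bits, so that a generic
# birthday search needs only ~2^16 hashes and finishes in well under a second.
# Real SHA-1 is 160 bits: the generic bound is ~2^80, and SHAttered's structural
# attack needed ~2^63 SHA-1 computations. The mechanics below are otherwise the same.
DIGEST_BITS = 32


def toy_digest(data: bytes, bits: int = DIGEST_BITS) -> bytes:
    """Truncated SHA-1 digest; the truncation is the only thing that makes it weak."""
    return hashlib.sha1(data).digest()[: bits // 8]


def find_collision(prefix: bytes, bits: int = DIGEST_BITS):
    """Generic birthday search for two distinct messages with the same toy digest.

    Returns (msg_a, msg_b, digest, tries). Unlike SHAttered, which exploits
    flaws in SHA-1 itself, this uses no structure of the function at all.
    """
    seen = {}
    tries = 0
    while True:
        tries += 1
        msg = prefix + os.urandom(8)  # random suffix; constructed test data
        d = toy_digest(msg, bits)
        if d in seen and seen[d] != msg:
            return seen[d], msg, d, tries
        seen[d] = msg


def sign_digest(key: bytes, digest: bytes) -> bytes:
    """Stand-in for a digital signature (HMAC-SHA256, assumed here for brevity).

    What matters is that real signers, TLS CAs and code-signing tools alike, sign
    the digest of the document rather than the document itself.
    """
    return hmac.new(key, digest, "sha256").digest()


def verify(key: bytes, document: bytes, signature: bytes, bits: int = DIGEST_BITS) -> bool:
    """Accept any document whose toy digest matches the one that was signed."""
    expected = sign_digest(key, toy_digest(document, bits))
    return hmac.compare_digest(expected, signature)


def dedup_store(documents, bits: int = DIGEST_BITS) -> dict:
    """Content-addressed store keyed on the toy digest (constructed for the example).

    The second of two colliding documents is silently discarded as a 'duplicate',
    which is the storage-deduplication failure mode the article alludes to.
    """
    store = {}
    for doc in documents:
        store.setdefault(toy_digest(doc, bits), doc)
    return store


def demo() -> dict:
    """Craft a colliding pair and show what each hash-based check makes of it."""
    doc_a, doc_b, digest, tries = find_collision(b"invoice-2017-", DIGEST_BITS)
    key = os.urandom(32)
    signature = sign_digest(key, toy_digest(doc_a))  # only doc_a was ever signed
    return {
        "distinct_documents": doc_a != doc_b,
        "same_toy_digest": toy_digest(doc_a) == toy_digest(doc_b),
        "signature_accepts_a": verify(key, doc_a, signature),
        "signature_accepts_b": verify(key, doc_b, signature),  # the forgery
        "dedup_kept": len(dedup_store([doc_a, doc_b])),
        "sha256_distinguishes": hashlib.sha256(doc_a).digest() != hashlib.sha256(doc_b).digest(),
        "hashes_tried": tries,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `sha256_distinguishes` line is the migration point of the article: the same two documents that fool every SHA-1-keyed check are told apart by SHA-256, and nothing else in the signing or storage code has to change beyond the digest function.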
“For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage,” Google says. “Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1.
“We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure. We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.”
It should be noted that the two-phase attack required a huge amount of computing power: more than nine quintillion (roughly 2^63) SHA-1 computations in total, 6,500 years of single-CPU computation for the first phase and 110 years of single-GPU computation for the second. That is still far cheaper than the roughly 2^80 operations a generic birthday attack on a 160-bit digest would need, and the results should be a warning to anyone still relying on SHA-1.
Google recommends that security practitioners migrate to hashes such as SHA-256 and SHA-3 and, in line with its disclosure policy, will wait 90 days before releasing the code that allows anyone to create a pair of PDFs that hash to the same SHA-1.
“The SHA-1 algorithm has been known to be weak for some years and it has been deprecated by NCSC, NIST, and many vendors,” commented David Chismon, senior security consultant at MWR InfoSecurity. “However, until today no real world attacks have been conducted. Google’s proof of concept, and the promise of a public release of tools may turn this from a hypothetical issue to a real, albeit expensive one.”