Google achieves first ever SHA-1 collision attack

Researchers unveiled on Thursday the first practical collision attack against the cryptographic hash function SHA-1.

SHA-1, Secure Hash Algorithm 1, is a popular hashing function used by many websites.

Google researchers and academics have today demonstrated it is possible – albeit with a lot of computing power – to produce two different documents that have the same SHA-1 hash signature.

How is SHA-1 Used?


One real-world example where SHA-1 may be used is when you're entering your password into a website's login page. Though it happens in the background without your knowledge, it may be the method a website uses to securely verify that your password is authentic.

In this example, imagine you're trying to log in to a website you often visit. Each time you request to log on, you're required to enter your username and password.

If the website uses the SHA-1 cryptographic hash function, it means your password is turned into a checksum after you enter it in. That checksum is then compared with the checksum that's stored on the website. If the two match, you're granted access; if they don't, you're told the password is incorrect.

Another example where the SHA-1 hash function may be used is for file verification. Some websites will provide the SHA-1 checksum of the file on the download page so that when you download the file, you can check the checksum for yourself to ensure that the downloaded file is the same as the one you intended to download.

So, what is a Cryptographic Hash Collision?


A collision occurs when two distinct pieces of data—a document, a binary, or a website’s certificate—hash to the same digest as shown below.



Specifically, the team has successfully crafted what they say is a practical technique to generate a SHA-1 hash collision. As a hash function, SHA-1 takes a block of information and produces a short 40-character summary. It's this summary that is compared from file to file to see if anything has changed. If any part of the data is altered, the hash value should be different. Now, in the wake of the research revealed today, security mechanisms and defenses still relying on the algorithm have been effectively kneecapped.

Researchers claim the collision, which they got off the ground with help from Google's cloud infrastructure, is "one of the largest computations ever completed". The numbers back the claim. In order to perform the attack, the researchers claim they needed to carry out SHA-1 computation in total, something that took 6500 years of CPU computation time to complete the first phase and 110 years of GPU computation to finish the second.
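To make the collision definition concrete, here is an added Python example (not from the original post or from the researchers) that finds two distinct inputs sharing a SHA-1 digest truncated to 32 bits, then shows how a checksum comparison treats them. It uses a generic birthday search on a weakened digest, not the researchers' technique; the truncation length, the constructed input strings and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
from itertools import count

TRUNC_BYTES = 4  # assumption: keep 32 of SHA-1's 160 bits so the search is fast


def full_sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def short_sha1(data: bytes) -> bytes:
    """Deliberately weakened digest: the first TRUNC_BYTES of SHA-1."""
    return full_sha1(data)[:TRUNC_BYTES]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def find_collision(prefix: bytes = b"constructed-document-"):
    """Hash distinct constructed inputs until two share a truncated digest."""
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        tag = short_sha1(msg)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


def verify(data: bytes, published: bytes, digest_fn) -> bool:
    """Download-page style check: recompute the digest, compare in constant time."""
    return hmac.compare_digest(digest_fn(data), published)


if __name__ == "__main__":
    a, b, tries = find_collision()
    print(f"{a!r} and {b!r} collide after {tries} inputs")
    print("truncated digest :", short_sha1(a).hex(), short_sha1(b).hex())
    # A checker that trusts the weak digest accepts the substituted input b.
    print("weak check passes   :", verify(b, short_sha1(a), short_sha1))
    # The same substitution is caught by full SHA-1 here and by SHA-256.
    print("full SHA-1 passes   :", verify(b, full_sha1(a), full_sha1))
    print("SHA-256 check passes:", verify(b, sha256(a), sha256))
```

A checker that compares only a digest for which collisions can be produced accepts either input, which is why file verification should compare a SHA-256 digest rather than SHA-1.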

How does it affect us?




SHA-1 has been on its deathbed for years. Despite being officially deprecated by NIST in 2011, it's still used in a variety of ways worldwide. The algorithm figures into how some credit card transactions are processed and how some software is updated. It's also used in document signing systems and Git, a system that's used for tracking changes in computer files and coordinating work between users.
