Light Dark
February 27, 2017 By Mark Samuels 2 min read

Google’s announcement of the first-ever collision attack means the Secure Hash Algorithm 1 (SHA-1) is officially dead, according to a report from Bleeping Computer.

SHA-1 is a cryptographic function that generates hashes for digital data. These hashes should be unique and help prove the identity of a file. However, the successful collision attack undermines that uniqueness, and the algorithm can thus no longer be considered secure.

The demise of SHA-1, which was designed by the United States National Security Agency several decades ago, creates significant implications for businesses that rely on the algorithm for the delivery of files across the web. Technology companies should work to move from SHA-1 as soon as possible.

How Did Google Run the Attack?

This successful attack marks the conclusion of two years’ research between Google and the CWI Institute in Amsterdam. In a blog post, Google noted how CWI researcher Marc Stevens published an initial theoretical paper on SHA-1 collision in 2013.

The blog post explains researchers had to overcome some considerable challenges to build a theoretical collision attack in practice. As many as 6,500 years of CPU computation were required to complete the first phase of attack, and 110 years of GPU computation for the second phase. During these phases, researchers ran more than 9 quintillion different SHA-1 computations in total.

As proof of the attack, Google released two PDFs with identical SHA-1 hashes but different content.

What Is a Collision Attack and Why Does It Matter?

A collision occurs when two distinct pieces of data, such as a document or website certificate, produce a hash with the same number value. Collisions should, in theory, never occur for secure hash functions.

However, experts have long believed a well-funded attacker could craft a collision in a flawed algorithm, such as SHA-1. Google’s research proved this flaw and demonstrates how an attacker could use a collision attack to replace one file with another.

An errant individual or third party, for example, could use two colliding contracts to trick another party into digitally signing a higher-value contract. The seller could later claim the purchaser signed a contract with drastically different terms and a much higher price.

What Should Businesses and IT Managers Do Now?

The demise of the algorithm comes at a time when many organizations still rely on SHA-1. Estimates suggest thousands of software packages could use SHA-1 to ensure the safe installation and update of files distributed over the web.

Google says its research highlights how the IT industry must break its reliance on SHA-1. The source code for performing the collision attack on SHA-1 will be published in 90 days.

Stevens told Ars Technica that any individual or business still using SHA-1 should look to move to a safer standard before real-world attacks take place. He suggested that continued growth in computational power means it will become cheaper and easier to run such attacks.

Security Intelligence reported late last year how major technology firms such as Microsoft and Mozilla would stop accepting outdated certificates. In its blog post announcing the collision attack, Google suggests businesses should urgently move from SHA-1 to safer alternatives such as SHA-256.

 |  |  |  | 
Mark Samuels
Tech Journalist

More from

November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

November 13, 2024

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature