February 27, 2017 By Mark Samuels 2 min read

Google’s announcement of the first-ever collision attack means the Secure Hash Algorithm 1 (SHA-1) is officially dead, according to a report from Bleeping Computer.

SHA-1 is a cryptographic function that generates hashes for digital data. These hashes should be unique and help prove the identity of a file. However, the successful collision attack undermines that uniqueness, and the algorithm can thus no longer be considered secure.

The demise of SHA-1, which was designed by the United States National Security Agency several decades ago, creates significant implications for businesses that rely on the algorithm for the delivery of files across the web. Technology companies should work to move from SHA-1 as soon as possible.

How Did Google Run the Attack?

This successful attack marks the conclusion of two years’ research between Google and the CWI Institute in Amsterdam. In a blog post, Google noted how CWI researcher Marc Stevens published an initial theoretical paper on SHA-1 collision in 2013.

The blog post explains researchers had to overcome some considerable challenges to build a theoretical collision attack in practice. As many as 6,500 years of CPU computation were required to complete the first phase of attack, and 110 years of GPU computation for the second phase. During these phases, researchers ran more than 9 quintillion different SHA-1 computations in total.

As proof of the attack, Google released two PDFs with identical SHA-1 hashes but different content.

What Is a Collision Attack and Why Does It Matter?

A collision occurs when two distinct pieces of data, such as a document or website certificate, produce a hash with the same number value. Collisions should, in theory, never occur for secure hash functions.

However, experts have long believed a well-funded attacker could craft a collision in a flawed algorithm, such as SHA-1. Google’s research proved this flaw and demonstrates how an attacker could use a collision attack to replace one file with another.

An errant individual or third party, for example, could use two colliding contracts to trick another party into digitally signing a higher-value contract. The seller could later claim the purchaser signed a contract with drastically different terms and a much higher price.

What Should Businesses and IT Managers Do Now?

The demise of the algorithm comes at a time when many organizations still rely on SHA-1. Estimates suggest thousands of software packages could use SHA-1 to ensure the safe installation and update of files distributed over the web.

Google says its research highlights how the IT industry must break its reliance on SHA-1. The source code for performing the collision attack on SHA-1 will be published in 90 days.

Stevens told Ars Technica that any individual or business still using SHA-1 should look to move to a safer standard before real-world attacks take place. He suggested that continued growth in computational power means it will become cheaper and easier to run such attacks.

Security Intelligence reported late last year how major technology firms such as Microsoft and Mozilla would stop accepting outdated certificates. In its blog post announcing the collision attack, Google suggests businesses should urgently move from SHA-1 to safer alternatives such as SHA-256.

More from

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future success…

Brands are changing cybersecurity strategies due to AI threats

3 min read -  Over the past 18 months, AI has changed how we do many things in our work and professional lives — from helping us write emails to affecting how we approach cybersecurity. A recent Voice of SecOps 2024 study found that AI was a huge reason for many shifts in cybersecurity over the past 12 months. Interestingly, AI was both the cause of new issues as well as quickly becoming a common solution for those very same challenges.The study was conducted…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today