View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 24, 2017

Google breaks old cryptographic algorithm SHA-1 in collision attack

SHA1 is used to generate hashes for digital data.

By CBR Staff Writer

Security researchers from Google and the CWI Institute in Amsterdam have cracked an old cryptographic algorithm called SHA-1 in a collision attack, making it dead or obsolete.

Security researchers have made the first successful collision attack against the Secure Hash Algorithm 1 (SHA-1) hash function, producing two different PDF files with the same SHA-1 fingerprint.

The National Institute of Standards and Technology (NIST) standardised SHA-1 in 1995 to securely compute message fingerprints for use in the computation of digital signatures that are essential to Internet security, like HTTPS (TLS,SSL) security, electronic banking, signing documents and software.

CWI cryptanalyst Marc Stevens says: “Many applications still use SHA-1, although it was officially deprecated by NIST in 2011 after exposed weaknesses since 2005.

“Our result proves that the deprecation by a large part of the industry has been too slow and that migration to safer standards should happen as soon as possible.”

Researchers were able to demonstrate a collision attack using two different PDF files with the same SHA-1 fingerprint, but with different visible contents.

The researchers had to use the equivalent of 6,500 years of CPU computation and 110 years of GPU computation to complete the two phases of the technique, and 9,223,372,036,854,775,808 SHA-1 computations.Google SHA-1 Collision

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

It is more than 100,000 times faster than a brute force attack. The researchers said: “We used the same infrastructure that powers many Google AI projects including Alpha Go and Google Photo as well as Google Cloud.”

The group said they will be waiting for 90 days before releasing the code of the attack in line with Google’s vulnerability disclosure policy. They are also offering a free detection system to the public.

Google said in a blog post, “In order to prevent this attack from active use, we’ve added protections for Gmail and GSuite users that detects our PDF collision technique.

“Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3.”

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.