Researchers at Google and the CWI Institute in Amsterdam submitted the first ever successful SHA-1 collision attack.
SHA-1 (Secure Hash Algorithm), a known and the most popular cryptographic hashing designed in 1995 by National Security Agency and a U.S. Federal Information Processing Standard published by the United States NIST is now officially dead.
SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. An SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.
What is Collision Attack?
A collision attack is an attack when the same hash value (fingerprint) are produced or provided for two different messages allowing an attacker to break communications encoded with SHA-1 and can forge your digital signature.
In simple words, an attacker can get access to your online banking system by generating the same copy of your digital signature.
In October 2015, a group of researchers lead by Marc Stevens from the Centrum Wiskunde and Informatica (CWI) in the Netherlands has published an article that proofs the collision attack of SHA-1 – Freestart Collision.
Many researchers have been warning about the security of SHA-1, but the hash functions were used in wild.
In Late 2015, researchers estimated the running cost for SHA-1 collision attack would cost in between $75000-$120000 using Amazon’s EC2 computing power over a period of time can be month or year.
Group of researchers from Google has now published a new research detailing successful collisions attack, dubbed as SHAttered and cost to carry out the collision via Amazon’s cloud computing platform is $110000.
According to the researchers, the SHAttered collision attack is 100,000 faster than the regular brute force attack.
Also, the technique can be used to create collision in GIT file on objects and in Digital Signature Certificates.
Statement –“This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations,” the researcher explains.
Statement — “While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical.”
Now, it is the time to migrate to safer cryptographic hashes like SHA-256 and SHA-3
In November 2013 Microsoft announced that it would not accept SHA-1 certificate after 2016, SHA-1 has been used widely over the internet, Despite declared insecure by researchers
Many of the open-source platforms use SHA-1 encryptions, GIT the most widely used free open-source platform system for managing software development is using SHA-1 encryption for data safety.
We can’t guess there are an unknown number of such platforms, even some banks also relies on SHA-1 encryption for digital signatures.
What types of systems are affected?
Any application that relies on SHA-1 for digital signatures, file integrity, or file identification is potentially vulnerable. These include:
- Digital Certificate signatures
- Email PGP/GPG signatures
- Software vendor signatures
- Software updates
- ISO checksums
- Backup systems
- Deduplication systems
Google is planning to release its proof-of-concept(PoC) in 90days. So enough time to replace SHA-1 encryption with other more secure encryption.
Google has also launched a detection tool that will detect if the files are part of collision attack. You can get more information and tool about the collision attack done by Google at Shattered.io