The aging cryptographic hash function SHA-1 (Secure Hash Algorithm 1) has suffered what some experts consider its final blow today as researchers from Google and the CWI Institute revealed that they had found a practical way to break SHA-1.
SHA-1 has long been considered obsolete, and most major browser vendors plan to stop accepting SHA-1-based certificates this year because it is weaker than the newer SHA-2 and SHA-3 standards.
Google and CWI engineered a collision attack against SHA-1, demonstrating two PDF files with the same SHA-1 hash and different content as a proof-of-concept of their findings.
"For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure," Google said in a blog post today. "We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256."
See Google's post here for more details on the PoC.
Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.