Google Researchers 'Shatter' SHA-1 Hash
'Collision' attack by researchers at CWI Institute and Google underscores need to retire SHA-1.
The aging cryptographic hash function SHA-1 (Secure Hash Algorithm 1) has suffered what some experts consider its final blow today as researchers from Google and the CWI Institute revealed that they had found a practical way to break SHA-1.
SHA-1 long has been considered obsolete, and most major browser vendors plan to halt accepting SHA-1 based certificates this year due to its relatively weaker crypto scheme than the newer SHA-2 and SHA-3 standards.
Google and CWI engineered a collision attack against SHA-1, demonstrating two PDF files with the same SHA-1 hash and different content as a proof-of-concept of their findings.
"For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure," Google said in a blog post today. "We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256."
See Google's post here for more details on the PoC.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024