Recently a report was published that stated Google Cracks SHA-1 (Secure Hash Algorithm 1). This Hash function was original developed by the NSA in 1993. But is still used by many websites today, although there are much newer versions that offers greater security.
The adoption of these newer methods has not been massive. But from a security side, the algorithms and computational power required to crack these newer methods makes it much more secure.
The method Google used to crack SHA-1 was hash collision. This is notably one of the issues surrounding SHA-1, in 1993 giving each file a unique header could be seen as very secure. But unfortunately as computational power has increased, the security associated with SHA-1 has diminished. The age of this encryption method could also be seen as a negative. In 1993 there could have been no way to predict the increase in computer users over the next 20+ years. This alongside the leap in technology combine to weaken this encryption algorithm.
Google were in fact able to force a collision between two SHA-1 file header, and thus have technically cracked the SHA-1 encryption. But this ‘experiment’ was done under lab conditions with the might of both Google and the University of Amsterdam. Considering the resources both organisations will have at their disposal reduce the chance of many rouge hackers targeting this attack vector.
Considering that it took these organisations two years to achieve this also further reduces the chances of this becoming a popular attack method. Although it can be said that SHA-1 can no longer be considered ‘secure’, organisations probably wont be rushing out to remove it.
The image below depicts the number of SHA-1 compressions performed before the collision was caused.
Infoagraphic – Google Cracking SHA-1
Fortunately this should not shake the cybersecurity world too much, as SHA-2 is readily available. The means that even if Google are able to cause a collision again, there are more secure options out there.
In 2005 the creator of both Linux and Git was warned about the possible vulnerability. But still uses it on Git to this day. It is his belive that it would be for to costly for any attacker to attempt. However Git has layered security meaning that even if one layer is compromised that isn’t the end game.
It is my opinion that although SHA-1 has been cracked under lab conditions, it is not a feasible attack method. Even if from a state sponsored actor, the resources and time would be considered to great. Also companies such as Google and Microsoft already using SHA-3, meaning their users will be protected. Some companies have stopped accepting SHA-1 and it is recommend that you upgrade but it wont be considered urgent.