Google Researchers Successfully Broke SHA-1 Web Security Tool

According to Google’s research team, they have successfully broken Secure Hash Algorithm 1, commonly referred to as SHA-1, a cryptographic hash function that is a vital internet security tool. They believe that with this new breakthrough they can limit the widespread use of encryption technology.

It is indeed a breakthrough: although SHA-1 is an important and widely used internet security method, it had so far only been described as vulnerable, and nothing had been proved in practice. Now SHA-1 can be called vulnerable without any confusion, and it is time for security firms and software developers to update their systems and use something else instead of this algorithm.

Marc Stevens spearheaded the research with other staff members at the Netherlands-based computer science institute Centrum Wiskunde & Informatica, and the Dutch government funded the work. They have been trying to crack SHA-1 since 2009, and today they have finally succeeded and publicly announced the result. Google began collaborating with Stevens in 2015 and contributed pro bono resources such as computing and engineering infrastructure and technological expertise.

SHA-1 has been a vital internet security tool since 1995, and with the passage of time it became a mainstream security tool for internet users and the cyber-community, but its salient weaknesses weren’t highlighted until 2005.

The LinkedIn data leak in 2016 revealed that the company was using unsalted SHA-1 to hash user passwords.
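
The unsalted SHA-1 password storage mentioned above, shown next to a salted replacement with an upgrade-on-login migration. This is an added example, not code from the original article or from the researchers; the record format, function names, PBKDF2 work factor and sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, the legacy scheme: equal passwords give equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: 'pbkdf2$iterations$salt$hash'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, new_record). new_record is set only when a legacy
    SHA-1 record verified and should replace the stored value."""
    if stored.startswith("pbkdf2$"):
        try:
            _, iters, salt_hex, dk_hex = stored.split("$")
            dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
            return hmac.compare_digest(dk, bytes.fromhex(dk_hex)), None
        except ValueError:
            return False, None  # malformed record: fail closed
    # Legacy path: record is the hex digest of unsalted SHA-1.
    candidate = legacy_sha1(password).encode("ascii")
    if hmac.compare_digest(candidate, stored.lower().encode("utf-8")):
        return True, hash_password(password)  # re-hash while we hold the plaintext
    return False, None


# Constructed sample data: two users who chose the same password.
LEGACY_DB = {"alice": legacy_sha1("correct horse"), "bob": legacy_sha1("correct horse")}

if __name__ == "__main__":
    print("identical legacy hashes:", LEGACY_DB["alice"] == LEGACY_DB["bob"])
    ok, upgraded = verify_and_upgrade("correct horse", LEGACY_DB["alice"])
    print("login ok:", ok, "| upgraded record:", upgraded)
```

The weakness shown here (a fast hash with no salt) exists independently of the collision attack the article reports, so password stores need this migration regardless of collision resistance.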

Google practices a profound vulnerability disclosure policy, and as per that policy, the company plans to release the code acquired after cracking the SHA-1 algorithm. This will happen within 90 days from today. It would lead to attackers and cybercriminals receiving an instruction manual for decoding the algorithm. Therefore, whoever is still relying on SHA-1 will most definitely become vulnerable to attackers’ malicious antics.

The first concrete collision attack against SHA-1

In a blog post, Google researcher Elie Bursztein noted that the company had urged security practitioners to employ more reliable and safe “cryptographic hashes” on an urgent basis. The post further clarified that the SHA-1 algorithm was used very commonly for encryption of documents such as emails, payment transactions, email attachments, electronic files and legal documents. The algorithm has remained in use for so many years that most people would find it difficult to switch to a new mechanism. However, this is the need of the day.


Waqas
