SHA-1 Broken
Today, Google made major waves in the cryptography world, announcing a public collision in the SHA-1 algorithm. It’s a deathblow to what was once one of the most popular algorithms in cryptography, and a crisis for anyone still using the function. The good news is, almost no one is still using SHA-1, so you don’t need to rush out and install any patches. But today’s announcement is still a major power play from Google, with real implications for web security overall.
Like most cryptography, it can get a little complicated, so it’s probably best to start from the very beginning...
WHAT JUST HAPPENED?
Google publicly broke one of the major algorithms in web encryption, called SHA-1. The company’s researchers showed that with enough computing power — roughly 110 years of computing from a single GPU for just one of the phases — you can produce a collision, effectively breaking the algorithm. We’ve known this was possible for a while, but nobody has done it, in part because of the possible fallout.
In accordance with its disclosure policy, Google is waiting 90 days to say exactly how they did it — but once the proof-of-concept is out, anyone with enough computing power will be able to produce a SHA-1 collision, rendering the algorithm both insecure and obsolete.
It’s hard to say if Google’s researchers are the first people to do this (<cough> NSA <cough>), but they’re the first ones to talk about it, which has major implications for anyone still using SHA-1.
WHAT DOES SHA-1 ACTUALLY DO?
SHA-1 is a hashing function, which produces a digital fingerprint from a given file. That lets you verify a file’s integrity without exposing the entire file, simply by checking the hash. If the hash function is working properly, each file will produce a unique hash — so if the hashes match, the files themselves will also match. That’s particularly important for login systems, which need to verify that a password is correct without exposing the password itself.
No comments:
Post a Comment