
Google dismantles SHA-1, one of the cornerstones of web encryption

The SHA-1 hashing algorithm is no longer secure: Google technicians have found a collision and declared the algorithm obsolete. Few still used it.

The SHA-1 algorithm is no longer secure. Google technicians found a "collision" and declared the SHA-1 hashing algorithm obsolete. This is a severe blow to what was once considered the emblem of cryptographic algorithms and represents a genuine crisis for those who still use this function. The good news is that almost no one still relies on SHA-1, so there is no need to run for cover by installing any patches. But the announcement is significant, as it represents an important power play on Google's part, with real implications for global web security.

SHA-1 is a cryptographic hash algorithm created in 1995 that produces the digital fingerprint of a given file and that, for a long time, has been widely used to check data integrity and to secure Internet connections. When the hash function works correctly, each file produces a unique hash, and if the hashes are the same, then the files themselves are the same too. This is essential for login systems that need to verify that a password is correct without revealing the password.

A collision is what happens when a hash function breaks and two files produce the same hash. In this case an attack could creep in through a malicious file that shares its hash with the legitimate file. As evidence of this, Google has shared two PDF files that, when run through SHA-1, produce the same hash. In practical terms, when a hash function is broken you can break into HTTPS systems, HTTPS being the cryptography system that currently protects at least half of the web.

However, technology has changed a lot in recent years and, as a consequence, this algorithm became progressively less secure, to the point that the first hash collision has now been obtained, proving that it is completely broken. Google researchers have shown that with adequate computing power (around 110 years of computing from a single GPU for only one of the phases) it is possible to produce a collision, which effectively breaks the algorithm. It has long been known that this could happen, but no one before was able to prove it.
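To make the collision idea concrete, here is an added example (not from the original article or from Google's research) that searches for a collision on SHA-1 truncated to 24 bits and then shows that SHA-256 still tells the two inputs apart. The truncation is an assumption standing in for a weakened hash, and the names `weak_digest`, `find_collision` and `same_file` are hypothetical; colliding full SHA-1 takes the far larger effort described above.

```python
import hashlib
from itertools import count


def weak_digest(data: bytes, bits: int = 24) -> int:
    """SHA-1 truncated to its top `bits` bits (assumed stand-in for a weak hash)."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits: int = 24):
    """Birthday search: hash distinct constructed inputs until two of them
    share a truncated digest. Returns (first_msg, second_msg, attempts)."""
    seen = {}
    for n in count():
        msg = b"constructed-sample-%d" % n  # constructed input, not real data
        digest = weak_digest(msg, bits)
        if digest in seen:
            return seen[digest], msg, n + 1
        seen[digest] = msg


def same_file(a: bytes, b: bytes) -> bool:
    """Integrity check using SHA-256, which has no known collisions."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


def demo(bits: int = 24) -> dict:
    """Run the search and report what each hash says about the two inputs."""
    a, b, attempts = find_collision(bits)
    return {
        "inputs_differ": a != b,
        "weak_hash_matches": weak_digest(a, bits) == weak_digest(b, bits),
        "sha256_matches": same_file(a, b),
        "attempts": attempts,
        "birthday_estimate": 2 ** (bits // 2),  # about 2^(n/2) tries expected
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The number of attempts stays close to 2^(bits/2) rather than 2^bits, which is why a hash needs a long output and no structural shortcuts to resist collisions.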

Google will wait about 90 days before explaining in detail how it achieved this result, but now that the proof has been disseminated, anyone with sufficient computing power can produce a SHA-1 collision, making the algorithm both unsafe and obsolete.

Perhaps Google's researchers are not really the first to achieve such a result (in the past there were rumors that the NSA had already done so), but they are officially the first to talk about it, raising a considerable problem for anyone using SHA-1. Those who deal with cryptography have foreseen this scenario for years, making predictions not only on how to produce these breaks but also estimating the computing power needed for the purpose.

Many sites have dropped SHA-1: in 2014 it was used for as much as 90% of the encryption on the web, but it was largely abandoned in the following years. As of January 1, all major browsers have shown a warning when visiting a site protected by SHA-1. In any case, anyone with an average certificate provider is safe.

SHA-1 is still used in a couple of places outside of web cryptography, for example the Git archives, but since it has been deprecated for some time, this algorithm should not have such a widespread impact.

Google has made a point of attaching its name to the matter. The process that led to the gradual abandonment of SHA-1 required considerable time and effort, and not everyone was in favor of such a move.

The result was a rush to make the switch, and Google's Chrome Security team provides the means to transition quickly. Chrome started to force sites to get rid of SHA-1 as early as 2014, long before the other browsers, and the first steps taken caused significant problems for the certificate providers, but now that there is evidence of a tangible collision, Chrome's security team seems to have moved quite intelligently.

In a broader sense, it is a struggle over how to make the web more secure. For those who produce smartphones or sell applications, it is worth completely excluding a shaky algorithm. Whenever an algorithm like SHA-1 breaks down, the ad networks are the first to pay the costs, and that's why Google has invested so heavily to make sure that the cryptography systems are functional and inviolable. A mathematical curiosity, but it is a victory for Google itself. Those who kept reiterating that SHA-1 was unstable were right.
