The most significant danger for a hash algorithm is when a “collision”—which happens when two different pieces of data produce the same hash value—occurs. While the theoretical chances of a SHA1 collision have been covered before, there have been no reports of an actual collision until recently.
A cryptographic hash function can be compared to a person’s fingerprint. Theoretically, each piece of data comes with its own unique identifiable hash value, so even seemingly similar files that have minute differences would still have different hashes. A SHA1 collision is similar to a person “copying” another person’s fingerprints, then using the copied fingerprints to gain access to areas or files that require biometric data.
In the case of a SHA1 collision, HTTPS websites that use SHA1 certificates will be vulnerable to attacks that duplicate a specific digital data’s SHA1 hash value. Seemingly “secure” websites that are protected by the HTTPS protocol might turn out not to be safe at all, making the content of these sites susceptible to man-in-the-middle attacks.
While the SHA1 collision is definitive proof that the algorithm can be compromised, it still took Google and CWI’s researchers a massive amount of computing power (nine quintillion SHA1 or 6,500 CPU and 110 GPU years’ worth of computations) despite all the technology available to them. This means that these kinds of attacks will be relatively rare since they require a large amount of resources. Still, with computational power simultaneously becoming more powerful and more affordable, the chances of these kinds of attacks happening only increase with time. As such, security professionals need to be prepared for potential scenarios involving actual SHA1 collision attacks.
Google has announced that the source code used in the attack will be published in 90 days, essentially giving websites that still use the SHA1 algorithm a deadline for migrating to more secure hash algorithms such as SHA256 and SHA3.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).