Michael Talks Tech

Google Cracks SHA-1

A couple of weeks ago Google published a report stating that they had managed to crack SHA-1 (Secure Hash Algorithm 1). This hash function was originally developed by the NSA in 1993, and it is still used by a lot of websites today. Much newer versions offer a lot more security, because the maths and computing power needed to crack them is even greater, but they have not been as widely adopted.

The issue with the hash collision is that the idea behind SHA-1 was essentially that each file would be given a unique header. In 1993, when it was first developed, the foresight that there could potentially be a collision would have seemed impossible, given the amount of computing power required to even entertain it and the fact that PC and computer use was nowhere near as common as it is today. Although Google has managed to force a collision, with 2 items having the same SHA-1 hash, it took them 2 years with support from the University of Amsterdam. Given the combined resources and computing power of a university and Google, the fact that it took them 2 years means that, as an out-and-out security vulnerability, it is not all that feasible that a hacker would be able to force a collision and potentially cause damage.

Source: Google Security Blog

Another reason this isn’t too much of a concern to the integrity of cyber security, in my opinion, is that SHA-2 is readily available and already deployed, meaning that even if the collision can be simulated again in much less time, there is a very accessible upgrade path that will offer much greater security and will not lead to a gap between SHA-1 being vulnerable and SHA-2 being developed.
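To make the idea of a collision and the SHA-2 upgrade path concrete, here is an added example (not from the original post or from Google's research). It shortens SHA-1 to 3 bytes so that two different inputs with the same shortened hash can be found in well under a second, then shows that a SHA-256 comparison still tells them apart. The function names and the sample messages are constructed for illustration.

```python
import hashlib
from itertools import count


def sha1_prefix(data: bytes, nbytes: int) -> bytes:
    """First nbytes of the SHA-1 digest (a deliberately weakened hash)."""
    return hashlib.sha1(data).digest()[:nbytes]


def find_truncated_collision(nbytes: int = 3):
    """Birthday search for two different messages whose truncated
    SHA-1 values match. Returns (msg_a, msg_b, messages_hashed)."""
    seen = {}  # truncated digest -> first message that produced it
    for i in count():
        msg = b"constructed-sample-%d" % i  # constructed input, not real data
        tag = sha1_prefix(msg, nbytes)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


def same_content(a: bytes, b: bytes) -> bool:
    """Integrity check on the upgrade path: compare SHA-256 digests."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


if __name__ == "__main__":
    a, b, hashed = find_truncated_collision(3)
    print("messages hashed:", hashed)
    print("a:", a, "b:", b)
    print("24-bit SHA-1 tags equal:", sha1_prefix(a, 3) == sha1_prefix(b, 3))
    print("SHA-256 says same content:", same_content(a, b))
```

A generic birthday search needs roughly 2^(n/2) hashes for an n-bit output, which is why the 24-bit version falls after a few thousand tries while the full 160-bit hash does not yield to this kind of search.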

The creator of both Linux and Git was warned about the possible vulnerability with SHA-1 in 2005 and proceeded to continue using it for Git. This is because he felt it would be far too expensive, and Git has layered security, meaning that one layer might be compromised but that isn’t the end game.

In my opinion, although it has been cracked in an experimental setting, it would not be as accessible to do for malicious purposes unless it was a state-sponsored attack, because the resources and time required are not anywhere close to where hackers would feel it a useful tool. Furthermore, companies such as Google and Microsoft already use SHA-256, so your average Joe who uses YouTube and Gmail will have nothing to worry about in regards to their online privacy and security.

 
