Google has announced that it has cracked the Secured Hash Algorithm 1 (SHA-1) cryptographic function, marking a milestone that spells both danger and opportunity for the computing world.
The unprecedented feat was achieved through the real-world collision attack on the cryptographic algorithm, which led to the production of two PDF files that contain similar SHA-1 signature.
What Is SHA-1?
As a mathematical algorithm, the SHA-1 is capable of transforming a digital object into a hash or its representation. For example, if the algorithm is used to convert or verify an email signature, the SHA-1 will transform it into a string of 40 characters.
The elaborate combination of numbers and the way SHA-1 attaches such strings into digital objects makes it an effective mechanism to authenticate digital files. Here, identical files can have the same SHA-1 hash but two different files cannot be identified with the same string of characters.
However, that is what exactly the researchers at Google were able to achieve. With help from peers at CWI Institute in Amsterdam, they successfully created two different files with the same SHA-1 footprint.
Impact On Security
Google's successful breach is a critical security issue because the SHA-1 function is currently used in financial processes. Specifically, the algorithm is said to be still widely used to validate credit card transactions. It is also employed to verify electronic documents and software updates.
"It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file," the webpage dedicated to the initiative explained.
Google cited a specific example to demonstrate the breach's impact. When one creates a rental agreement that involves a digital signature, it is now possible for one of the parties to create another rental agreement with different clauses or provisions but with the same valid signature.
To be fair, SHA-1, which was developed back in 1995, has already been labeled as unsafe. This was highlighted back in 2011 when the U.S. National Institute of Standards and Technology officially deprecated the algorithm especially in transactions conducted in federal agencies. Some companies have also followed suit especially after incidents involving the SHA-1 vulnerability affected even Apple. The algorithm was also partly blamed for the Dropbox hack that exposed 68 million user accounts.
Again, many companies still use it even after such bans. For example, Mozilla has allowed Symantec last year to issue a SHA-1 certificate to Worldpay just to accommodate more than 10,000 payment terminals that have not been upgraded. These terminals were given the green light to communicate with servers that process consumer transactions.
According to Google, many applications also still use the algorithm and it hopes that its practical attack will serve as an opportunity for the industry to adopt safer alternatives. In the meantime, you can protect yourself from risk by using Chrome for your transactions because the browser automatically treats those with SHA-1 certificates as insecure.