SHA-1 is a cryptographic hash algorithm created in 1995 by the NSA, and for a long time it has been widely used to secure data, verify its integrity and ensure the security of Internet connections. However, technology has changed a lot in recent years, and the algorithm has become less and less secure, to the point that the first hash collision has now been produced, showing that it is completely broken. We can say that its official death has arrived today, as a group of researchers from Google and CWI Amsterdam have carried out the first hash collision attack on SHA-1.
This is not the first time SHA-1 has been called unsafe and broken. At the end of 2015 several weaknesses were found in it that, in theory, allowed it to be broken, although proving it would have required a system costing more than $100,000 and several years of computing. Now Google has broken it in practice.
Things have changed between 2015 and this announcement. As our colleagues at ADSL Zone report, yesterday Google made the first SHA-1 hash collision public, demonstrating that the old algorithm is ineffective and provides no security. When we calculate the hash of a file we get a string of hexadecimal characters that, in theory, should be unique. Thanks to this, if a file originally had the hash “abc”, we can check after it is sent over the Internet that the recipient gets the same sum “abc” and not a different one, which would indicate that the file was modified at some intermediate point of the transfer or was downloaded incorrectly.
What Google has done is produce two different files with the same hash, showing that a collision is possible and that this algorithm is now officially broken.
However, the process was not easy and required 9,223,372,036,854,775,808 cycles. While breaking this algorithm by brute force would take more than a year using 12 million graphics cards working at the same time, the new technique needed “only” 110 graphics cards working for a year to reach the result.
In the case of the MD5 algorithm, things are much simpler: it can be broken in just 30 seconds using a simple smartphone.
Fortunately, although Google has just demonstrated the ineffectiveness of this algorithm and left it completely broken, nowadays it is hardly used at all, since there are several revisions, such as SHA-2 and SHA-3, that are totally safe today. In addition, at the end of last year web browsers began blocking these algorithms by default, and many websites, such as Facebook, have even removed them from their servers, as they are totally useless as well as insecure.
Big Internet companies like Google and Microsoft work daily on making connections safer, so little by little everything is moving towards more secure protocols and algorithms, one of today's favorites being SHA-256.
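
The integrity check and the collision described above, as an added example that is not part of the original article. It is not the technique the Google and CWI researchers used: it assumes a toy hash, SHA-1 truncated to 24 bits, so that a simple birthday search finds two different constructed inputs with the same sum in seconds, and it then shows a checker that refuses MD5 and SHA-1 and tells the two inputs apart with SHA-256. All function names and sample contents are hypothetical.

```python
import hashlib
import hmac

WEAK = {"md5", "sha1"}  # algorithms the article describes as broken


def short_sha1(data: bytes, bits: int) -> int:
    """Toy hash (assumption of this example): the first `bits` bits of SHA-1."""
    full = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return full >> (160 - bits)


def find_collision(bits: int = 24):
    """Birthday search: two different inputs whose truncated sums are equal."""
    seen = {}
    counter = 0
    while True:
        msg = b"constructed-file-%d" % counter  # constructed sample content
        tag = short_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg
        counter += 1


def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check that rejects broken algorithms and compares in constant time."""
    if algorithm.lower() in WEAK:
        raise ValueError(f"{algorithm} is not collision resistant; use SHA-256")
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    a, b = find_collision(24)
    print("inputs:", a, b)
    print("same 24-bit sum:", hex(short_sha1(a, 24)), hex(short_sha1(b, 24)))
    published = hashlib.sha256(a).hexdigest()  # sum published by the sender
    print("original accepted:", verify(a, published))
    print("substitute accepted:", verify(b, published))
```

A check based on the truncated sum would accept either input as the original, which is the failure a SHA-1 collision causes for real files; the SHA-256 check accepts only the input whose sum was published.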