On February 23rd, a joint team from the Dutch CWI University and Google announced that they had generated the first ever collision in the SHA-1 cryptographic hashing algorithm. This industry standard is used in digital signatures and for file integrity verification, which secure credit card transactions, electronic documents. Another application is the usage of SHA-1 in signing of certificates and auto-signing of a Root CA.

What is SHA-1?

SHA-1 is a hash function used to calculate a fixed length binary string that serves as a message digest of a file or a piece of data. Lots of software uses this type of hashing function and relies on the collision-resistance property to verify that the contents of the original message haven’t been corrupted or tampered with. It should be unique and help prove the integrity of a file.

Diagram illustrating how a simple digital signature’s hash is applied and verified.

Collision attack

SHA-1 has long been considered theoretically insecure by cryptanalysts due to weaknesses in the algorithm design, but this marks the first time researchers were actually able to demonstrate a real-world example of the insecurity. Although its security weaknesses have been recognised for some time, SHA-1 has continued to be used because a real-life attack on the standard was believed to be too difficult and expensive. However, the research team said they have now successfully demonstrated the first practical “collision attack” on the SHA-1 function.

What is a cryptographic hash collision?

A collision occurs when two distinct pieces of data hash to the same digest. In practice, collisions should never occur for secure hash functions. However, if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision. The attacker could then use this collision to deceive systems that rely on hashes for file integrity into accepting a malicious file in place of its benign counterpart.

For example, two contracts with substantially different financial fees. An errant individual or third party, for example, could use two colliding contracts to trick another party into digitally signing a higher-value contract. The seller could later claim the purchaser signed a contract with drastically different terms and a much higher price.

On the research

Here are some numbers that give a sense of how large scale this computation was: As many as 6,500 years of CPU computation were required to complete the first phase of attack and 110 years of GPU computation for the second phase. During these phases, researchers ran more than 9 quintillion different SHA-1 computations in total. In 90 days, the Google and CWI researchers plan to disclose the code they used to generate the colliding PDF files, which will allow others to create similar collisions, if they have the necessary computing resources.

Migration plan to switch towards SHA-2 or SHA-3

The inevitable demise of the algorithm looms at a time when many organisations still rely on SHA-1. At AET, we suggest businesses should urgently move from SHA-1 to safer alternatives such as SHA-2 or SHA-3. This does not merely imply for digital signing of documentation, but also for (auto) signing of certificates and Certification Authorities. Nevertheless, AET also recommends that when transitioning to the safer alternative organisations carefully plan and execute this transition, including checking the compatibility of existing applications and services with the new algorithm.

Source images: Wikimedia, Google Blog