Security researchers announced the first practical collision attack against the Secure Hash Algorithm-1 cryptographic function.
Security researchers at Google and the CWI Institute in Amsterdam have found a way to crack the Secure Hash Algorithm-1 (SHA-1) cryptographic function.
The two organizations Thursday announced what they described as the first practical collision attack against SHA-1. In other words, they have found a way to mathematically generate identical SHA-1 hashes for two entirely different sets of content, something that should typically never happen with a hash function.
A cryptographic hash is basically an alphanumeric representation of input data. A sentence or a word that goes through a cryptographic hash function comes out as a unique hash value, that is, a fixed-length string of letters and numbers that bears no resemblance to the input data. With a strong hash function, it is almost impossible to reverse the hash value to its original content.
The National Security Agency (NSA) designed the SHA-1 cryptographic hash function 10 years ago. Though Google and others have been warning about its susceptibility to attack, SHA-1 is still widely used for encrypting communication on the Internet and for functions like signing website digital security certificates and software code in order to authenticate them.
The attack that Google and CWI researchers announced this week harnessed Google’s cloud computing infrastructure and was one of the largest computations ever completed, according to the researchers. Finding a collision involved nine quintillion computations in total and took 6,500 years of CPU computation to complete the first phase and an additional 110 years of computation with graphics processing units to complete the second phase.
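To make the idea of a collision concrete, the following added example (not code from Google, CWI or this article) runs a generic birthday search against SHA-1 truncated to a few dozen bits and shows that the two colliding inputs are still told apart by SHA-256. The message format, function names and the 32-bit truncation are assumptions chosen for illustration; the search does not apply to full 160-bit SHA-1.

```python
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of the SHA-1 digest as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def find_truncated_collision(bits: int = 32):
    """Birthday search: hash distinct constructed messages until two of them
    share the same truncated digest. Returns (msg_a, msg_b, attempts)."""
    seen = {}          # truncated digest -> first message that produced it
    counter = 0
    while True:
        msg = b"constructed-sample-%d" % counter   # constructed input
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter + 1
        seen[tag] = msg
        counter += 1


def work_exponent(computations: float) -> float:
    """Express a number of hash computations as a power of two."""
    return math.log2(computations)


if __name__ == "__main__":
    bits = 32
    a, b, attempts = find_truncated_collision(bits)
    print(f"{bits}-bit collision after {attempts} hashes "
          f"(birthday estimate ~2^{bits // 2})")
    print("message A:", a, "\nmessage B:", b)
    print("truncated SHA-1 equal:",
          truncated_sha1(a, bits) == truncated_sha1(b, bits))
    # A verifier that compares only the colliding digest cannot tell A from B;
    # a second, stronger hash still can.
    print("SHA-256 equal:",
          hashlib.sha256(a).digest() == hashlib.sha256(b).digest())
    # Scale: a generic birthday search on the full 160-bit output needs
    # about 2^80 hashes; the article's nine quintillion is about 2^63.
    print(f"nine quintillion ~ 2^{work_exponent(9e18):.1f}")
```

The cost of this generic search doubles with every two bits of digest length, which is why the reported attack, at roughly 2^63 computations, is far cheaper than the roughly 2^80 a brute-force collision search on SHA-1 would need.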