Google shatters SHA-1, prompting calls to pull it from use

Hashing algorithm has already been deprecated by NIST, but some companies still use it

A major cryptographic standard has been broken in practice, leading to calls to hurry efforts to fully pull it from use.

Google revealed that it "shattered" SHA-1, a cryptographic hash function that was deprecated by the National Institute of Standards and Technology in 2011. While it's no longer in wide use, some applications still rely on it, the researchers noted.

Google's security team produced a "collision" with SHA-1, which is when two different pieces of data, such as a document or a website's certificate, are reduced to the same hash digest.

"Hash functions compress large amounts of data into a small message digest," Google explained in a blog post. "As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power."

As SHA-1 has known flaws, it's long been thought to be possible for an attacker to craft such a collision. "The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart," Google added.

Such an attack has long been known to be theoretically possible, but it took two years of work between Google and the CWI Institute in Amsterdam to manage it in practice, which required one of the "largest computations ever completed".

Google used its cloud system to run it, using 6,500 years of CPU computation to complete the first attack phase and 110 years of GPU computation for the second.

"While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical," Google added.

Kevin Bocek, chief cyber-security strategist for Venafi, said the announcement confirms what we already knew: that SHA-1 isn't secure. "This is no longer science fiction," said Bocek. "Unfortunately, despite the dangers, organisations are just not reacting."

While SHA-1's use has been discouraged for years, Venafi's research at the end of last year suggested 35% of organisations were still using certificates based on it.

"The time to eradicate SHA-1 digital certificates is now and it needs to be eradicated everywhere from the public Internet to the deepest parts of private networks and datacenters," he added. "We are already past the SHA-1 deprecation deadline and the longer the problem goes unaddressed, the greater the potential damage that SHA-1 could cause."

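As an added example (not from the article, Google or Venafi), the following standard-library Python check shows one way a defender could flag certificates still signed with SHA-1 by reading the signatureAlgorithm OID from the DER encoding. The function names are illustrative, and the two sample inputs are constructed skeletons rather than real certificates.

```python
import ssl

SHA1_SIG_OIDS = {  # signature algorithms that hash the certificate body with SHA-1
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes to dotted form (first arc 0 or 1, true for the OIDs here)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(cert):
    """Return the outer signatureAlgorithm OID of a DER (bytes) or PEM (str) certificate."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    _, start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE { ... }
    _, _, tbs_end = read_tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, s, e = read_tlv(der, alg_start)      # its first element is the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm OID not found")
    return decode_oid(der[s:e])

def uses_sha1(cert):
    return signature_oid(cert) in SHA1_SIG_OIDS

def _skeleton(oid):
    """Constructed sample, not a real certificate: empty tbsCertificate and signature."""
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return bytes([0x30, len(body)]) + body
SAMPLE_SHA1 = _skeleton(bytes.fromhex("2a864886f70d010105"))    # sha1WithRSAEncryption
SAMPLE_SHA256 = _skeleton(bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
```

To check a live endpoint, pass `uses_sha1` the PEM text returned by `ssl.get_server_certificate((host, port))`.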