

Google's Collision Shakes Up Computer Cryptography
Source: Tom Brant


Google researchers have engineered an extremely rare and invisible collision, but they didn't need the Large Hadron Collider to do it.

That's because their collision isn't atomic, it's cryptographic: after years of trying, Google found a way to crack the SHA-1 cryptographic hash function, a security building block that enables digital signatures and HTTPS encryption.

Cracking SHA-1 requires creating a cryptographic hash collision, which is essentially when a single hash, or "digest," applies to two different files.

"A collision occurs when two distinct pieces of data—a document, a binary, or a website's certificate—hash to the same digest," Google explained in a blog post. "In practice, collisions should never occur for secure hash functions. However if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision."


The danger of a collision is much the same as weak encryption: hackers could exploit it. In this case, they could use a collision to trick a system into accepting a malicious document or other file using the hash of a benign one.

Google's collision comes more than 20 years after SHA-1 was first introduced, and suggests that the standard isn't secure enough to handle sensitive information. To prove their collision, Google's researchers provided two PDFs that have identical SHA-1 hashes but different content.
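The acceptance risk described above, shown as an added example that is not part of the original article or Google's work. It assumes a toy digest (the first 24 bits of SHA-1) so that two colliding documents can be found in milliseconds; the names `weak_digest`, `is_approved` and the sample documents are constructed for illustration.

```python
import hashlib
from itertools import count

TRUNC_BYTES = 3  # assumption: 24-bit toy digest, small enough to collide quickly


def weak_digest(data: bytes) -> str:
    """Toy stand-in for a collision-prone hash: SHA-1 truncated to 24 bits."""
    return hashlib.sha1(data).digest()[:TRUNC_BYTES].hex()


def strong_digest(data: bytes) -> str:
    """Full SHA-256 digest, the replacement the article recommends."""
    return hashlib.sha256(data).hexdigest()


def find_collision():
    """Hash distinct constructed documents until two share a weak digest."""
    seen = {}
    for i in count():
        doc = b"constructed sample document #%d" % i
        digest = weak_digest(doc)
        if digest in seen:
            return seen[digest], doc
        seen[digest] = doc


def is_approved(data: bytes, allowlist: set, digest_fn) -> bool:
    """Integrity check: accept a file only if its digest is on the allowlist."""
    return digest_fn(data) in allowlist


def demo() -> dict:
    doc_a, doc_b = find_collision()
    # Only doc_a was reviewed; its digests are the only allowlist entries.
    weak_allow = {weak_digest(doc_a)}
    strong_allow = {strong_digest(doc_a)}
    return {
        "distinct": doc_a != doc_b,
        "weak_accepts_unreviewed": is_approved(doc_b, weak_allow, weak_digest),
        "strong_accepts_reviewed": is_approved(doc_a, strong_allow, strong_digest),
        "strong_accepts_unreviewed": is_approved(doc_b, strong_allow, strong_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check keyed on the collision-prone digest accepts a document nobody reviewed, while the same check keyed on SHA-256 accepts only the reviewed one.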

"We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256," Google wrote.

Other security experts agree: in light of Google's findings, password management company LastPass said it would be accelerating its retirement of SHA-1. LastPass, the Google Chrome browser, and much of the rest of the Internet are gradually moving to the SHA-256 hash standard.

