SHAttered

[Figure: SHA-1 collision illustration]

For years, the SHA-1 algorithm served as one of the cryptographic backbones of the internet. It was used in a number of applications, including SSL/TLS, which secures the data traveling between a user's browser and the website, and S/MIME, a protocol to encrypt email. Earlier this year, however, Google announced that a research team had proven that it was no longer secure, and published their proof on a website called shattered.io. How did they do it?

First, a little background on SHA-1: the algorithm works by taking a message and hashing it down to a 160-bit digest, regardless of how large the message was to begin with. At the advent of SHA-1 in the nineties, computers did not have enough power or speed to find collisions in the algorithm by brute force, and so SHA-1 was considered to be very secure. NIST mandated it as the standard for government use. As computers improved, it became apparent that SHA-1 was vulnerable to a collision, which is what happens when two different messages hash to the same value. As early as 2005, noted cryptologist Bruce Schneier reported that a theoretical attack had been demonstrated.
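To make the two ideas in that paragraph concrete (a digest is always 160 bits however long the input is, and a collision is two different inputs with the same digest), here is an added example in Python; it is not code from the original article or from the SHAttered researchers. It also shows why collision-finding cost depends on digest length: a birthday search over a hash truncated to a small number of bits succeeds after roughly 2**(bits/2) attempts, which is what "not enough power or speed" meant for a full 160-bit digest in the nineties. The message format "msg-<n>" and the 24-bit truncation are constructed for the demonstration.

```python
import hashlib


def sha1_hex(message: bytes) -> str:
    """Return the SHA-1 digest of an input of any length as 40 hex characters (160 bits)."""
    return hashlib.sha1(message).hexdigest()


def digest_bits(message: bytes) -> int:
    """Size of the SHA-1 digest in bits; it is 160 no matter how long the message is."""
    return len(hashlib.sha1(message).digest()) * 8


def is_collision(a: bytes, b: bytes) -> bool:
    """A collision is two *different* messages that hash to the *same* full digest."""
    return a != b and sha1_hex(a) == sha1_hex(b)


def find_truncated_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Birthday search for two messages whose SHA-1 digests agree on their first `bits` bits.

    Constructed messages "msg-0", "msg-1", ... are hashed in turn and the truncated
    digest is remembered; the first repeat is a collision on the truncated hash.
    Returns (message_1, message_2, number_of_hashes_computed). The expected cost is
    about 2**(bits/2) hashes, so 24 bits falls in a few thousand hashes while the
    full 160 bits would take on the order of 2**80, far beyond brute force.
    """
    if bits % 4 != 0 or bits <= 0:
        raise ValueError("bits must be a positive multiple of 4 (hex nibbles)")
    seen: dict[str, bytes] = {}  # truncated digest -> first message that produced it
    n = 0
    while True:
        m = f"msg-{n}".encode()
        prefix = sha1_hex(m)[: bits // 4]
        if prefix in seen:
            return seen[prefix], m, n + 1
        seen[prefix] = m
        n += 1


if __name__ == "__main__":
    short = b"hello"
    huge = b"x" * 1_000_000  # one megabyte of input still yields a 160-bit digest
    print("digest bits:", digest_bits(short), digest_bits(huge))
    m1, m2, trials = find_truncated_collision(24)
    print(f"24-bit truncated collision after {trials} hashes: {m1!r} and {m2!r}")
    print("full 160-bit digests still differ:", not is_collision(m1, m2))
```

The truncated collision is found quickly, but `is_collision(m1, m2)` on the full digest stays `False`: the two messages agree only on the first 24 bits. The SHAttered result is an attack on the full 160-bit digest, which brute force alone could not reach; it needed the cryptanalytic shortcuts the researchers describe.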

Luckily, both NIST and major technology corporations have paid attention to these developments, and in the early 2000s NIST approved a new algorithm family to replace SHA-1. Called SHA-2, it includes SHA-256, which is supported by most operating systems and browsers and is set to be the widespread replacement for companies updating their SHA-1 systems. Over the past few years, companies like Google and Microsoft have begun "sunsetting" support for SHA-1 in anticipation of a proof of insecurity.

Flash forward to 2017, when Google announced they had achieved a collision: two different PDF files that produce the same SHA-1 hash. That means you can no longer be confident that a document or file whose integrity is protected with SHA-1 has not been tampered with. Since the files can be completely different yet produce the same hash, an attacker could slip in a false version of a document with the user none the wiser. Fortunately, enough work has been done, with a number of systems already up and running on the far stronger SHA-256 algorithm, that the average user does not need to worry about the end of SHA-1 on a practical level.
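What "updating their SHA-1 systems" looks like in code is a small integrity verifier that records which algorithm a stored fingerprint was made with and refuses to accept SHA-1 at all, so a swapped-in colliding document cannot pass on the strength of a matching SHA-1 value. The following is an added Python example, not code from the article or from Google; the manifest format, the `publish`/`verify` functions and the sample documents are constructed for the demonstration.

```python
import hashlib
import hmac

# Algorithms still acceptable for integrity fingerprints. SHA-1 and MD5 are left
# out on purpose so that any manifest entry relying on them is rejected outright.
APPROVED = {
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Deprecated algorithms we still recognise, so the rejection reason can name them.
DEPRECATED = {"sha1", "md5"}


def fingerprint(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of `data` under an approved algorithm (default SHA-256)."""
    if algorithm not in APPROVED:
        raise ValueError(f"{algorithm} is not an approved fingerprint algorithm")
    return APPROVED[algorithm](data).hexdigest()


def publish(data: bytes, algorithm: str = "sha256") -> dict:
    """Manifest entry a publisher would store alongside a document (constructed format)."""
    return {"algorithm": algorithm, "digest": fingerprint(data, algorithm)}


def verify(data: bytes, entry: dict) -> tuple[bool, str]:
    """Check `data` against a manifest entry. Returns (accepted, reason).

    The algorithm is checked before any digest is compared: a SHA-1 entry is refused
    even if its digest would match, because two different files can share a SHA-1.
    """
    algorithm = str(entry.get("algorithm", "")).lower()
    if algorithm in DEPRECATED:
        return False, f"{algorithm} fingerprints are no longer accepted (collisions are practical)"
    if algorithm not in APPROVED:
        return False, f"unknown fingerprint algorithm: {algorithm!r}"
    actual = fingerprint(data, algorithm)
    # Constant-time comparison avoids leaking how many leading characters matched.
    if hmac.compare_digest(actual, str(entry.get("digest", "")).lower()):
        return True, "ok"
    return False, "digest mismatch: content differs from the published version"


def migrate_entry(data: bytes, entry: dict) -> dict:
    """Re-fingerprint a document whose stored entry used a deprecated algorithm.

    The caller must obtain `data` from a trusted source (the original publisher),
    since a SHA-1 match alone can no longer prove it is the genuine document.
    """
    if str(entry.get("algorithm", "")).lower() in DEPRECATED:
        return publish(data, "sha256")
    return entry


if __name__ == "__main__":
    genuine = b"Contract: pay 100 units to Alice. (constructed sample document)"
    forged = b"Contract: pay 100 units to Mallory. (constructed sample document)"

    legacy_entry = {"algorithm": "sha1", "digest": hashlib.sha1(genuine).hexdigest()}
    print("legacy SHA-1 entry:", verify(genuine, legacy_entry))

    modern_entry = migrate_entry(genuine, legacy_entry)
    print("after migration:", modern_entry["algorithm"], verify(genuine, modern_entry))
    print("forged document:", verify(forged, modern_entry))
```

The point of refusing SHA-1 before comparing digests is that a verifier cannot tell a genuine SHA-1 match from a colliding one; only moving the stored fingerprint to SHA-2, from a copy of the document obtained through a trusted channel, restores the guarantee that a matching digest means unchanged content.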