For years, the SHA-1 algorithm served as one of the encryption backbones of the internet. It was used in a number of applications, including SSL/TLS, which secures the data traveling between a user’s browser and the website, and S/MIME, a protocol to encrypt email. Earlier this year, however, Google announced that a research team had proven that it was no longer secure, and have a website called shattered.io with their proof of work. How did they do it?
First, a little background on SHA-1: the algorithm works by taking a message and hashing it down to a 160-bit digest, regardless of how large the message was to begin with. At the advent of SHA-1 in the nineties, computers did not have enough power or speed to “brute force” the decryption of the algorithm, and so SHA-1 was considered to be very secure. NIST mandated that it be the standard for government use. As computers improved, it became apparent that SHA-1 was vulnerable to a collision, which is what happens when two different messages are hashed to the same value. As early as 2005, noted cryptologist Bruce Schneier reported that a theoretical attack had been demonstrated.
Luckily, both NIST and major technology corporations have paid attention to these developments, and in the early 2000’s, NIST approved a new algorithm family to replace SHA-1. Called SHA-2, it includes SHA-256, which is supported by most operating systems and browsers, and is set to be the widespread replacement option for companies updating their SHA-1 systems. Over the past few years, companies like Google and Microsoft have begun the process of “sunsetting” support for SHA-1, in anticipation of a proof of insecurity.
Flash forward to 2017, when Google announced they had achieved a collision. Using two different PDF files, they were able to generate the same hashed values for both. That means that you can no longer be confident that a document or file encrypted with SHA-1 has not been tampered with. Since the files could be completely different, but result in the same hashed value, an attacker could slip in a false version of a document, with the user none the wiser. Fortunately, enough work has been done, with a number of systems already up and running with the very secure SHA-256 algorithm, that the average user does not need to worry about the end of SHA-1 on a practical level.