posted by Fnord666 on Friday February 24 2017, @04:41AM   Printer-friendly
from the bound-to-happen-eventually dept.

SecurityWeek has an interesting article today about the first real world SHA-1 collision attack.

Researchers at Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands have managed to conduct the first real world collision attack against SHA-1, creating two documents with different content but identical hashes.

SHA-1 was introduced in 1995 and the first attacks against the cryptographic hash function were announced a decade later. Attacks improved over the years and, in 2015, researchers disclosed a method that lowered the cost of an SHA-1 collision to $75,000-$120,000 using Amazon's EC2 cloud over a period of a few months.

Despite steps taken by companies such as Google, Facebook, Microsoft and Mozilla to move away from SHA-1, the hash function is still widely used.

Google and CWI, which is the national research institute for mathematics and computer science in the Netherlands, have now managed to find a collision, demonstrating that these attacks have become increasingly practical. Their technique has been dubbed "SHA-1 shattered" or "SHAttered."

"We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 2^63.1 SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years," experts said in their paper.

While the task still required a large number of computations – nine quintillion (9,223,372,036,854,775,808) to be precise – the SHAttered attack is 100,000 times faster than a brute-force attack.

Google and CWI have announced the first publicly known SHA-1 collision at: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html. The collision is based on a prefix attack and requires 5 orders of magnitude less work to find a collision, when compared to brute force. More information and the actual files are available here: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html and a detection tool here: https://github.com/cr-marcstevens/sha1collisiondetection


  • (Score: 2) by LoRdTAW on Friday February 24 2017, @04:22PM

    EBG13 onol!
