SoylentNews is people

Merge: Fnord666 (02/23 22:45 GMT)

Accepted submission by Fnord666 at 2017-02-23 22:45:56
News

First Real World SHA-1 Collision Attack Conducted by Google, CWI

SecurityWeek has an interesting article today about the first real world SHA-1 collision attack [securityweek.com].

Researchers at Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands have managed to conduct the first real world collision attack against SHA-1, creating two documents with different content but identical hashes.

SHA-1 was introduced in 1995 and the first attacks against the cryptographic hash function were announced a decade later. Attacks improved over the years and, in 2015, researchers disclosed a method that lowered the cost of an SHA-1 collision [securityweek.com] to $75,000-$120,000 using Amazon's EC2 cloud over a period of a few months.

Despite steps taken by companies such as Google, Facebook, Microsoft and Mozilla to move away from SHA-1, the hash function is still widely used [securityweek.com].

Google and CWI, which is the national research institute for mathematics and computer science in the Netherlands, have now managed to find a collision, demonstrating that these attacks have become increasingly practical. Their technique has been dubbed "SHA-1 shattered" or "SHAttered."

"We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. In total the computational effort spent is equivalent to 2^63.1 SHA-1 compressions and took approximately 6 500 CPU years and 100 GPU years," experts said in their paper [shattered.it].

While the task still required a large number of computations – nine quintillion (9,223,372,036,854,775,808) to be precise – the SHAttered attack is 100,000 times faster than a brute-force attack.

First public SHA-1 collision found

Google and CWI have announced the first publicly known SHA-1 collision at: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html [googleblog.com]. The collision is based on a prefix attack and requires 5 orders of magnitude less work to find a collision, when compared to brute force. More information and the actual files are available here: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html [googleblog.com] and a detection tool here: https://github.com/cr-marcstevens/sha1collisiondetection [github.com].

