An association between Google’s research unit and a Dutch institute on cracked a widely used cryptographic technology that has been one of the key edifice blocks of Internet security.
Researchers out to demonstrate inherent flaws in the SHA-1 internet security standard broadcast they had broken the legacy cryptographic algorithm using a so-called collision attack.
The algorithm, known as Secure Hash Algorithm 1 or SHA-1, is now used to verify the integrity of signature and digital files that safe credit card transactions as well as Git open-source software repositories.
Researchers were able to show a “collision attack” using two altered PDF files with the same SHA-1 fingerprint, but with diverse visible content, according to a paper available by Amsterdam-based Centrum Wiskunde & Informatica.
“Moving forward, it’s more urgent than ever for security experts to migrate to safer cryptographic confusions such as SHA-256 and SHA-3,” according the Google’s security blog.
For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has supported the deprecation of SHA-1 for many years, mainly when it comes to signing TLS certificates. As early as, the Chrome team broadcast that they would progressively phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no slower be considered safe.