Researchers at Google and CWI are the first to create a practical collision attack against the SHA-1 cryptographic hash function. Previously, a collision was considered possible only in theory, on the premise that a significant amount of computing power would be necessary to generate one. It now appears that this computing power has been harnessed by the team, who have named the collision issue “SHAttered”.
Cryptographic hash functions such as SHA-1 are used extensively in data integrity and data storage applications. Some applications rely on a cryptographic hash function being collision-resistant; others rely on it not being possible to recover the input from the hash alone.
An example of a SHA-1 hash is: 902D7F9DA0770CAE4830C4774EF7DEC3D6D37A79
Cryptographic hash functions take an input (which could be a file or a message) and apply a mathematical function to it, producing a fixed-size string (often called a hash or digest) that is intended to be unique to the input. No two files should generate the same hash.
Using limitations in the SHA-1 algorithm and the availability of increased computing power, the SHAttered team have found a way to show that two different files can be made to generate the same hash.
As far as we know, the SHAttered team’s research is the first to create a collision using SHA-1. A proof of concept has been made available on Google’s blog (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html), which shows two distinct PDFs hashing to the same SHA-1 hash.
As reported by Google, the SHAttered computation required 110 years of GPU computation, in comparison to breaking MD5, which could typically take 30 seconds on a smartphone.
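The following is an added example, not code from the original article or from the SHAttered team. It audits a file store for entries that share a weak digest but differ under SHA-256, which is the condition a collision creates. Because the proof-of-concept PDFs are not embedded here, SHA-1 truncated to 16 bits stands in for a broken hash; `weak16`, `find_collision` and `audit` are hypothetical names and the sample contents are constructed.

```python
import hashlib
from collections import defaultdict


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def weak16(data: bytes) -> str:
    # Constructed stand-in for a broken hash: only the first 16 bits of SHA-1.
    return hashlib.sha1(data).hexdigest()[:4]


def find_collision(weak, prefix: bytes = b"doc-"):
    """Search constructed inputs until two different ones share a digest."""
    seen = {}
    i = 0
    while True:
        msg = prefix + str(i).encode()
        digest = weak(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        i += 1


def audit(files: dict, weak=sha1_hex) -> dict:
    """Map each weak digest to the file names that share it while their
    SHA-256 digests differ. Exact duplicates alone are not reported."""
    groups = defaultdict(lambda: defaultdict(list))
    for name, data in files.items():
        strong = hashlib.sha256(data).hexdigest()
        groups[weak(data)][strong].append(name)
    return {
        digest: sorted(n for names in by_strong.values() for n in names)
        for digest, by_strong in groups.items()
        if len(by_strong) > 1  # same weak digest, different content
    }


if __name__ == "__main__":
    a, b = find_collision(weak16)
    # Constructed store: two colliding documents plus an exact copy of one.
    store = {"a.pdf": a, "b.pdf": b, "copy-of-a.pdf": a}
    print("flagged with 16-bit digest:", audit(store, weak=weak16))
    print("flagged with full SHA-1:   ", audit(store))
```

Run over a real store with the default `weak=sha1_hex`, any non-empty result means two different files share a SHA-1 digest and should be treated as an integrity incident.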
More information can be found on the official website: https://shattered.io/
Forcepoint Security Labs will continue to monitor for developments.