Google’s Collision Shakes Up Computer Cryptography – PC Magazine

A cryptographic hash collision suggests the SHA-1 standard, used to authenticate documents, can be hacked.

Google researchers have engineered an extremely rare and invisible collision, but they didn't need the Large Hadron Collider to do it.

That's because their collision isn't atomic, it's cryptographic: after years of trying, Google found a way to crack the SHA-1 cryptographic hash function, a security building block that enables digital signatures and HTTPS encryption.

Cracking SHA-1 requires creating a cryptographic hash collision, which is essentially when a single hash, or "digest," applies to two different files.

"A collision occurs when two distinct pieces of data (a document, a binary, or a website's certificate) hash to the same digest," Google explained in a blog post. "In practice, collisions should never occur for secure hash functions. However if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision."

The danger of a collision is much the same as weak encryption: hackers could exploit it. In this case, they could use a collision to trick a system into accepting a malicious document or other file using the hash of a benign one.

Google's collision comes more than 20 years after SHA-1 was first introduced, and suggests that the standard isn't secure enough to handle sensitive information. To prove their collision, Google's researchers provided two PDFs that have identical SHA-1 hashes but different content.

"We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256," Google wrote.

Other security experts agree: in light of Google's findings, password management company LastPass said it would be accelerating its retirement of SHA-1. LastPass, the Google Chrome browser, and much of the rest of the Internet are gradually moving to the SHA-256 hash standard.
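The risk described above, as an added example (not code from the article or from Google's research): a check that pins a file to a weak digest accepts a different file that collides with it, while a SHA-256 pin rejects it. Because the colliding PDFs are not reproduced on this page, the `keep` truncation parameter stands in for SHA-1's weakness; it, the function names and the sample documents are assumptions constructed for the demo.

```python
import hashlib
from collections import defaultdict

def digest(data, algo, keep=None):
    """Hex digest of data; `keep` truncates it to model a broken hash (demo assumption)."""
    h = hashlib.new(algo, data).hexdigest()
    return h[:keep] if keep else h

def find_collisions(files, weak="sha1", strong="sha256", keep=None):
    """Map weak digest -> sorted names, for digests shared by files whose content differs."""
    buckets = defaultdict(lambda: defaultdict(list))
    for name, data in files.items():
        buckets[digest(data, weak, keep)][digest(data, strong)].append(name)
    return {w: sorted(n for names in by_strong.values() for n in names)
            for w, by_strong in buckets.items() if len(by_strong) > 1}

def accepts(data, pinned, algo, keep=None):
    """Integrity check as a verifier performs it: compare against a pinned digest."""
    return digest(data, algo, keep) == pinned

# Constructed sample data: 300 distinct documents plus one byte-identical copy.
SAMPLES = {f"doc-{i}.pdf": f"constructed document {i}".encode() for i in range(300)}
SAMPLES["doc-0-copy.pdf"] = SAMPLES["doc-0.pdf"]

def demo():
    # Full SHA-1 over ordinary data: nothing collides, and identical copies are not flagged.
    full = find_collisions(SAMPLES)
    # 8-bit truncation: 300 distinct inputs into 256 buckets are guaranteed to collide.
    weak = find_collisions(SAMPLES, keep=2)
    pinned_weak, names = sorted(weak.items())[0]
    benign = SAMPLES[names[0]]
    other = next(SAMPLES[n] for n in names if SAMPLES[n] != benign)
    return {
        "full_sha1_collisions": full,
        "weak_groups": len(weak),
        "weak_pin_accepts_other": accepts(other, pinned_weak, "sha1", keep=2),
        "sha256_pin_accepts_other": accepts(other, digest(benign, "sha256"), "sha256"),
    }

if __name__ == "__main__":
    print(demo())
```

Running `find_collisions` over a real file store with the default arguments flags any set of files that share a SHA-1 digest but differ under SHA-256.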

Tom is PCMag's San Francisco-based news reporter. He got his start in technology journalism by reviewing the latest hard drives, keyboards, and much more for PCMag's sister site, Computer Shopper. As a freelancer, he's written on topics as diverse as Borneo's rain forests, Middle Eastern airlines, and big data's role in presidential elections. A graduate of Middlebury College, Tom also has a master's journalism degree from New York University. Follow him on Twitter @branttom.
