A cryptographic hash collision suggests the SHA-1 standardused to authenticate documentscan be hacked. <\/p>\n
Google researchers have engineered an extremely rare and invisible collision, but they didn't need the Large Hadron Collider to do it. <\/p>\n
That's because their collision isn't atomic, it's cryptographic: after years of trying, Google found a way to crack the SHA-1 cryptographic hash function, a security building block that enables digital signatures and HTTPS encryption. <\/p>\n
Cracking SHA-1 requires creating a cryptographic hash collision, which is essentially when a single hash, or \"digest\" applies to two different files. <\/p>\n
\"A collision occurs when two distinct pieces of dataa document, a binary, or a website's certificatehash to the same digest,\" Google explained in a blog post. \"In practice, collisions should never occur for secure hash functions. However if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision.\" <\/p>\n
The danger of a collision is much the same as weak encryption: hackers could exploit it. In this case, they could use a collision to trick a system into accepting a malicious document or other file using the hash of a benign one. <\/p>\n
Google's collision comes more than 20 years after SHA-1 was first introduced, and suggests that the standard isn't secure enough to handle sensitive information. To prove their collision, Google's researchers provided two PDFs that have identical SHA-1 hashes but different content. <\/p>\n
\"We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256,\" Google wrote. <\/p>\n
Other security experts agree: in light of Google's findings, password management company LastPass said it would be accelerating its retirement of SHA-1. LastPass, the Google Chrome browser, and much of the rest of the Internet is gradually moving to the SHA-256 encryption standard. <\/p>\n
Tom is PCMag's San Francisco-based news reporter. He got his start in technology journalism by reviewing the latest hard drives, keyboards, and much more for PCMag's sister site, Computer Shopper. As a freelancer, he's written on topics as diverse as Borneo's rain forests, Middle Eastern airlines, and big data's role in presidential elections. A graduate of Middlebury College, Tom also has a master's journalism degree from New York University. Follow him on Twitter @branttom. More <\/p>\n
<\/p>\n