The CWI Institute and Google have successfully demonstrated a practical SHA-1 collision attack by publishing two unique PDF files that produce the same hash value.
TL;DR Researchers published a technique for causing SHA-1 collisions and demonstrated it by providing two unique PDF documents that produced the same SHA1 hash value.
Secure Hash Algorithm 1 or SHA-1 is a cryptographic hash function designed by the United States National Security Agency and released in 1995. The algorithm was widely adopted in the industry for digital signatures and data integrity purposes. For example, applications would use SHA-1 to convert plain-text passwords into a hash that would be useless to a hacker, unless of course, the hacker could reverse engineer the hash back into the original password, which they could not. As for data integrity, a SHA-1 hash ensured that no two files would have the same hash, and even the slightest change in a file would result in a new, completely unique hash.
According to Wikipedia, the ideal cryptographic hash function has five main properties:
- It is deterministic so the same message always results in the same hash.
- It is quick to compute the hash value for any given message.
- It is infeasible to generate a message from its hash value except by trying all possible messages.
- A small change to a message should change the hash value so extensively that the new hash value appears uncorrelated with the old hash value.
- It is infeasible to find two different messages with the same hash value.
In 2005, researchers discovered potential vulnerabilities in the SHA-1 algorithm and by 2010 many organizations stopped it as it was deemed insecure. The potential vulnerabilities had not been proven, until today, when CWI Institute and Google demonstrated a practical collision attack against SHA-1. The researchers were able to provide two unique PDF files that produced the same exact SHA-1 hash value.
The team published a practical technique showing how to generate a collision bringing the fears that SHA-1 was insecure to reality. The technique outlined required years of research and immense computation resources. From the research published, it would take a cluster of 110 powerful GPU’s running computations 24 hours a day for an entire year to cause a collision, or about 6,500 years on a single-CPU. So while this attack vector is fairly impractical, it is not impossible.
This is a big deal because even though many organization have stopped using SHA-1, underlying systems still often rely on SHA-1. Software updates, ISO checksums, PGP signatures, digital certificate signatures, git, and others still make use of SHA-1 for data integrity. If a malicious party were able to create a collision for a popular piece of software for example, and distributed it on the web, they could infect many unsuspecting users causing all sorts of damage.
On the bright side, the typical user does not have to worry too much. Certification Authorities are forbidden from issuing SHA-1 certificates, and Google and Mozilla will warn users accessing HTTPS websites that use SHA-1 signed certificates. More and more organizations are using safer alternatives like SHA-256 for their cryptographic needs. Additionally, since the published attack vector has only been proven with PDF files, the team created a website, shattered.io, which allows you to test your PDF files and see if they could have been compromised.
For most, security is not actively thought about, but for us at Auth0, security is the only thing we think about. Ok, not the only thing, but it’s up there. In addition to embracing open authentication standards like OAuth and OpenID, we follow industry standards and best practices for security and when this popped up on our radar we just had to share it. Learn more about our security practices here.