SHA-1 Encryption Shattered by Google

Hashing Algorithm Already On the Way Out

Google announced this week that a team of its researchers had definitively broken SHA-1, a hashing algorithm that has been widely used across the internet.

A hashing algorithm, or cryptographic hash function, is a mathematical construct used in cybersecurity to validate the authenticity of files.  Using the function, any digital file can be reduced to a ‘digest’ or ‘hash’–a unique representation of that file by a string of characters of set length.  In SHA-1, the hash is 40 characters long.  The key here is that a properly secure algorithm can only generate one unique hash.  So, even if you had two very large files that differed by just one bit of information, they would generate two distinct hashes–verifying that they are, in fact, different files.

What Google’s team did is use some math wizardry to create two different pdfs that generated the same hash using SHA-1.  The risk here is that any checking of a hash for security purposes to validate the authenticity of a file could ‘OK’ a file that is, in fact, not the same–like a malware file, for instance.

The good news is that the major web browser developers have known for a while that SHA-1 is vulnerable and have been phasing out their acceptance of its use as a valid means of authenticating files (including site certification certificates) for the past couple of years.  This week’s news should only speed up that process.

Feature Image via Huffington Post.