February 24, 2017

SHAttered - A SHA-1 hash collision

Carl Leonard Principal Security Analyst

Researchers at Google and CWI have been the first to create a practical collision attack against the SHA-1 cryptographic hash function.  Previously a collision was only possible in theory with the premise that a significant amount of computing power would be necessary to generate a collision.  Now it seems as though that computing power has been harnessed by the team who have named the collision issue “SHAttered”.

Cryptographic hash functions such as SHA-1 are used extensively in applications of data integrity and data storage.  Some applications rely on a cryptographic hash function being collision-resistant, others that it is not possible to generate the input from only knowing the hash.

An example of a SHA-1 hash is: 902D7F9DA0770CAE4830C4774EF7DEC3D6D37A79

Cryptographic hash functions take an input (that could be a file or message) and apply a mathematical function to the input which outputs a fixed-size string unique to the input (often called a hash or digest).  No two files should generate the same hash.
Using limitations in the SHA-1 algorithm and the availability of increased computing power the SHAttered team have found a way to show that two different files can be made to generate the same hash.

Risk assessment

As far as we know the SHAttered team’s research is the first to create a collision using SHA-1.  A proof of concept has been made available on Google’s blog (https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html) which shows two distinct PDFs hashing to the same SHA-1 hash. 
As reported by Google the SHAttered computation required 110 years of GPU computation in comparison to breaking MD5 which could typically take 30 seconds on a smart phone.

Further information

More information can be found on the official website https://shattered.io/
Forcepoint Security Labs will continue to monitor for developments.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.