A collaboration between Google’s research unit and a Dutch institute on Thursday cracked a widely used cryptographic technology that has been one of the key building blocks of Internet security.
The algorithm, known as Secure Hash Algorithm 1 or SHA-1, is currently used to verify the integrity of digital files and signatures that secure credit card transactions as well as Git open-source software repositories.
Researchers were able to demonstrate a “collision attack” using two different PDF files with the same SHA-1 fingerprint, but with different visible content, according to a paper published by Amsterdam-based Centrum Wiskunde & Informatica.
“Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3,” according to a post by the collaborators on Google’s security blog.
“For the tech community, our findings emphasise the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure,” the blog post added.