SHA-1 is a cryptographic hashing function we use, among other things, to fingerprint sets of digital data, such as files or digital certificates. These functions are designed to output “unique” fingerprints for individual data sets. Over a decade ago, researchers found weaknesses in the SHA-1 implementation that could allow attackers to find “collisions” easier. A collision is when two different data sets have the same hash. At the time, this was a theoretical weakness that experts felt would be impractical in the real world. Even though the research proved it was computationally easier to find collisions, it would still take a very long time.
Thursday, Google and other Dutch researchers released information about their Shattered SHA-1 attack. Essentially, these researchers have proven that with the right computing infrastructure, well-funded attackers can now practically generate SHA-1 collisions. Watch the video below to learn more about this attack, and what types of systems it could affect.
Episode Runtime: 6:15
Direct YouTube Link: https://www.youtube.com/watch?v=ZaVGtc_xvOE
EPISODE REFERENCES:
- Researchers page for the Shattered Attack – Shattered.it
- Academic whitepaper on the Shattered attack – Shattered.it
- Easy to parse infographic about Shattered – Shattered.it
- Great Forbes article explaining the Shattered Attack – Forbes
- Another article on the SHA-1 attack – Wired
- What is a hash function? – Wikipedia
- Decade old article on original SHA-1 weakness discovery – Schneier.com