Google Announces First Practical SHA1 Collision
While SHA1 is still much better off than MD5, developers really should think about moving to SHA256 or other crypto hashes with Google now demonstrating the first SHA1 collision.
Google today announced the first practical technique for generating a SHA1 collision where two files could have different contents yet generate an identical SHA1 hash.
Though it's still not too easy to come by such an attack: Google's SHA1 "shattered" attack takes 110 GPUs one year of work to produce a collision while a SHA1 bruteforce attack on the other hand would take 12 million GPUs and a year worth of work.
In 90 days, Google will release its code that allows people to create a pair of PDFs that hash to the same SHA1 sum but there are some pre-conditions.
Those interested in Crypto can read Google's announcement this morning via their security blog or as with most disclosures they have come up with a cute name and website: Shattered.io.
Google today announced the first practical technique for generating a SHA1 collision where two files could have different contents yet generate an identical SHA1 hash.
Though it's still not too easy to come by such an attack: Google's SHA1 "shattered" attack takes 110 GPUs one year of work to produce a collision while a SHA1 bruteforce attack on the other hand would take 12 million GPUs and a year worth of work.
In 90 days, Google will release its code that allows people to create a pair of PDFs that hash to the same SHA1 sum but there are some pre-conditions.
Those interested in Crypto can read Google's announcement this morning via their security blog or as with most disclosures they have come up with a cute name and website: Shattered.io.
34 Comments