Researchers break once-standard identification algorithm

Researchers at Google and the Amsterdam-based research center CWI have developed a first-of-its-kind technique to trick a common verification algorithm known as SHA-1.

SHA-1 provides a signature used to verify that files have not been tampered with and prove that websites are not being impersonated. SHA-1 is out of favor in the computer world — most programmers now implement the newer algorithms — but was used for a long enough time that many sites and products still make use of it. 

The technique, which the researchers are calling “SHAttered,” is what is known as a collision attack: a way of manufacturing items that produce the same signature as an item attackers are trying to mimic. 

Companies like Google and even United States government agencies like the National Institute of Standards and Technology have long advocated that websites drop SHA-1. Google’s web browser Chrome no longer recognizes SHA-1 as a valid security technique.

The SHAttered attack is around 100,000 times faster than brute force, that is, trying to guess all the possible inputs fed into SHA-1 to create signatures. But SHAttered is still a resource-intensive attack. While it might be practical for a malicious government, it requires too much computational power for normal computers.
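The collision idea described above can be seen on a small scale in the following added example, which is not code from the researchers or from this article. It assumes a deliberately weakened check that keeps only the first 32 bits of SHA-1 (the names `weak_tag`, `strong_tag` and the sample messages are constructed for illustration), so a generic search finishes in seconds, and it shows that a verifier relying on the weak signature accepts a different file while SHA-256 rejects it.

```python
import hashlib
import hmac
from itertools import count

TRUNC_BYTES = 4  # assumption: keep 32 bits of SHA-1 so a generic search is cheap


def weak_tag(data: bytes) -> bytes:
    """SHA-1 cut to TRUNC_BYTES; stands in for a hash with affordable collisions."""
    return hashlib.sha1(data).digest()[:TRUNC_BYTES]


def strong_tag(data: bytes) -> bytes:
    """SHA-256, one of the newer algorithms that replaced SHA-1."""
    return hashlib.sha256(data).digest()


def find_collision(prefix: bytes = b"constructed-sample-"):
    """Generic search: hash distinct inputs until two share a tag.

    Returns (msg_a, msg_b, attempts). Expected work is about 2**(bits/2).
    """
    seen = {}
    for i in count():
        msg = prefix + str(i).encode()
        tag = weak_tag(msg)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg


def verify(data: bytes, expected: bytes, hasher) -> bool:
    """Integrity check as a download or signature verifier would perform it."""
    return hmac.compare_digest(hasher(data), expected)


def demo() -> dict:
    original, lookalike, attempts = find_collision()
    return {
        "attempts": attempts,
        "distinct": original != lookalike,
        # The published signature of `original` also validates `lookalike`.
        "weak_accepts_lookalike": verify(lookalike, weak_tag(original), weak_tag),
        "strong_accepts_lookalike": verify(lookalike, strong_tag(original), strong_tag),
    }


if __name__ == "__main__":
    print(demo())
```

The same generic search against the full 160-bit SHA-1 output would take on the order of 2^80 hash computations, which is the brute-force baseline that SHAttered improves on.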

Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.