SHA-1 is the oldest of the SHA family of cryptographic algorithms: developed by the NSA, it has been considered theoretically insecure since 2005, and since 2011 its use has not been advisable.
Nevertheless, it is still widely used, even though more secure versions such as SHA-256 are available and giants like Google began in 2014 to withdraw support for this old standard.
And it is precisely from Google that the most serious reason to abandon SHA-1 completely now comes: the Mountain View engineers have in fact managed to "break" the algorithm.
The SHA algorithms are widely used to create password hashes: for example, when you register at a site and enter a password, the site does not store the typed characters in its database but a unique sequence of letters and numbers, called a hash, generated from the password itself.
The method used to generate the hash ensures that one cannot go back from it to the original characters. When the user later wants to log in and enters the password, the system generates a new hash from it and checks that it matches the one in the database: if it does, access is granted.
What Google has managed to do is not to recover the password from the hash. Instead, it produced a collision: it generated two identical hashes from two different PDF files.
To illustrate what was done, Google has created a dedicated website with the two files that give rise to the same hash.
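The difference between a collision and recovering an input from a given hash can be seen in a small experiment. This is an added example, not code from the article or from Google: it uses SHA-1 truncated to 32 bits as a toy stand-in for a weakened hash, and the inputs and function names are constructed for illustration.

```python
import hashlib

WEAK_BYTES = 4  # assumption: SHA-1 cut to 32 bits so the demo finishes quickly


def weak_digest(data: bytes) -> bytes:
    """Toy stand-in for a broken hash: the first WEAK_BYTES bytes of SHA-1."""
    return hashlib.sha1(data).digest()[:WEAK_BYTES]


def find_collision(prefix: bytes = b"constructed-doc-"):
    """Birthday search: any two different inputs with equal weak digests.

    Returns (first_input, second_input, inputs_hashed).
    """
    seen = {}
    n = 0
    while True:
        msg = prefix + str(n).encode()
        n += 1
        digest = weak_digest(msg)
        if digest in seen:
            return seen[digest], msg, n
        seen[digest] = msg


def find_preimage(target: bytes, budget: int, prefix: bytes = b"guess-"):
    """Password-style search: an input hashing to one *given* digest.

    Returns the input, or None if `budget` hashes were not enough.
    """
    for n in range(budget):
        msg = prefix + str(n).encode()
        if weak_digest(msg) == target:
            return msg
    return None


def is_collision_pair(a: bytes, b: bytes) -> bool:
    """Defender's cross-check: weak digests agree but SHA-256 does not."""
    return (a != b and weak_digest(a) == weak_digest(b)
            and hashlib.sha256(a).digest() != hashlib.sha256(b).digest())


if __name__ == "__main__":
    first, second, work = find_collision()
    stored = weak_digest(b"constructed-password")  # what a site would keep
    print("collision after", work, "hashes:", first, second)
    print("flagged by SHA-256 cross-check:", is_collision_pair(first, second))
    print("preimage with same budget:", find_preimage(stored, work))
```

The same amount of work that yields a colliding pair does not yield an input for a chosen stored digest, which is why a collision threatens signatures and integrity checks rather than revealing passwords.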
It is true that achieving this result required considerable computing power: the attack, says Google, took more than 9 trillion SHA calculations, namely "an equivalent computing power of 6,500 years of calculations with a single CPU and 110 years of calculations with a single GPU."
It is nevertheless clear that the very possibility of such a thing undermines the credibility of SHA-1 and makes it necessary to move as soon as possible to one of its more secure successors.
At risk are not only website passwords but also digital certificates, PGP/GPG signatures, credit card transactions, file system integrity checks, and all those cases where secure identification is needed.
It is no coincidence that since January the Google Chrome browser has considered any site protected by SHA-1 insecure, and that Firefox is preparing to do the same.
Before revealing the code used for the attack, Google will wait 90 days, giving those who must upgrade to more secure cryptographic standards time to do so.
