One of the most famous Hash Algorithm, the “Secure Hash Algorithm” SHA-1 is finally dead after a team, composed by employee from Google Research and the dutch CWI, demonstrated the first collision on February 23.
Even if SHA-1 was deprecated in 2011 by NIST, because theoretical attacks have been known since 2005, many systems still rely on this algorithm.
These include:
- Digital Certificate signatures
- Email PGP/GPG signatures
- Software vendor signatures
- Software updates
- ISO checksums
- Backup systems
- GIT
Why you should be worried about it?
Google demonstrated that is possible to generate two different documents (in this case PDF) with the same SHA-1 using an attack that relies on Differential cryptoanalysis and is much faster than a bruteforce.
This attack reqired 9,223,372,036,854,775,808 SHA1 computations, the equivalent of 6,500 years of single-CPU computations and 110 years of single-GPU computations.