SHA-1 is broken, long live SHA-3

One of the most famous hash algorithms, the “Secure Hash Algorithm” SHA-1, is finally dead after a team composed of employees from Google Research and the Dutch CWI demonstrated the first collision on February 23.


Even though SHA-1 was deprecated by NIST in 2011, because theoretical attacks have been known since 2005, many systems still rely on this algorithm.

These include:

  • Digital Certificate signatures
  • Email PGP/GPG signatures
  • Software vendor signatures
  • Software updates
  • ISO checksums
  • Backup systems
  • Git

Why should you be worried about it?

Google demonstrated that it is possible to generate two different documents (in this case PDFs) with the same SHA-1 hash, using an attack that relies on differential cryptanalysis and is much faster than brute force.

This attack required 9,223,372,036,854,775,808 SHA-1 computations, the equivalent of 6,500 years of single-CPU computations and 110 years of single-GPU computations.
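Because a matching SHA-1 digest no longer proves that two files are identical, checksum-based systems such as the ISO checksums listed above should rest on a stronger hash. The Python code below is an added example, not part of the original post: it audits a checksum manifest for files covered only by MD5 or SHA-1 and verifies data only against SHA-256 or SHA-512. It assumes the `sha1sum`/`sha256sum` line format (`HEXDIGEST  FILENAME`); the file names and sample bytes are constructed.

```python
import hashlib
import hmac

# Hex digest length -> hashlib algorithm name; MD5 and SHA-1 are collision-broken.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK = {"md5", "sha1"}

def parse_manifest(text):
    """Parse 'HEXDIGEST  FILENAME' lines (sha1sum/sha256sum style) into
    {filename: {algorithm: digest}}. Unrecognised lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        # A leading '*' on the name marks binary mode in the *sum tools.
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        algo = ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            continue
        entries.setdefault(name, {})[algo] = digest
    return entries

def weak_only(entries):
    """Files whose integrity rests solely on a collision-broken hash."""
    return sorted(n for n, d in entries.items() if set(d) <= WEAK)

def verify(data, digests):
    """Check data against the strongest listed digest.
    Returns 'ok', 'mismatch', or 'untrusted' when only MD5/SHA-1 is listed."""
    strong = [a for a in ("sha512", "sha256") if a in digests]
    if not strong:
        return "untrusted"
    algo = strong[0]
    actual = hashlib.new(algo, data).hexdigest()
    return "ok" if hmac.compare_digest(actual, digests[algo]) else "mismatch"

# Constructed sample: one image listed with SHA-1 only, one with SHA-1 and SHA-256.
IMAGE = b"constructed sample image bytes"
SAMPLE = "\n".join([
    hashlib.sha1(b"legacy").hexdigest() + "  legacy.iso",
    hashlib.sha1(IMAGE).hexdigest() + "  current.iso",
    hashlib.sha256(IMAGE).hexdigest() + " *current.iso",
])

if __name__ == "__main__":
    manifest = parse_manifest(SAMPLE)
    print("SHA-1/MD5 only:", weak_only(manifest))
    print("current.iso:", verify(IMAGE, manifest["current.iso"]))
```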