Block on Trump's Asylum Ban Upheld by Supreme Court
One of the technologies underlying document encryption and internet security for years isn't nearly as secure as once thought. Researchers at Google and CWI Amsterdam announced last week that they have cracked that technology, the Secure Hash Algorithm 1, or SHA-1. That techn has been used for more than 20 years to verify the safety of websites and the authenticity of documents.
SHA-1 works by creating a sort of digital fingerprint, allowing for quick authentication of documents, passwords, and websites. Researchers found that they could trick the algorithm into creating identical "fingerprints" for different files. And while the technology has been suspect for some time, it is still commonly used to validate the integrity of documents, according to the Wall Street Journal.
SHA-1 Under Attack
SHA-1 works by turning a digital document into a unique 40-digit sequence. A cryptographic hash function, SHA-1 is supposed to create a hash value that is unique to a specific file. That is, using HAS-1, no two documents should ever have the same hash value. That lets the hash value operate as a marker of authenticity for everything from HTTPS websites to encrypted documents to PDFs.
But researchers have now undermined that promised security. Using a technique called "SHAtterred," the researchers were able to demonstrate that two PDFs with different content could produce the same hash, meaning that fraudulent PDF B would be read as genuine PDF A.
It wasn't particularly easy, though. According to ZDNet, the successful attack:
required nine quintillion (9,223,372,036,854,775,808) SHA-1 computations and took the equivalent of 6,500 years of single-CPU computations to complete phase one of the collision, and 110 years of single-GPU to finish phase two.
Still, the technique, called a collision attack, is much faster than a "brute-force attack" and the cost of such attacks is dropping. Right now, successfully replicating such an attack would cost about $100,000, according to researchers.
Should You Worry?
The good news is that such an attack has been theorized for years. In 2005, researchers in China first identified risks with SHA-1 and by 2010, many technology organizations were recommending that SHA-1 be replaced with newer technology. In terms of website authentication, Google Chrome, Microsoft Edge, Mozilla Firefox, and more have all started shifting their browsers away from SHA-1 SSL certificates.
But there are still some risks. SHA-1 is still "likely to be found behind corporate firewalls on devices where software upgrades are difficult, such as point-of-sale terminals in retail stores," according to the Wall Street Journal.
Patches against the most recent attack are already rolling out, and most software is moving on to more sophisticated and more secure hash systems. Making sure your programs, from your web browsers to your PDF programs, are up to date is the first step to protecting yourself.