Google performs first successful collision attack on SHA-1 security algorithm

February 25, 2017

This Thursday, Google announced that it had performed a successful collision attack on the popular SHA-1 algorithm for the first time that they know of. The collision attack demonstrated an algorithm for making two distinct inputs map to the same hash output, putting at risk the use of SHA-1 for verifying data integrity. Google published a blog post and made a website about the collision attack. A successful attacker would be able to add a malicious file to the system to damage a backup relying on SHA-1 for checking data integrity, deliver a malicious update to clients using SHA-1 to verify the update file, attack and decrypt an encrypted connection to a website where the user's browser is using SHA-1 to identify the connection certificate, replace a file revision history using SHA-1 to identify commits, and perform other actions that would substitute valuable files with something seemingly identical but misleading or malicious in practice. Similar systems not using SHA-1 would not be affected.

To demonstrate the success of the algorithm, Google published two distinct PDF files with an identical SHA-1 hash. Google recommended that everyone who uses SHA-1 switch to stronger cryptographic hash functions.

The group started with a paper published by Marc Stevens in 2013 in which the authors proposed a theoretical algorithm for the collision attack. They chose PDF files as the basis for their attack. They wrote a PDF file prefix shared by both files and PDF contents which hashed to the same SHA-1 digest. Then they used the Google computing infrastructure to perform more than nine quintillion (upwards of 9,223,372,036,854,775,808) SHA-1 computations. They described this as 6,500 years of CPU time distributed in the first phase, then 110 years of (GPU) time total in the second phase of the attack to reach full collision. They said this new algorithm was 100,000 times faster than the and 50 times faster than a  algorithm proposed in 2005.

The cryptology group at the CWI institute, Netherlands, collaborated with the Google Research Security, Privacy and Anti-abuse Group to achieve the collision. According to a press release, and  were the initial leaders of the initiative, Ange Albertini developed the PDF attack code, Pierre Karpman developed the cryptanalysis, Yarik Markov and Pierre Karpman developed the distributed graphical processing unit (GPU) code, and Clement Baisse checked the reliability of the programs.

Google also provided a collision detector online, where users can upload a PDF file to test whether it was tampered with to produce a collision. Alex Petit Bianco developed the online file collision detector. Following its security policy, Google set a 90-day delay before the release of the source code for the attack.

Operating systems and software rely on SHA-1 for verifying file integrity when distributing updates to their users and in ISO checksums. Developers use SHA-1 in their, such as , to verify the files' integrity. Many people install programs that use SHA-1 for detecting duplicate files on storage media and for verifying backups' integrity. People surfing the web see SHA-1 used for verifying the integrity of certificates to verify the users' connection with the website is not subject to a. People also use SHA-1 in email / signatures.
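The duplicate-detection and backup-verification use described above, as an added example (not from the original article or from Google's tooling): a checker that groups files by SHA-1 and confirms every match with SHA-256, flagging groups where the two hashes disagree. No real SHA-1 collision is embedded here, so the sample data is constructed with a hypothetical 16-bit truncation of SHA-1 (`sha1_16`) as a stand-in weak hash; all function and file names are assumptions.

```python
import hashlib
from collections import defaultdict

def sha1_16(data: bytes) -> str:
    """Stand-in weak hash (assumption): SHA-1 truncated to 16 bits."""
    return hashlib.sha1(data).hexdigest()[:4]

def constructed_collision(weak_hash):
    """Build two distinct sample inputs that share a weak digest."""
    seen, i = {}, 0
    while True:
        msg = b"sample-%d" % i
        digest = weak_hash(msg)
        if digest in seen:
            return seen[digest], msg
        seen[digest] = msg
        i += 1

def audit_duplicates(files, weak_hash=lambda b: hashlib.sha1(b).hexdigest()):
    """Group files by weak digest, then confirm each group with SHA-256.

    Returns (true_duplicates, collision_suspects); each is a list of
    sorted file-name lists. A suspect group shares a weak digest but
    contains more than one distinct SHA-256 digest.
    """
    by_weak = defaultdict(list)
    for name, data in files.items():
        by_weak[weak_hash(data)].append(name)
    duplicates, suspects = [], []
    for names in by_weak.values():
        if len(names) < 2:
            continue
        by_strong = defaultdict(list)
        for name in names:
            by_strong[hashlib.sha256(files[name]).hexdigest()].append(name)
        duplicates += [sorted(g) for g in by_strong.values() if len(g) > 1]
        if len(by_strong) > 1:
            suspects.append(sorted(names))
    return duplicates, suspects

def demo():
    # Constructed sample data: a and b differ but share the truncated digest.
    a, b = constructed_collision(sha1_16)
    files = {"report.pdf": a, "report-copy.pdf": a, "other.pdf": b}
    return audit_duplicates(files, weak_hash=sha1_16)

if __name__ == "__main__":
    print(demo())
```

A tool that deduplicates or verifies on the SHA-1 digest alone would treat `other.pdf` as a copy of `report.pdf`; the SHA-256 confirmation step is what separates a true duplicate from a collision.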

Since January, does not trust SHA-1 certificates. stopped trusting them yesterday.

SHA-1 was introduced more than twenty years ago.