From the crypto-dungeons: why we had a big day today
[Dear crypto friends, I wrote this on request to explain the SHA-1 collision for regular internet users, so please excuse me where I cut corners in the explanation below. If something is actually _wrong_ please let me know though!]
Today something huge happened in the world of cryptology (the art & science of communicating & storing data while keeping it secret). Without encryption, we’d have no way to make any payments online or do anything confidential. So it matters.
So what happened? “The first SHA-1 collision was found”. At an expense of hundreds of thousands of dollars, some exceptionally smart people made an obscure breakthrough that had the crypto community buzzing.
So why was this huge? When we connect to the website of our bank, or transmit a password online, we’d like to be sure we are sending our details to the right place.
Cryptology is mostly a lot of mathematics, which operates on numbers, and not directly on websites. With these mathematics, we can take a number, do a lot of calculations on it, and know positively that we got that number from (say) “yourbank.com”. And this is important — we’d like to send our money instructions and passwords to the right place, and not to a bunch of hackers.
But in order to make this work for a webpage, we first need to turn the entire contents of such a page.. into a number. We call this “making a hash”, it turns as much data as we want into a (big) number. And this process of “hashing data” is what today’s announcement was about: one important way of doing it was broken.
Let’s say there are two pages: one that sends your password to your bank (the original) and one that sends your password to a bunch of criminals (made by attackers).
And with cryptology, based on the hash (the big number) of a page, we should be able to know it is the original page, from our bank.
But what if it were possible to make an ‘evil’ page.. that hashes to the same number? This would allow me to impersonate ‘yourbank.com’! Because the number still matches! It must be official!
(Note: this week’s breakthrough does something slightly different: it allows you to make two pages with the same number, but not to ‘clone’ the number from another page.)
To turn whole documents into numbers, we use algorithms. One of these algorithms, SHA-1, used to be the most popular one on the internet. It might even still be, even though for a number of years, it was clear someone would eventually be able to craft multiple documents that hashed to the same number, allowing evil things.
Today the Dutch CWI in Amsterdam and Google showed the world.. two documents that “SHA-1 hash” to the same number:
Everyone knew this moment would be coming, but it was a stunning result nonetheless. Google spent 6500 years of computer calculations on it using special equipment. It was estimated that the calculation cost $100000 at least. It is being hailed as one of the biggest calculations ever.
And the result? On shattered.io, you can download two PDF files that “SHA-1” to this same number.
And that’s why many crypto people lost their minds a bit today.
So should you be worried? Not so much about your webbrowser. We knew this was coming and were already moving on to better hashing algorithms. For other reasons too, the sky is not falling today.
But for us crypto fanatics, it was a special day.