Crypto is SHAttered!

SHA-1 is not a favoured son at the present time, and it has been on borrowed time since it was shown to have theoretical collisions in its hash signatures. But it was Google who finally produced a collision for SHA-1 in 2017. For this, Google used some of the best computing power around to cause a practical collision [here].

Google and the University of Amsterdam thus announced that they had cracked SHA-1 (Secure Hash Algorithm 1), which has been a standard hashing method since 1993. SHA-1 produces a 160-bit hash signature. NIST designed a new hash function for SHA-2, which has four main hash sizes: 224 bits (SHA-224); 256 bits (SHA-256); 384 bits (SHA-384); and 512 bits (SHA-512). SHA-3 uses a new type of hashing method, and is optimised for IoT methods [here].

But wait … it took Google two years to create a single collision. Considering the resources at Google’s fingertips, the cracking of SHA-1 is well out of budget for most organisations [here]. The answer for many is the move to SHA-2/SHA-256 [here], but this can be costly, especially when replacing digital certificates which use SHA-1. Basically, we have evolved from MD5 (a 128-bit hash signature), and then onto SHA-1 (a 160-bit hash signature), but…
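
To find the certificates that need replacing, one check is to read each certificate's signature algorithm and flag those built on SHA-1 or MD5. The Python below is an added example, not code from the original article; its function names are assumptions, and the two sample blobs are constructed, certificate-shaped DER rather than real certificates.

```python
WEAK_SIG_OIDS = {                      # signature algorithms built on MD5 or SHA-1
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):                # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = list(divmod(body[0], 40)), 0   # first byte packs the first two arcs
    for b in body[1:]:                 # later arcs are base-128; a set high bit means "continue"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):           # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)        # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])

def weak_signature(cert_der):          # algorithm name, or None if the OID is not in the weak list
    return WEAK_SIG_OIDS.get(signature_oid(cert_der))

def tlv(tag, body):                    # DER encoder used only to build the constructed samples
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    head = raw if len(body) < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def sample_cert(sig_oid_hex):          # constructed blob: dummy TBS, given sigAlg OID, dummy signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x04, bytes(200))) + alg + tlv(0x03, bytes(65)))

SHA1_RSA = sample_cert("2a864886f70d010105")     # sha1WithRSAEncryption
SHA256_RSA = sample_cert("2a864886f70d01010b")   # sha256WithRSAEncryption
```

Calling `weak_signature()` on the DER bytes of each certificate in an inventory gives the list to reissue; it inspects only the outer signature algorithm, so each certificate in a chain has to be checked separately.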

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
