The SHA-1 hash algorithm is still in use for verifying the authenticity of digital content, despite the march of Moore’s Law ramping up the computing power available to hackers in the wild and despite other, more robust alternatives having existed for years.
According to Google’s blog post, Marc Stevens published a paper that outlined a theoretical approach to creating a SHA-1 collision. The team leveraged Google’s technical expertise and cloud infrastructure to compute the collision, which is one of the largest computations ever completed.
So How Large Was the Computation?
- Nine quintillion (9,223,372,036,854,775,808) SHA-1 computations in total
- 6,500 years of CPU computation to complete the attack first phase
- 110 years of GPU computation to complete the second phase
While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute-force attack, which is almost impractical!
Mitigating the risk of SHA-1 collision attacks
So today, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3, against which a collision attack is quite hard to carry out!
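
One way to carry out that migration for a file-checksum manifest, as an added example rather than code from the original post. The `algo:hex` manifest format, the function names and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac

WEAK = {"sha1"}                             # collision-broken, per the text above
TARGET = "sha256"                           # one of the replacements the text names
SUPPORTED = {"sha1", "sha256", "sha3_256"}  # algorithms this sketch accepts

def digest(algo: str, data: bytes) -> str:
    return hashlib.new(algo, data).hexdigest()

def migrate_manifest(manifest: dict, blobs: dict):
    """manifest: name -> "algo:hex" (hypothetical format); blobs: name -> bytes.

    Returns (new_manifest, findings). A weak pin is replaced only when the
    content still matches it; on any problem the old pin is kept untouched.
    """
    new_manifest, findings = {}, []
    for name, pinned in sorted(manifest.items()):
        algo, _, want = pinned.partition(":")
        algo, data = algo.lower(), blobs.get(name)
        new_manifest[name] = pinned                   # default: keep as-is
        if data is None:
            findings.append((name, "missing"))
        elif algo not in SUPPORTED:
            findings.append((name, "unknown-algo"))
        elif not hmac.compare_digest(digest(algo, data), want.lower()):
            findings.append((name, "mismatch"))       # never re-pin unverified bytes
        elif algo in WEAK:
            new_manifest[name] = f"{TARGET}:{digest(TARGET, data)}"
            findings.append((name, "repinned"))
    return new_manifest, findings

# Constructed sample data (not real artifacts).
SAMPLE_BLOBS = {
    "installer.bin": b"constructed sample: installer bytes",
    "lib.so": b"constructed sample: modified after pinning",
    "notes.txt": b"constructed sample: notes",
}
SAMPLE_MANIFEST = {
    "installer.bin": "sha1:" + digest("sha1", SAMPLE_BLOBS["installer.bin"]),
    "lib.so": "sha1:" + digest("sha1", b"constructed sample: original lib"),
    "notes.txt": "sha256:" + digest("sha256", SAMPLE_BLOBS["notes.txt"]),
}

if __name__ == "__main__":
    new, findings = migrate_manifest(SAMPLE_MANIFEST, SAMPLE_BLOBS)
    for name, status in findings:
        print(f"{status:9} {name} -> {new[name][:23]}...")
```

A matching SHA-1 pin is only a sanity check before re-pinning, since two colliding files match the same pin; compute the new SHA-256 values from content obtained from a trusted origin.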