1
Why is SHA1 collision such a big deal

Solved 1 Answers 92 Views Hacking
Recently, the SHA collision has created a big hype on the internet.

How am I at risk from this, and how can it be exploited?

Thanks in advance

1 Answer

1
Best answer

What is the SHA-1 Collision Attack?

SHA-1 was designed by the NSA in 1995 as a standard Digital Signature Algorithm. For a decade, researchers pointed out the flaw in the system theoretically and how it could be exploited, but the cost to pull that off was more than $130K and months of computing.

Google, with a group of researchers, pulled it off, making it a reality; that's why it's big news.


How Does a SHA-1 Collision Work?

Two files cannot have the same digital print; even a difference of a period in one file will give you a different digital print, a.k.a. SHA-1. But if you look at PDF-1 and PDF-2, both have different content, but guess what? They have the same digital signature, which means SHA-1 has been exploited or "Shattered" because of the collision attack.

In the image below you can see that the Bad doc also has the same hash.

[image]

How Does SHA-1 Affect the Normal User?

If you use Chrome, you will be automatically protected from insecure TLS/SSL certificates, and Firefox has quickly reacted to this announcement, and deprecated SHA-1 as of February 24th, 2017.
Files sent via Gmail or saved in Google Drive are already automatically tested against this attack.

What types of systems are affected?

Any application that relies on SHA-1 for digital signatures, file integrity, or file identification is potentially vulnerable. These include:

  • Digital Certificate signatures
  • Email PGP/GPG signatures
  • Software vendor signatures
  • Software updates
  • ISO checksums
  • Backup systems
  • Deduplication systems
  • Git

How to Exploit SHA-1 for Collision Attacks?

This would require a great amount of computation power; even the attack done by Google cost them $11000, so it's not currently in range. You should read a research from 2009 where a user made 2 different files with the same hashes here, and after that read Marc's research on the current collision attack.

answered Feb 26 by Dr-Hack
selected Mar 1 by eirtaza
1 Comment
commented Mar 1 by eirtaza
That's a great source of info... thanks
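
An added example (not part of the original answer or thread): for the deduplication and backup systems in the list above, this Python sketch shows what a collision does to a store that identifies files by digest, and how keying on SHA-256 plus a byte comparison avoids or flags it. The 16-bit truncated SHA-1 is an assumed stand-in for a collidable hash, and `DedupStore`, `weak_id`, `strong_id` and the sample documents are constructed for illustration.

```python
import hashlib
from itertools import count

def weak_id(data: bytes) -> str:
    # Stand-in for a digest with practical collisions: SHA-1 cut to 16 bits.
    # Assumption for this demo; a real SHA-1 collision needs the published files.
    return hashlib.sha1(data).hexdigest()[:4]

def strong_id(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class DedupStore:
    """Content-addressed store: equal IDs are assumed to mean equal content."""
    def __init__(self, id_func):
        self.id_func = id_func
        self.blobs = {}
        self.collisions = []  # IDs seen with two different contents

    def put(self, data: bytes) -> str:
        key = self.id_func(data)
        stored = self.blobs.setdefault(key, data)  # existing ID: write skipped
        if stored != data:
            self.collisions.append(key)  # byte comparison catches the mismatch
        return key

    def get(self, key: str) -> bytes:
        return self.blobs[key]

def constructed_pair():
    """Two different constructed documents that share the same weak_id."""
    seen = {}
    for i in count():
        doc = b"constructed document %d" % i
        key = weak_id(doc)
        if key in seen:
            return seen[key], doc
        seen[key] = doc

def run_demo():
    first, second = constructed_pair()
    report = {}
    for name, id_func in (("weak", weak_id), ("sha256", strong_id)):
        store = DedupStore(id_func)
        store.put(first)
        key = store.put(second)  # does the second file survive deduplication?
        report[name] = {"second_file_intact": store.get(key) == second,
                        "collisions_flagged": len(store.collisions)}
    return first, second, report

if __name__ == "__main__":
    print(run_demo()[2])
```

With the weak ID the second file is silently replaced by the first on retrieval, which is the risk for any system that treats a SHA-1 match as proof of identical content.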