To the average computer user, “hash” is the first half of a compound word that is quickly replacing “pound sign” in our vernacular. Or, if you’re particularly hungry, it’s a delicious combination of diced meat and potatoes. Beneath the surface, though, hashes play an integral part in basic computing functions. Essentially, a hash is a way for a computer to summarize a large amount of data into a short, fixed-length fingerprint, and hashes are used for everything from checking for duplicate files to verifying that transmitted data has not been altered. It’s the latter use that is at the center of Google’s latest findings.
Secure Hash Algorithm 1, or SHA-1, a 20-year-old method of generating secure hashes, has successfully been shattered. By throwing massive amounts of computing power at the mathematical structure that underpins SHA-1, Google was able to generate a cryptographic hash collision using PDF files. In simplest terms, a hash collision occurs when two different inputs produce the same hash; because the receiving computer checks only the hash, it can be tricked into accepting an entirely different file than the one it expected. Using Google’s particular method, a malicious user could replace a legitimate file, a contract for instance, with a fraudulent document that passes the same check.
Google and others have long been advocating for the complete deprecation of SHA-1, going as far as removing support for sites whose certificates are signed with SHA-1 from major browsers beginning this year, and this finding represents the latest push toward more modern hash algorithms. Google, per its standard vulnerability disclosure policy, will wait 90 days before publishing its findings, and has taken steps to protect users of Gmail and G Suite from the attack.
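To make the collision scenario from the previous paragraphs concrete, here is an added example (not from the article or from Google’s research) in Python. It stands in for SHA-1 with a deliberately weak toy hash, SHA-1 truncated to 16 bits, so that a “legitimate contract” and a “fraudulent contract” with the same digest can be found in a fraction of a second; a receiver that trusts the weak digest accepts the fraudulent document, while one that requires SHA-256 does not. All document contents and digests are constructed for the demonstration.

```python
import hashlib
import itertools

# Toy stand-in for SHA-1: its first 16 bits only. Constructed so that a
# birthday-style search finds a collision in a few hundred tries; real SHA-1
# is 160 bits, which is why the real attack needed enormous compute.
def weak_hash(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()[:2]

DIGESTS = {
    "weak": weak_hash,                                   # deprecated class
    "sha256": lambda d: hashlib.sha256(d).digest(),      # current recommendation
}

def find_collision(legit_prefix: bytes, fraud_prefix: bytes) -> tuple[bytes, bytes]:
    """Return one variant of each document such that both share a weak_hash.
    Each side appends a counter, as an attacker might tweak invisible bytes."""
    legit_seen: dict[bytes, bytes] = {}
    fraud_seen: dict[bytes, bytes] = {}
    for i in itertools.count():
        legit = legit_prefix + b" #%d" % i
        fraud = fraud_prefix + b" #%d" % i
        hl, hf = weak_hash(legit), weak_hash(fraud)
        if hl == hf:
            return legit, fraud
        if hl in fraud_seen:
            return legit, fraud_seen[hl]
        if hf in legit_seen:
            return legit_seen[hf], fraud
        legit_seen[hl] = legit
        fraud_seen[hf] = fraud

def verify(document: bytes, expected: bytes, algorithm: str,
           allow_deprecated: bool = False) -> bool:
    """Receiving side: accept the document only if its digest matches the
    published one. Deprecated digests are refused unless explicitly allowed."""
    if algorithm == "weak" and not allow_deprecated:
        raise ValueError("deprecated digest algorithm refused: " + algorithm)
    return DIGESTS[algorithm](document) == expected

def demo() -> dict[str, bool]:
    legit, fraud = find_collision(b"Contract: pay 100 USD", b"Contract: pay 1000000 USD")
    weak_published = weak_hash(legit)                 # digest the sender published
    strong_published = hashlib.sha256(legit).digest()
    return {
        "fraud_accepted_by_weak": verify(fraud, weak_published, "weak", allow_deprecated=True),
        "fraud_accepted_by_sha256": verify(fraud, strong_published, "sha256"),
        "legit_accepted_by_sha256": verify(legit, strong_published, "sha256"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Swapping the toy hash for full SHA-1 does not change the logic, only the cost of `find_collision`, which is exactly the cost Google paid.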
You can read all the details, including the staggering amount of computing force thrown at the project, in the source link below.
Source: Google Security Blog | Image: Google