Once upon a time there was SHA-1

It had been known since 2015, in theory, that the SHA-1 hashing algorithm was insecure.
The algorithm was known to be vulnerable to collision attacks. Now it has been proven.

A team at Google managed to create two PDFs that produce the same SHA-1 digest, using an attack called SHAttered. The intensive computation behind that attack has an estimated cost of 110,000 dollars.

“This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations,” the researcher explains.

“While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical.”

Google is planning to release the proof-of-concept (PoC) code in 90 days, which the company used for the collision attack, meaning anyone can create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.

Therefore, Git and an unknown number of other widely used services that still rely on the insecure SHA1 algorithm have three months to replace it with the more secure one.

Google Achieves First-Ever Successful SHA-1 Collision Attack [The Hacker News]
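
A defender-side check for the situation described above (two different files with the same SHA-1 digest): group files by SHA-1 and flag any group whose members differ under SHA-256. This is an added example, not code from Google or The Hacker News; all function names and the sample data are constructed, and `weak_prefix` is a deliberately truncated stand-in used only so the demo yields a collision without the real colliding PDFs.

```python
import hashlib
from collections import defaultdict
from pathlib import Path


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def weak_prefix(data: bytes) -> str:
    # Constructed stand-in: keeps only the first hex digit (4 bits) of SHA-1,
    # so 17 distinct inputs are guaranteed to collide (pigeonhole).
    return hashlib.sha1(data).hexdigest()[:1]


def find_collisions(blobs, weak=sha1_hex):
    """blobs maps name -> bytes. Returns [(weak_digest, [names])] for every
    weak digest shared by contents that have different SHA-256 digests.
    Byte-identical copies are not reported: they agree under SHA-256 too."""
    by_weak = defaultdict(dict)  # weak digest -> {sha256 digest: [names]}
    for name, data in blobs.items():
        strong = hashlib.sha256(data).hexdigest()
        by_weak[weak(data)].setdefault(strong, []).append(name)
    findings = []
    for digest, strong_groups in sorted(by_weak.items()):
        if len(strong_groups) > 1:  # same weak digest, different content
            names = sorted(n for g in strong_groups.values() for n in g)
            findings.append((digest, names))
    return findings


def scan_dir(root):
    """Run the same check over every regular file below root."""
    files = {str(p): p.read_bytes() for p in Path(root).rglob("*") if p.is_file()}
    return find_collisions(files)


# Constructed sample input: 17 distinct documents plus one exact copy.
SAMPLE = {f"invoice-{i}.pdf": f"invoice body {i}".encode() for i in range(17)}
SAMPLE["invoice-0-copy.pdf"] = SAMPLE["invoice-0.pdf"]

if __name__ == "__main__":
    print("full SHA-1:", find_collisions(SAMPLE))
    for digest, names in find_collisions(SAMPLE, weak=weak_prefix):
        print("truncated digest", digest, "shared by", names)
```

Run against a real document store with `scan_dir(path)`; any finding there means two different files share a full SHA-1 digest and should be treated as a crafted collision.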

Image: matrix, by Gamaliel Espinoza Macedo, licensed under CC BY-NC 2.0.