SHAttered: SHA-1 Proved Insecure
By MDL on February 25, 2017
Headline: SHAttered: SHA-1 Proved Insecure
SHA-1, a cryptologic hash function still widely in use, is proven to be insecure after security researchers documented a successful collision attack this week.
A research team from Google and CWI Amsterdam released a paper on Thursday, February 23 detailing how they used a collision attack to make two distinct files containing different data that hash to the same SHA-1 digest.
Bottom Line: In the words of the researchers, “Any application that relies on SHA-1 for digital signatures, file integrity, or file identification is potentially vulnerable. These include: digital certificate signatures, email PGP/GPG signatures, software vendor signatures, software updates, ISO checksums, backup systems, deduplication systems, GIT, and so on,” In 90 days, the researchers plan to release code that would allow anyone to reproduce their findings. The many services still relying on SHA-1 must make changes and move to safer alternatives before that date.
Sources: HelpNet Security. New attack sounds death knell for widely used SHA-1 crypto hash function, Wired. A Super-Common Crypto Tool Turns Out to Be Super-Insecure, ArsTechnica. At death’s door for years, widely used SHA1 function is now dead, Google Security Blog. Announcing the first SHA1 collision
-
The Weakest Link: DoD Data Exposed by Third-party
The Weakest Link: DoD Data Exposed by Third-party
11/1/2019 -
New York Financial Companies must comply with cybersecurity regulation
New York Financial Companies must comply with cybersecurity regulation
3/29/2019 -
Global Weekly Executive Summary, 02 November 2018
Global Weekly Executive Summary, 02 November 2018
11/7/2018