Google cracked one of the building blocks of web encryption..!

Google researchers did something that rather seemed impossible before, they have managed to produce two different documents which have the same SHA-1 hash signatures. This shows nothing is impossible.

Why is it such a big deal? Well, it has everything to do with the fact that SHA-1 is widely used across the Internet. It’s used for HTTPS certificates which are used to protect your browsing and also in Git repositories. It is also used to find if data in many forms like PDFs, emails, source code, website certificates and so on, have not been tampered with by hackers or not.

Coming back to the present, Google has managed to prove that it is, possible to create a hash collision by just altering a PDF without changing the SHA-1 hash value of it. It means that people can be tricked into thinking the altered document or duplicate document was actually the original one, which is worrisome.

In a blog post, Google wrote saying, 

“Today, 10 years after the SHA-1 was first introduced, we are today announcing the first practical technique for generating a collision. This represents the culmination of two years of research which sprung from a collaboration between the Google and the CWI Institute in Amsterdam”.

What is the Purpose of doing all these?

This is a common question arising in minds. Why should Google try to crack the algorithm which was used all over the internet for encryption? The simple answer is that - if Google had not, some other attacker might have. And its good that Google made the world aware about the faulty SHA-1 hash algorithm. 

This industry cryptographic hash function standard is used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, including credit card transactions, electronic documents, open-source software repositories and software updates.

The purpose of this entire effort and spending two years of research into this was to show the tech community that it is necessary to stop the SHA-1 usage. Google has supported the deprecation of SHA-1 for many years, especially when it comes to signing the TLS certificates, due to this type of problem. Chrome has been slowly phasing out of using SHA-1 ever since 2014.

“We hope our practical attack on this encryption type will cement that the protocol should no longer be considered secure,” the team added, pushing the tech industry towards using a safer alternative such as SHA-256.