First Practical SHA-1 Collision Attack

Researchers have unveiled the first practical collision attack for the 22 year old cryptographic hash function SHA-1. While long expected, news of the attack, dubbed ‘SHAttered,’ should further accelerate the urgency of sunsetting of the maligned algorithm. Lamar Bailey, Sr. Director, Security R&D at Tripwire commented below.

Lamar Bailey, Sr. Director, Security R&D at Tripwire:

“Cryptographic algorithms have a half-life similar to radioactive isotopes. The factors that play into determining the half-life are the processing power needed to find collisions that break the algorithm along with the costs to obtain the processing power. When both of these factors are in the realm of possibility of a well-funded bad actor that expends the resources for a high priority target, the algorithm can be broken. Once these conditions are met, it is time to have a plan to replace the algorithm in any and all highly secure applications and have a plan for removal in lower importance uses. Companies should have a plan to retire this algorithm as soon as reasonably possible and no later than the end of the year.”