SHA-1 cracked by Google

So you can make your own SHA1 colliding PDFs now:

https://alf.nu/SHA1

Gmail flags PDFs generated in this manner as harmful.

Heptapod language makes more sense to me than that article.

First figure out what a hash function is:

"Imagine a new deck of cards. You write a step by step procedure for shuffling them. The end result is a ‘mixed up’ deck of cards. If you followed the same procedure for every new deck of cards you would get the same result.
A hash function is like shuffling a deck of cards except the input is an alphanumeric string of characters."

A specific hashing algorithm, SHA-1, first created in 1993, has been cracked by Google. Any software and hardware using this for security (passwords) or in other ways, like verifying digital signatures and file uniqueness in the Adobe Acrobat PDF format, is fundamentally broken.

The WebKit repo, which uses Apache SVN for software code check-in/out, uses SHA1 hashing to differentiate code/files. Someone uploaded a corrupted PDF generated by the first link and it corrupted their system.

When you hash a file, you get a unique fingerprint based upon its contents. To collide hashes, you generate two different files with the same hash. This is very computationally intensive today but won’t be in, say, 10 years. So the moral is to stop using SHA1 and move to a hash without a known non-brute-force attack vector, like SHA256.

This is important because hashes are used to check that a file is what it’s supposed to be. For example, when your browser gets an SSL certificate, it checks the hash against the signing authority, like Verisign. So if a SHA1 collision attack existed on SSL certs, a man in the middle could hijack your connection and steal your Gmail password without your browser knowing any different.

Note this specific attack only works on PDFs as they are unique in that you can fit anything inside of them without compromising the file format. That doesn’t apply to SSL certs.
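As an added illustration (not part of the original posts): a store that tells files apart by SHA-1 alone, as in the SVN case above, can cross-check each digest against SHA-256 to spot two different files sharing one fingerprint. `find_collisions`, `weak_stand_in` and the sample data are hypothetical names and constructed input; the 1-byte hash only stands in for a broken hash so the check has something to find.

```python
import hashlib
from collections import defaultdict


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def weak_stand_in(data: bytes) -> str:
    # Constructed stand-in for a broken hash: only the first byte of SHA-1,
    # so collisions show up in a small sample. Not a real attack on SHA-1.
    return sha1_hex(data)[:2]


def find_collisions(blobs, index_hash=sha1_hex):
    """Return [(index_digest, [names])] for digests shared by different contents.

    blobs maps a file name to its bytes. Identical copies are not reported,
    only names whose index digest matches while their SHA-256 differs.
    """
    buckets = defaultdict(lambda: defaultdict(list))
    for name, data in blobs.items():
        buckets[index_hash(data)][sha256_hex(data)].append(name)
    report = []
    for digest, by_strong in buckets.items():
        if len(by_strong) > 1:  # one index digest, several distinct contents
            names = sorted(n for group in by_strong.values() for n in group)
            report.append((digest, names))
    return sorted(report)


# Constructed sample: 300 distinct blobs plus one exact duplicate pair.
SAMPLE = {f"doc-{i}.pdf": f"constructed content {i}".encode() for i in range(300)}
SAMPLE["copy-a.pdf"] = SAMPLE["copy-b.pdf"] = b"identical bytes"

if __name__ == "__main__":
    print("full SHA-1 index:", find_collisions(SAMPLE))
    hits = find_collisions(SAMPLE, index_hash=weak_stand_in)
    print("1-byte index:", len(hits), "digests shared by different files")
```

With the full SHA-1 index the report is empty for this sample; with the 1-byte stand-in, every reported digest names files that a fingerprint-only store would treat as the same object.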

Some man wants your hash browns, and you go, sha, right! but he’s still on a collision course toward you.

Isn’t that two different files with the same hash?

What if I prefer natural cut instead?

Yes I fixed it.

Ah, got it. That makes sense. Thanks.



SHA1 has been on the decline for a while now as this was not unexpected. It’s the reason why I spent hundreds of hours a couple of years ago replacing certificates and updating a ton of network gear to shift to SHA256.

I’m not surprised at Google’s latest revelation. It only speeds up the timeline for getting rid of using that as a hash for anything. Hey, it’s been a good run for that hash. Over 20 years.

Very close. It was actually an episode of Spongebob.