SHA1 Collision Finally Occured

Well it was bound to happen eventually – the Secure Hash Algorithm (SHA1) has finally been broken in so much as a team of researches at Google managed to generate a collision.

If you aren’t sure what that means consider that the idea of a hashing algorithm is to take a variable length input and provide a fixed length output which should be unique for every unique input. Where two different inputs generate the same hash output we term this a collision – this is a very bad thing.

For your reference here are links to the research –

I recommend reading these articles even if security is outside your usual domain. In my organisation I started the move from SHA1 to SHA2 roughly two years ago and I am happy to say that we are 99% done. The only systems left are those which are either being decommissioned or where we have a vendor limitation. Thankfully these systems are few and far between, not critical to the business and in isolated networks.

It is amusing for me to think that way back when I began the work other organisations in our Active Directory forest thought I was being overly cautious and that we had at least 5-10 years before we had to worry about SHA1. It was with even greater amusement that I watched the same organisations (and the third-party experts) scramble to build new certificate authorities and rush there systems over to SHA2 when the realisation dawned that browsers were going to start throwing errors and that SHA1 was no longer considered safe.

Anyway it goes without saying that you really need to look at your own organisations setup and understand where you are leveraging SHA1 so that a plan can be developed to migrate. Perhaps you have already done so in which case congratulations, for those that have not it’s time to speak with management and get things rolling.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.