Privacy and security are two of the most important features that any technology meant for mass consumption should provide. If the technology in question is Internet, then privacy and security become even more paramount. Just think about how many apps and websites you use on a daily basis that require protection from unauthorized accesses.
Understanding network security in a few lines!
Let us take the example of an email service. Your email is personal and you chose to protect the account with a password. Without your password, nobody can enter your account and read or write emails on your behalf. There is one problem. When you send an email, the information travels through the internet to reach the servers. A malicious third-party can listen to the traffic leaving your home and can record them. So, does that mean all the effort put into ensuring a hard password for your email account was worthless?
The answer is NO!
Cryptography to the rescue
All major websites/service providers over Internet use cryptographic techniques. This technique scrambles your messages that leave your device in such a manner that only the intended recipient can unscramble it. A third-party can still listen to the traffic leaving your home, but to any non-intended user, it would seem like a garbled message. They can not make sense out of it. If a malicious third-party modifies the information he has been listening to, the intended user will not be able to unscramble the information which indicates that someone, other than the actual sender, has modified it.
What is SHA-1?And why do I need to know about it?
Websites that support such cryptography based communication have their URL begin with https instead of HTTP. The Internet is still using SHA-1 based encryption developed more than 20 years ago. Without going deep into the mathematics and computer science behind it, one can think of SHA-1 as a puzzler, that takes any arbitrary file (of arbitrary size) and converts it into a fixed sized garbled string. It has the following properties:
- You will receive the same garbled string every time you input the same file.
- The garbled string can not be used to retrieve the original file.
- No two files will have same garbled string output.
To understand the third property, imagine the following scenario. Alice gives Bob a confidential file ‘FileA’ and tells Bob the SHA-1 for the file to be ‘SHA_FileA.’ Bob receives the file finds the SHA-1 string for the file same as what Alice told him. He is assured that the file is indeed sent by Alice and no one has tampered with it.
But, if there is another file ‘FileB’ whose SHA-1 version is ‘SHA_FileB’ then Bob cannot be sure if it is actually sent by Alice.
Findings that shook the confidence on SHA-1
This is what has happened. Researchers at Google and the CWI Institute in Amsterdam have found a way to produce same SHA-1 values for two different pdf files. The process required a massive computation capability, but it is considered within the realms of reality for organizations who can afford cloud computing time. Here are some numbers that give a sense of how large scale this computation was:
Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
6,500 years of CPU computation to complete the attack first phase
110 years of GPU computation to complete the second phase
This is a problem. Simply put, it means that SHA-1 is no more the impregnable fort that we believed it was. Thankfully, as always, humans have evolved the tech further.
Moving Forward: SHA-256 a new mandate?
While the amount of computation required to break the SHA-1 algorithm is huge, a large part of the industry has moved to SHA-256, a much stronger and safer cryptographic technique. Unfortunately, the move is far from complete. There are quite a few products/services that still rely on SHA-1, e.g., GIT repository and SVN repository.
The future version of Google Chrome will provide a notification whenever you visit a website which uses SHA-1 for encryption, instead of the new and secure SHA-256
In conclusion, SHA-1 is outdated, and a loophole has been found to break its security. While doing that is a very complicated process, nevertheless, it is recommended to move on to the much safer SHA-256. Soon enough, the leading internet players would call out older versions of security. So, it is time for providers to move ahead.