Exploit Fully Breaks SHA-1, Lowers the Attack Bar
2020-01-09 19:04

A proof-of-concept attack has been pioneered that "fully and practically" breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering.

All of the major browsers and most applications no longer recognize certificates signed with SHA-1, few certificate authorities still support it, and NIST has deprecated it since 2011. The latest PoC attack is nonetheless deeply concerning because, despite all of that, SHA-1 remains far from being fully deprecated.

The exploit, which focused on PGP, is yet another collision attack, but it's one that significantly lowers the bar for attackers looking to break SHA-1 compared to previous PoCs.

In practice, achieving the attack takes computational horsepower and processor resources; the researchers said that they paid $756,000 for their trial-and-error process and computations, but the cost could be as low as $50,000 using more advanced GPUs and a known attack methodology.

"GPU technology improvements and general computation cost decrease will quickly render our attack even cheaper, making it basically possible for any ill-intentioned attacker in the very near future."


News URL

https://threatpost.com/exploit-fully-breaks-sha-1/151697/