SHA1 SHAttered
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
SHA1 was released in 1995 and was used in browser security, code repositories, file identity security and more. The concept was that a large amount of data can be condensed into a relatively small hash, and that hashes can then be compared on the assumption that no two pieces of source data result in the same hash. A collision occurs when two pieces of source data are put through the hashing function and result in the same hash.
Researchers have been calling for its deprecation for some time, after highlighting weaknesses in the algorithm and suggesting that collisions could soon become a possibility.
Researchers have now confirmed that, with the use of an unannounced proof-of-concept method along with huge computational power, they have managed to produce the first SHA1 collision.
The sheer scale of computational power required renders an attack unfeasible for the average attacker. However, this type of attack may not be out of reach for a well-funded Advanced Persistent Threat (APT) group or state-sponsored attackers.
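The collision concept described above, and a file-identity check that catches it, as an added example (not part of the original alert). A real SHA1 collision cannot be embedded here, so the digest is truncated to 24 bits as a stand-in; the function names `weak_digest`, `find_collision` and `audit_identities` and the sample file names are constructed for this illustration.

```python
import hashlib
from collections import defaultdict

TRUNC_BYTES = 3  # assumption: 24-bit toy digest so a collision appears in milliseconds


def weak_digest(data: bytes) -> str:
    """First TRUNC_BYTES of SHA1: stands in for a hash whose collisions are reachable."""
    return hashlib.sha1(data).digest()[:TRUNC_BYTES].hex()


def find_collision(prefix: bytes = b"constructed-sample-"):
    """Birthday search: hash distinct inputs until two of them share a weak digest."""
    seen = {}
    counter = 0
    while True:
        msg = prefix + str(counter).encode()  # every message is unique
        digest = weak_digest(msg)
        if digest in seen:
            return seen[digest], msg  # two different inputs, one digest
        seen[digest] = msg
        counter += 1


def audit_identities(files: dict) -> list:
    """Group files by weak digest and report groups whose SHA-256 digests disagree."""
    groups = defaultdict(list)
    for name, data in files.items():
        groups[weak_digest(data)].append(name)
    findings = []
    for digest, names in groups.items():
        strong = {hashlib.sha256(files[n]).hexdigest() for n in names}
        if len(strong) > 1:  # same weak hash, different content: a collision
            findings.append((digest, sorted(names)))
    return findings


if __name__ == "__main__":
    a, b = find_collision()
    # Constructed sample store: two colliding files, one true duplicate, one unrelated.
    sample = {"report_v1.bin": a, "report_v2.bin": b,
              "copy_of_v1.bin": a, "other.bin": b"unrelated"}
    for digest, names in audit_identities(sample):
        print(f"weak digest {digest} shared by differing content: {names}")
```

A system that keys file identity on the weak digest alone would treat the two colliding files as the same object; the SHA-256 cross-check separates a true duplicate from a collision.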
Remediation steps
Last edited: 17 February 2020 11:38 am