Researchers say SHA-1 will soon be broken, urge migration to SHA-2 by Teri Robinson.
In as little as three short months, the SHA-1 internet security standard, used for digital signatures and set to be phased out by January 2017, could be broken by motivated hackers, a team of international researchers found, prompting security specialists to call for a ramping up of the migration to SHA-2.
“We just successfully broke the full inner layer of SHA-1,” Marc Stevens of Centrum Wiskunde & Informatica in the Netherlands, one of the cryptanalysts that tested the standard, said in a release. Stevens noted that the cost of exploiting SHA-1 has dropped enough to make it affordable to every day hackers. The researchers explained that in 2012 computer security and privacy specialist Bruce Schneier predicted that the cost of a SHA-1 attack would drop to $700,000 in 2015 and would decrease to an affordable $173,000 or so in 2018.
But the prices fell–and the opportunity rose–more quickly than predicted. “We now think that the state-of-the-art attack on full SHA-1 as described in 2013 may cost around 100,000 dollar renting graphics cards in the cloud,” said Stevens.
…
The silver lining in this dark cloud is that “every day hackers” can afford to spend “around $100,000 renting graphics cards in the cloud,” to break SHA-1.
I had no idea that “every day hackers” had that sort of cash flow.
Certainly something that should be mentioned at the next career day at local high schools and when recruiting for college CS programs. 😉
Depending on your interests, the even brighter silver lining will be the continued use and even upgrade to SHA-1, such as with the OPM (Office of Personnel Management), long after the graphics card rental price has broken into the three-digit range.