It’s official: The SHA-1 cryptographic algorithm has been “shattered.” Now what?

After years of warnings that advances in modern computing made a successful collision attack against SHA-1 imminent, a team of researchers from Google and Centrum Wiskunde & Informatica (CWI) in the Netherlands has produced the first practical SHA-1 collision. In practical terms, SHA-1 can no longer be relied upon for security.

Modern cryptographic hash functions depend on it being infeasible to find two different inputs that produce the same hash. A hash collision is exactly that: two separate files with the same hash. It is well-known that cryptographic weaknesses in SHA-1 make certificates signed with the SHA-1 algorithm potentially vulnerable to collision attacks. The National Institute of Standards and Technology deprecated SHA-1 more than five years ago, and experts have long been urging organizations to switch to stronger hash algorithms. Up until now, the only thing going for SHA-1 was the fact that collision attacks were still expensive and theoretical.

No longer: the Google-led research team has developed a method that let them generate two PDF files with different content that produce the same SHA-1 hash. While the collision attack is still expensive, the “SHA-1 shattered” attack is no longer theoretical, which means it is within the reach of anyone motivated enough and with deep enough pockets.

 has been recommending everyone , as has the CA/Browser Forum. Expect to hear new timelines and schedules from major vendors over the next few weeks and incorporate the changes accordingly into your infrastructure. 

But SHA-2 is subject to the same mathematical weaknesses as SHA-1, so why not move to the stronger SHA-3 algorithm, which doesn’t share the same issues? As InfoWorld’s Roger Grimes told me, that isn’t a practical idea for several reasons, and it would likely lead to wide-scale difficulties and operational challenges. Although NIST has been recommending moving to SHA-3 since August 2015, practically no operating system or software supports it by default. Also, SHA-2 is not considered as operationally weak as SHA-1 because its hash lengths are longer, so it is good enough to use for now. SHA-2 hash lengths range from 192 bits to 512 bits, although 256 bits is the most common. Most vendors will add more SHA-3 support over time, so it’s best to use the migration to SHA-2 as the opportunity to learn what to do for the inevitable SHA-2-to-SHA-3 migration.
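Two points above deserve a concrete illustration: why a single colliding block is enough to produce two whole PDFs with the same hash, and why a longer digest (SHA-2) pushes a generic collision search out of reach. The following is an added example, not code from the researchers or from this article; it uses a constructed 24-bit toy hash with the same Merkle-Damgård chaining structure as SHA-1 and SHA-2, small enough that a collision can be found in seconds.

```python
"""Toy Merkle-Damgard hash (constructed for illustration, not SHA-1 itself).

Shows that (1) a collision in the chaining state after one block survives
any identical suffix, which is how two colliding blocks become two complete,
differently rendering PDFs with one SHA-1 hash, and (2) a generic birthday
search costs about 2^(n/2) hash evaluations for an n-bit digest, which is why
SHA-2's longer digests buy time that SHA-1's 160 bits no longer do."""
import hashlib

STATE_BITS = 24          # toy digest size; SHA-1 uses 160, SHA-256 uses 256
BLOCK_SIZE = 4           # bytes per message block
IV = b"\x00" * (STATE_BITS // 8)


def compress(state: bytes, block: bytes) -> bytes:
    """Compression step: the next state depends only on (state, block)."""
    return hashlib.sha256(state + block).digest()[:STATE_BITS // 8]


def toy_hash(msg: bytes) -> bytes:
    """Merkle-Damgard: pad, split into blocks, fold through compress()."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK_SIZE)
    state = IV
    for i in range(0, len(padded), BLOCK_SIZE):
        state = compress(state, padded[i:i + BLOCK_SIZE])
    return state


def find_collision():
    """Birthday search for two distinct single blocks m1 != m2 with the
    same chaining state compress(IV, m1) == compress(IV, m2).
    Returns (m1, m2, number_of_evaluations). Deterministic counter input."""
    seen = {}
    i = 0
    while True:
        m = i.to_bytes(BLOCK_SIZE, "big")
        h = compress(IV, m)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


if __name__ == "__main__":
    m1, m2, tries = find_collision()
    print(f"colliding blocks {m1.hex()} / {m2.hex()} after {tries} evaluations "
          f"(generic bound ~2^{STATE_BITS // 2} = {2 ** (STATE_BITS // 2)})")
    suffix = b"...identical remainder of a PDF, shared by both files..."
    # Same chaining state after block 1, so every identical suffix still collides.
    print(toy_hash(m1 + suffix) == toy_hash(m2 + suffix))  # True
```

Scaling the same search to a real 160-bit digest would need on the order of 2^80 evaluations, and 2^128 for SHA-256, which is the gap the SHA-2 migration relies on.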

The warnings were there all along, and now the time for warnings is over. IT teams need to finish the SHA-1 to SHA-2 migration, and they should use the news that a successful collision attack is now within reach as the hammer to bludgeon management into prioritizing the project.