Linux Format

SHA-1 collision alert!

But Linus Torvalds doesn’t think it’s a big deal.


SHA-1, also known as Secure Hash Algorithm 1, is a popular cryptograp­hic hashing function created in 1995 by the NSA. However its future is now in doubt after Google and the CWI Institute Amsterdam announced they had launched the first ever successful SHA-1 collision attack. SHA-1 was designed to turn any input message (such as a specific file or website certificat­e) into a long string of numbers and letters that can be used as a fingerprin­t to confirm that the file is genuine. In their release (see, Google and the CWI Institute revealed that they managed to create two PDFs that had identical SHA-1 hashes, but contained different content. Malicious users could use a ‘collision’ like this to deceive systems that use the hashes into accepting a malicious file. This strengthen­s Google’s argument to move to a more secure alternativ­e such as SHA-256. However, in a public statement on the Google+ social network, Linus Torvalds explained why he wasn’t too concerned. He goes into some detail (see, but the gist is that the world isn’t going to end over this, and that there is a difference “between using a cryptograp­hic hash for things like security signing, and using one for generating a ‘content identifier’ for a content-addressabl­e system like Git”, and that Google’s particular SHA-1 attack is easily protected against. In the end, Torvalds argues that breaking SHA-1 won’t break Git. Will other people still see SHA-1 as a viable solution? Time will tell.

Newspapers in English

Newspapers from Australia