Katrin Eggert

SHAttered => SHA-1 substitute now

New attack renders the most widely used hash algorithm unsafe

A procedure appeared at the beginning February 2017 making it “easier” to generate a SHA-1 1  collision. This attack was named “SHAttered” to make clear that the SHA-1 procedure is “broken” and should no longer be used.

Jürgen Schmidt warns that this is not merely a theoretical possibility of attack that may be ignored before simply carrying on in his contribution “Warum SHAttered wichtig ist” [Why SHAttered is important] on heise Security:

Some may think that the hurdle of 6 500 CPU years required for SHAttered remains adequately high. Yet, with Cloud Computing and the stubborn Moore’s law for the growth of computing power, combined with progress with attacks, this is a dangerous misconception. In 2008, for instance, Marc Stevens researchers needed to get a cluster of more than 200 Playstation 3 consoles to continue computing for several days. Every PC will today spit out such MD5 collision in less than a second. The grace period for SHAttered has definitely expired: SHA-1 is officially dead.

This shows: Although an attack is still not realistic TODAY, an attack a few years later may crack SHA-1 integrity.

This will be a problem especially because SHA-1 is (or may be) used in many standard protocols such as PGP, S/MIME, TLS (aka SSL), …. This puts most conventional digital communication at risk – from online banking via ELSTER and signed programs up to encryption of e-mails and Messenger news.

Changing or replacing protocols, or converting algorithms used by protocols, takes many years. To start off with, you should therefore establish where SHA-1 is used in your organisation and whether conversion is possible. This will, for instance, not be possible for many embedded devices – these should be replaced in the medium-term.

I therefore appeal to you: Start today already! Draw the attention of your development department, network and server department, suppliers, … to this. Alternatives such as the SHA-2 family (SHA-256, SHA-384 and SHA-512), SHA-3, Blake2 or (depending on application) also Poly1305 are available – find out about these and say “Goodbye” to SHA-1!

Olav Seyfarth, member of BvD WG Krypto


1 SHA is the abbreviation for Secure Hash Algorithm. Hash algorithms are used to calculate hash totals for larger data volumes. The checksums are used to check whether data have been manipulated. This will, for instance, make sense when data are transmitted via insecure channels.

We may regard a hash value as a fingerprint: The fingerprint allows identification of a person but it cannot tell us what this person looks like.

A significant characteristic of hash procedures applied to digital signatures and encryption is that minor changes to the checked text will produce different, unpredictable checksums. The attack on the presently extremely widely used “SHA-1”standard hash procedure will allow the attacker to change the checked text, yet without changing the checksum (hash collision).

This would then point to another person with the identical fingerprint. This would not even be the case with identical twins.