The research result on October 2015 from Dutch CWI estimated that finding a SHA-1 hash collision is possible, and the order of magnitude of the cost is around $100 000. See our previous: SHA-1 is no longer considered secure.
Fresh result from same team with sponsored computing cluster capacity demonstrates that this is indeed correct cost estimate.
Actual Impact of SHA-1 Hash Collisions
The actual impact has not changed in past year and half:
- Rapid challenge/response processing is safe because finding a collision takes at least hours, probably weeks or months.
- Long term signature non-repudiation security depends on the value of that signature — if spending $100 000 is low enough cost for somebody to replace whatever is behind given signature, then that long term signature is not safe if it involves SHA-1 hashes.
Previously the cost level of producing this kind of hash collision has been at levels of so called State Actors. This sub-million cost level is in corporate / criminal organization ball park. Meaning that organizations wanting to do this kind of things have just become a lot more numerous.
When Will SHA-1 Follow MD5?
Both algorithms are built on similar Merkle-Damgård construction, like is also SHA-2 family.
- MD5 hash algorithm was published in 1992.
- First public collision was demonstrated in 2004 taking 1 hour in a computer cluster.
- Collision break in less than 1 second in 2013 with single PC.
- SHA-1 hash algorithm was published in 1995
- First public collision was demonstrated in 2017 taking a bit over 1 year of time with around 100 device years executed during it.
- Public collision demo taking 1 hour or less time in ____ ?
- Collision break in less than 1 second in ____ ?