​Critical flaw demonstrated in common digital security algorithm

Cryptographic experts at Nanyang Technological University, Singapore (NTU Singapore) and the French national research institute for digital sciences INRIA in Paris, have demonstrated a critical security flaw in a commonly used security algorithm, known as SHA-1, which would allow attackers to fake specific files and the information within them, and pass them off as authentic.

The researchers say it lays to rest the ongoing debate about continuing to use SHA-1 as a security algorithm, and they urge companies to quickly move on from using it.

SHA-1 is a hash function, a building block in cryptography used in almost every digital authentication process. They underpin the security of many digital applications in internet banking, web-based communications, and payment portals of online shopping sites.

SHA-1, a hash function designed by the United States’ National Security Agency (NSA) in the early 1990s has been incorporated into many pieces of software and remains in widespread use, but in recent years the security of SHA-1 had been called into question by researchers.

In May 2019, NTU’s Associate Professor Thomas Peyrin, who lectures in its School of Physical and Mathematical Sciences, and INRIA’s Dr Gaëtan Leurent, used improved mathematical methods to devise the first-ever ‘chosen-prefix collision attack’ for SHA-1.

Both researchers also presented their findings at the Real World Crypto Symposium in January this year at New York City, and warned that even if the use of SHA-1 is low or used only for backward compatibility, it will still pose a high risk for users as it is vulnerable to attacks. The researchers said their results highlight the importance of fully phasing-out SHA-1 as soon as possible.