How We Created the First SHA-1 Collision and What it Means for Hash Security

Explore the groundbreaking discovery of the first SHA-1 collision in this Black Hat conference talk. Delve into the intricate process of developing a meaningful payload, scaling computation to massive levels, and overcoming unexpected cryptanalytic challenges. Learn about cryptographic hash functions, their applications, and various attack methods including second preimage and chosen-prefix attacks. Examine the Merkle-Damgård construction, unrolled SHA-1 compress function, and the nuances of SHA-1 cryptanalysis. Discover how the team carefully chose prefixes to improve attacks and created smart prefixes like JPEG embedded in PDF. Gain insights into scaling computation, efficient GPU usage, and the role of counter-cryptanalysis in mitigating security issues. Understand the implications for widely-used systems like GIT and Gmail, and explore the future of hash security through diversity. Walk away with key takeaways on the significance of this breakthrough in cryptography and its impact on hash security.

Intro
What is a cryptographic hash function?
What are secure hash functions used for?
Second preimage attack
The need for cryptanalysis
The Merkle-Damgård construction
Unrolled SHA-1 compress function
SHA-1 cryptanalysis in a nutshell
Two block collision
Fixed prefix attack (SHA-1)
Carefully choosing prefix to improve attack
Chosen-prefix: MDS SSL certificate forgery
Malware MD5 certificate
Attack feasibility
Attack overview
Smart prefix: JPEG embedded in PDF
Scaling computation
Developing the full collision attack
Making efficient use of GPUs
Phase 2 production rate per step
Computational cost comparison
Counter-cryptanalysis to the rescue!
GIT is using SHA-1 for foreseeable future
Mitigating GIT issues with counter-cryptanalysis
Google scans incoming documents
Why scan files for collision?
Gmail counter-cryptanalysis cost
The future of hash security is diversity
Takeaways