
“Last year, I walked away saying thank God she didn’t get a break in SHA-1,” says William Burr. “Well, now she has.” Burr, a cryptographer at the National Institute of Standards and Technology in Gaithersburg, Maryland, is talking about Xiaoyun Wang, a Chinese cryptographer with a formidable knack for breaking things. Last year Wang, now at Tsinghua University in Beijing, stunned the cryptographic community by breaking a widely used computer security formula called MD5. This year, to Burr’s dismay, she went further. Much further.

SHA-1 is pretty much the pinnacle of computer security, an algorithm invented and endorsed by the US National Security Agency (NSA) and used in a huge range of security applications. But not for much longer, it seems. “This is a bit like when you see the first water seeping through the dyke,” Burr says. “Will it continue to seep slowly or is it the beginning of the crumbling of the whole thing?”

SHA is short for “secure hash algorithm”. Hash algorithms are mathematical procedures that have a seemingly magical, and extremely useful, ability to “digest” a file of any length, be it a single character or a 20-page document, to produce a fixed-length string of 1s and 0s. They do this by mixing up bits from the document with other bits chosen at random, and then distilling the resulting string of bits down to a particular length (see Diagram). Although the bit string – the hash – is meaningless by itself, it provides a short cut for software that verifies whether documents, digital signatures and passwords contain the information they are meant to.
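The digest behaviour described above, as an added Python example that is not part of the original article: a one-character input and a long document both reduce to 160 bits under SHA-1, a small edit changes the digest, and a stored digest is used to verify a document. The function names and the sample documents are constructed for illustration.

```python
import hashlib
import hmac


def sha1_bits(data: bytes) -> str:
    """Return the SHA-1 digest of data as a string of 1s and 0s."""
    digest = hashlib.sha1(data).digest()
    return "".join(f"{byte:08b}" for byte in digest)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which the SHA-1 digests of a and b differ."""
    da = hashlib.sha1(a).digest()
    db = hashlib.sha1(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def verify(document: bytes, recorded_hex: str) -> bool:
    """Check a document against a digest recorded earlier.

    hmac.compare_digest compares in constant time, so the check does not
    leak how many leading characters matched.
    """
    actual = hashlib.sha1(document).hexdigest()
    return hmac.compare_digest(actual, recorded_hex.lower())


# Constructed sample inputs (not from the article).
SINGLE_CHAR = b"a"
LONG_DOC = b"Pay Alice 100 dollars.\n" * 2000   # roughly 46 KB of text
TAMPERED = LONG_DOC.replace(b"100", b"900", 1)  # one character changed
RECORDED = hashlib.sha1(LONG_DOC).hexdigest()   # digest stored beforehand

if __name__ == "__main__":
    for label, data in (("single char", SINGLE_CHAR), ("long doc", LONG_DOC)):
        bits = sha1_bits(data)
        print(f"{label:12} {len(data):6} bytes -> {len(bits)} bits")
    print("bits changed by the edit:", differing_bits(LONG_DOC, TAMPERED))
    print("original verifies:", verify(LONG_DOC, RECORDED))
    print("tampered verifies:", verify(TAMPERED, RECORDED))
```
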
