0

What would be the implications of finding a collision in the SHA-2 hash function?

Would there be a greater impact if more than one were found, or would it be the same in principle?

esote

1 Answer

3

First, there are different types of hash collisions. The simpler and more likely case is that it is possible to create two documents which result in the same hash value ("collision attack"). The harder case is to find a collision for a specific given document so that both result in the same hash value ("second pre-image attack") or to find a document matching a specific hash value ("first pre-image attack"). This is also the case which has more security impact.

A major use of SHA-2 is the creation of signatures. If it were possible to create a document which results in the same hash as another given document, one could successfully reuse the signature of the other document. This means it can be used to successfully claim that a document was signed by a specific entity even though this entity never signed this document.
One very important type of such documents is X509 certificates, which are used for authentication within TLS (and thus HTTPS). Successfully forging such a certificate thus means that a man in the middle attack could be possible.
Other users of such signatures are S/MIME, where forging a signature would mean that one could claim that a specific forged mail was signed by a specific person. Such signatures are also used for signing software, and forging a signature here would mean successfully passing through white lists where the trust in a piece of software (and the ability to execute it) is based on the issuer of this software.

If it is not possible to create a collision to a specific document, but it is possible to create two documents resulting in the same hash, it would still be a serious issue. For example, this could be used to create two versions of a contract which both result in the same hash. The cheating party could then later use the previously created different version of the contract with different rules and claim that this is the original version because it contains the same signature.

For more information see RFC 4270 - Attacks on Cryptographic Hashes in Internet Protocols. Also of interest might be "Crypto breakthrough shows Flame was designed by world-class scientists", which shows how attacks against the older hash function MD5 were successfully used in a real-life targeted attack.

Would there be a greater impact if more than one were found, or would it be the same in principle?

While this might be worse it would probably not be much worse compared to the initial problem.

Steffen Ullrich
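The difference between the collision case and the second pre-image case described in the answer, as an added example that is not part of the original post: it truncates SHA-256 to 16 bits so both searches finish quickly, and uses an HMAC over the digest as a stand-in for a real hash-then-sign signature. The digest width, key, document strings and function names are all constructed for the illustration.

```python
import hashlib, hmac, itertools

BITS = 16  # toy digest width (assumption); real SHA-256 outputs 256 bits

def toy_hash(msg: bytes) -> int:
    """SHA-256 truncated to BITS bits so the searches below finish quickly."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - BITS)

def sign(key: bytes, msg: bytes) -> bytes:
    """Hash-then-sign stand-in: an HMAC over the digest plays the signature."""
    digest = toy_hash(msg).to_bytes(4, "big")
    return hmac.new(key, digest, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, msg), sig)

def find_collision(prefix_a: bytes, prefix_b: bytes):
    """Collision case: both documents are free to vary (birthday search)."""
    seen = {}
    for i in itertools.count():
        a = prefix_a + str(i).encode()
        seen[toy_hash(a)] = a
        b = prefix_b + str(i).encode()
        if toy_hash(b) in seen:
            return seen[toy_hash(b)], b, 2 * (i + 1)  # documents tried

def find_second_preimage(target: bytes, prefix: bytes):
    """Second pre-image case: the target document was fixed by someone else."""
    wanted = toy_hash(target)
    for i in itertools.count():
        m = prefix + str(i).encode()
        if m != target and toy_hash(m) == wanted:
            return m, i + 1  # documents tried

if __name__ == "__main__":
    key = b"constructed-demo-key"
    a, b, work_c = find_collision(b"Rent is 500 EUR #", b"Rent is 900 EUR #")
    print("collision after", work_c, "documents; signature transfers:",
          verify(key, b, sign(key, a)))
    fixed = b"Contract signed last year: rent is 500 EUR"
    m, work_s = find_second_preimage(fixed, b"Rent is 900 EUR #")
    print("second pre-image after", work_s, "documents; signature transfers:",
          verify(key, m, sign(key, fixed)))
```

With an n-bit digest the birthday search needs on the order of 2^(n/2) documents while the second pre-image search needs on the order of 2^n, which is why the collision case is the one expected to fall first.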