写在泳池边上

这是一篇写在Antara apartment一楼泳池边上的随笔。

今天起来收到一条推送消息，说SHA-1被破解了，google搞的事，如果你不是IT从业者，那么以下内容你可以直接无视，因为你看不懂。

我是一个程序员，但是我一开始并不知道这条消息的重要性，因为我不知道SHA-1是个什么鬼。

好了，现在跟随我的步伐走一遍：SHA-1从入门到放弃（PS：我都是google出来的，我只是搬运工）。

what the hell is SHA-1? here is the digest from wikipeia:

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST.[3] SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.

SHA-1 is no longer considered secure against well-funded opponents. In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use,[4] and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.[5][6][7] Microsoft,[8] Google,[9] Apple[10] and Mozilla[11][12][13] have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017.

On February 23, 2017 CWI Amsterdam and Google announced a practical collision attack against SHA-1,[14][15] publishing two dissimilar PDF files which produce the same SHA-1 hash as proof of concept.[16]

我尝试着用我这蹩脚的英语翻译个大概给大家听：

SHA-1是高逼格密码界的一种加密算法，由老美国家安全机构设计并发行，SHA-1算法，就是将任何信息：图片、声音、文字、文件换算成40长度的16进制数字-下文称之为摘要。算法刚出来的时候，傲娇的宣称世界上不可能存在两个信息的摘要是一样的。

但是google今天打了老美的脸，发布了两个不一样的pdf文件，摘要是一样的。这两张pdf就是一张宣纸，宣告SHA-1不再是一种安全的加密算法。SHA-1已死。

其实在2005年的时候就理论上发现了SHA-1不安全，知道今天，google终于着找到了确切的证据。

好了，就一句话，以后不要用SHA-1就对了。