Encryption & Key Management , Next-Generation Technologies & Secure Development , Security Operations

SHA-1 Has Fallen

Practical Attack Demonstrated Against Deprecated Cryptographic Hash

Researchers claim the "SHAttered attack" can be used to break anything that still uses the legacy SHA-1 cryptographic hash function. (Logo: Shattered.io)

The Secure Hash Algorithm-1 - aka SHA-1 - legacy cryptographic hash function has fallen.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

"We have broken SHA-1 in practice," wrote a group of researchers from the Centrum Wiskunde & Informatica research center in Amsterdam and Google on Feb. 23. A research paper from CWI's Marc Stevens and Pierre Karpman and Google's Ange Albertini, Elie Bursztein and Yarik Markov says the group's so-called "SHAttered attack" can be used to compromise anything that relies on SHA-1.

Cryptographic hash functions are meant to compute the hash value of data and then allow that data to later be verified without giving away the actual value of the data. By using a collision attack, however, attackers could pass off a fake as the real thing, ranging from the TLS/SSL digital certificates used by web browsers, to vendors' digitally signed software updates, to GPG/PGP-signed email messages.

"Today, many applications still rely on SHA-1, even though theoretical attacks have been known since 2005, and SHA-1 was officially deprecated by NIST in 2011," the group writes, referring to the U.S. National Institute of Standards and Technology.

The researchers have released more information on a dedicated site, Shattered.io, which also enables users to upload files to see if they've been designed to execute a cryptanalytic collision attack against SHA-1. A free tool designed for the same purpose is also available via GitHub.

"We hope our practical attack on SHA-1 will increase awareness and convince the industry to quickly move to safer alternatives, such as SHA-256," the group says.

The good news, however, is that "as far as we know, our example collision is the first ever created," the group says. It also does not believe that the attack has ever been "abused in the wild."

Source: Shattered.io.

Launching such attacks wouldn't be easy. "The attack still requires a large amount of computing on both CPUs and GPUs, but is expected to be within the realm of ability for nation-states or people who can afford the cloud computing time to mount a collision attack," says David Chismon, senior security consultant at the consultancy MWR InfoSecurity. "In an interesting but possibly unrelated note, Google yesterday announced the ability to reasonably cheaply rent GPU cloud computers."

For now, however, launching such attacks remains an expensive proposition, says Mikko Hypponen, chief research officer at security firm F-Secure.

It would cost around $500,000-$800,000 to replicate the computational effort Google did to break SHA-1 (at list prices). Hat tip: @frank_be. https://t.co/9siCHd1yi2 — Mikko Hypponen (@mikko) February 23, 2017

NIST's SHA-1 Warning

The writing has been on the wall for SHA-1 for some time. In 2005, cryptographer Bruce Schneier, responding to the first-ever theoretical collision attack that was demonstrated against SHA-1 by three Chinese researchers, showing how SHA-1 might one day be cracked, said that "we need to get to work replacing SHA."

There are two risks. "One-way hash functions are supposed to have two properties," Schneier wrote at the time. "One, they're one-way. This means that it is easy to take a message and compute the hash value, but it's impossible to take a hash value and recreate the original message. (By 'impossible' I mean 'can't be done in any reasonable amount of time.') Two, they're collision-free. This means that it is impossible to find two messages that hash to the same hash value."

Also in 2005, NIST warned that "federal agencies should stop using SHA-1 for generating digital signatures, generating time stamps and for other applications that require collision resistance."

Delayed Response

Yet SHA-1 use still continues. "We knew SHA-1 was dodgy, but sometimes it takes product vendors longer to react than for the prediction to come true," says Alan Woodward, a professor at the University of Surrey, citing a 2012 report from cryptographer Jesse Walker, who predicted that SHA-1 might fall by 2018.

"A collision attack is ... well within the range of what an organized crime syndicate can practically budget by 2018, and a university research project by 2021," Walker reportedly said in 2012, according to comments recorded at the time by Schneier.

SHA-1 must now definitely, positively, absolutely be consigned to the dustbin, even if you were a doubter - https://t.co/ZP5dNSTRUa — Alan Woodward (@ProfWoodward) February 23, 2017

But some products continue to support SHA-1. Microsoft, for one, had announced a plan to block the use of SHA-1 in Windows, starting with updates to be released this month. But those updates apparently have been delayed on quality control grounds, notes Liverpool, England-based security architect Kevin Beaumont.

I should also say SHA-1 attacks are also completely and utterly impractical still for 99.999% of cases. — Kevin Beaumont (@GossiTheDog) February 23, 2017

Some Browsers, Services are Safe

Anyone still employing SHA-1 should "consider using safer alternatives, such as SHA-256 or SHA-3," says the group of researchers behind Shattered.io.

"If you use Chrome, you will be automatically protected from insecure TLS/SSL certificates, and Firefox has this feature planned for early 2017," the researchers say.

"Files sent via Gmail or saved in Google Drive are already automatically tested against this attack," they add.