New attack sounds death knell for widely used SHA-1 crypto hash function

SHA-1 is definitely, provenly dead, as a group of researchers from CWI Institute in Amsterdam and Google have demonstrated the first practical technique for generating a collision.

What is SHA-1?

SHA-1 is a cryptographic hash function that has been used for years now to assure data integrity. It has been used in distributed software revision control systems (to identify revisions and to detect data corruption or tampering), to sign security certificates, and for many other things. NIST deprecated it in 2011.

“A collision occurs when two distinct pieces of data—a document, a binary, or a website’s certificate—hash to the same digest [typically a 40-digits-long hexadecimal number],” Google researchers explained.

“In practice, collisions should never occur for secure hash functions. However if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision. The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart.”

The SHAttered attack

It has been known for a while that SHA-1 is flawed, and it was only a matter of time until a practical collision attack is demonstrated. These researchers have been working on it for two years, and have finally succeeded in creating two documents with different contents that would hash to the same SHA-1 digest.

“In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed,” they noted.

For more technical details about the computational setup and the approach they tool, you can check out the researchers’ paper. They’ve also provided a tool that the public can use to test files.

“It is based on the concept of counter-cryptanalysis and it is able to detect known and unknown SHA-1 cryptanalytic collision attacks given just a single file from a colliding file pair,” they explained.

What now?

“Any application that relies on SHA-1 for digital signatures, file integrity, or file identification is potentially vulnerable. These include: digital certificate signatures, email PGP/GPG signatures, software vendor signatures, software updates, ISO checksums, backup systems, deduplication systems, GIT, and so on,” the researchers noted.

They have announced that 90 days from today, they will be releasing the code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum. So every service that uses the doomed hash function has three months to deprecate it.

Google has already added protections for Gmail and GSuite users that detect this particular PDF collision technique. TLS/SSL certificates for HTTPS-protected websites are mostly safe, too.

“Any Certification Authority abiding by the CA/Browser Forum regulations is not allowed to issue SHA-1 certificates anymore. Furthermore, it is required that certificate authorities insert at least 20 bits of randomness inside the serial number field. If properly implemented this helps preventing a practical exploitation,” the researchers noted.

Chrome already flags websites protected with a SHA-1 certificate as insecure, and Firefox will begin to do the same very soon.

“Google’s proof of concept, and the promise of a public release of tools may turn this from a hypothetical issue to a real, albeit expensive one,” David Chismon, Senior Security Consultant at MWR InfoSecurity, commented the revelation.

“The attack still requires a large amount of computing on both CPUs and GPUs but is expected to be within the realm of ability for nation states or people who can afford the cloud computing time to mount a collision attack. In an interesting but possibly unrelated note, Google yesterday announced the ability to reasonably cheaply rent GPU cloud computers.”

“Hopefully these new efforts of Google of making a real-world attack possible will lead to vendors and infrastructure managers quickly removing SHA-1 from their products and configuration as, despite it being a deprecated algorithm, some vendors still sell products that do not support more modern hashing algorithms or charge an extra cost to do so. However, whether this happens before malicious actors are able to exploit the issue for their benefit remains to be seen,” he concluded.

There is currently no indication that an attack such as this has ever been effected in the wild.

The researchers hope that SHAttered will convince the industry to quickly move to using the SHA-256 or SHA-3 cryptographic hash functions.