Despite years of warnings to remove it due to potentially exploitable weaknesses, the SHA-1 hash algorithm has been broken by researchers who have dev
Despite years of warnings to remove it due to potentially exploitable weaknesses, the SHA-1 hash algorithm has been broken by researchers who have developed the first practical technique for generating collisions with SHA-1. Experts have long advocated for SHA-1 deprecation, but this should be the last nail in the coffin for the hashing algorithm first published in 1995.
The technique makes it possible for attackers to create two PDF documents with the same SHA-1 hash but with different, arbitrary visual content. The attack requires significant computational resources, but it is still 100,000 times faster than a brute force effort, the researchers from Google Research and CWI Amsterdam, the national research institute for mathematics and computer science in the Netherlands, wrote in their paper describing the successful attack.
“Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the GIT versioning system for integrity and backup purposes,” wrote the researchers, Marc Stevens and Pierre Karpman, both at CWI Amsterdam and Elie Bursztein, Ange Albertini and Yarik Markov at Google Research, in the paper describing the collision computation. “A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past eleven years due to the high complexity and computational cost of the attack.”
Security researcher Kenn White pointed out the key message of the news: with SHA-1 hashing algorithm no longer trustable, attackers can make themselves appear to be anyone:
Practical implications for well-funded attackers w/ the SHA-1 break: in many legacy interop scenarios (networks, banking…), I can become you
— Kenn White (@kennwhite)
February 23, 2017
The research team and Ange Albertini, Alex Petit Bianco and Clement Baisse from Google, pushed for SHA-1 deprecation in a blog post announcing the news: “We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.”
According to Google, the collision required 6,500 years of CPU computation to complete the first phase of the attack and 110 years of GPU computation for the second phase. Being able to create two files with that share the same SHA-1 hash allows an attacker to create two versions of the same document.
“The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart. For example, two insurance contracts with drastically different terms,” or, as noted on shattered.it, a companion website that includes a drag-and-drop testing tool for detecting documents with collisions, by “crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.”
Stevens and Dan Shumow from Microsoft Research, posted sha1collisiondetection, an open source library and command line tool for detecting SHA-1 collisions in files. Shumow and Stevens designed the library and command line tool as “near drop-in replacements” for existing SHA-1 tools, but the collision detection tools “compute the SHA-1 hash of any given file and additionally will detect cryptanalytic collision attacks against SHA-1 present in each file.”
Google, following its own vulnerability disclosure policy, will wait 90 days before releasing the code that should cement SHA-1 deprecation by allowing anyone to create “pairs of PDFs with that hash to the same SHA-1 sum given two distinct images with some pre-conditions,” but they have already added protection to Gmail and Google Drive to detect files in which the collision technique has been used.
Many experts have called for SHA-1 deprecation as far back as 2004, when Bruce Schneier first called attention to problems with SHA-1 and MD-5. The SHA-1 deprecation campaign picked up steam in 2015 when researchers reported that a successful brute force attack on the secure hashing algorithm was already within reach for an attacker with relatively little computing resources to create fake websites that appeared legitimate.
In December 2015, Google first announced it was considering accelerating its SHA-1 deprecation timetable in the Chrome browser; version 56 of the browser currently flags SHA-1 signed websites as insecure. Mozilla announced last year that Firefox version 51 would also flag SHA-1 websites and Microsoft has also deprecated support for SHA-1.
Powered by WPeMatico