Many organizations may not realize it, but a seismic shift is occurring in the data encryption algorithm landscape. Without careful planning, experts say enterprises may find themselves on shaky ground, committed to an encryption method that could soon crumble at the hands of attackers.
SHA-1 is old enough to vote. I don't think we should let it get old enough to drink.
Ben Jun, chief technology officer, Cryptographic Research Inc.
To its credit, Microsoft is leading the war against weak encryption algorithms that can no longer withstand advanced attack methods. The vendor has already boosted the minimum key-length requirements for RSA-signed digital certificates on all its software, meaning any interaction with an application or system with a key-length smaller than 1,024 bits -- be it a webpage, email system or application server -- would be severely restricted.
Microsoft will make its next move February 11 when it deprecates the use of the vulnerable MD5 hashing algorithm. However, companies making the transition away from MD5 may not realize that SHA-1, a popular alternative algorithm, is next in the firing line.
Why is moving from MD5 to SHA-1 a mistake?
In August 2013, Microsoft announced it would restrict MD5-signed digital certificates used for server authentication, code signing and time stamping via an update to the company's root certificate program. The software giant allowed what experts considered a surprisingly lengthy six-month transition period for enterprises to move away from the algorithm, but on Feb. 11, 2014, those that have yet to act on Microsoft's warning will find most applications using MD5 will malfunction and be unable to establish secure connections, according to Lamar Bailey, director of the vulnerability and exposures research team at Portland, Ore.-based Tripwire Inc.
Bailey said that it's "good to see" Microsoft moving away from MD5, noting that the algorithm has been widely known to be vulnerable dating back to 2005. Still, Bailey said organizations that select SHA-1 as an alternative may unknowingly be forced to make the same transition in less than two years, as Microsoft announced in November 2013 that its software will no longer accept certificates signed using the SHA-1 algorithm after Jan. 1, 2016.
Bailey said that enterprises transitioning away from MD5 should adopt the largely sound SHA-2 algorithm, but said that some organizations may find that internal legacy applications don't work with SHA-2 and gravitate toward SHA-1 instead.
"I would expect some of them to go to SHA-1," Bailey said, because it's still supported by all of Microsoft's products and hence seems like a sensible option, and stakeholders will want to choose an algorithm that serves as a "lowest common denominator" to ensure the broadest possible compatibility among applications.
Ben Jun, chief technology officer of Cryptography Research Inc., a division of Rambus, warned that switching to SHA-1 would be a mistake for enterprises.
The SHA-1 algorithm was originally designed by the National Security Agency (NSA) "at a time when they were a little more trusted to do this," said Jun, referencing the allegations made by rogue former NSA contractor Edward Snowden that the NSA has deliberately sought to weaken certain encryption algorithms. At the time, the NSA's contributions to encryption were generally considered to be helpful, he noted, but cryptographers now worry about the integrity of several major hash functions, including MD5, SHA-1 and SHA-2, all of which came from what Jun called the "same family tree."
"You don't want an inbred hash function, that's probably the best way to describe it," Jun said.
Encryption algorithm attacks possible, for a price
MD5's past may give an indication of what will happen to SHA-1 in the near future, Jun said. A few years after a series of interesting but unrealistic theoretical attacks were discovered, researchers developed numerous catastrophic MD5 attack techniques. It wasn't long before these techniques were employed by attackers.
In October 2012, Jesse Walker, a security researcher with Intel Corp., indicated that the price to pull off a collision attack utilizing SHA-1 would be $2.77 million, based on how much Amazon Web Services charges to rent the estimated amount of necessary compute time. He predicted that by 2015, just before Microsoft's SHA-1 deprecation goes into effect, cost would fall to $700,000.
In validating that estimate, Jun said the cost of compromising known weak encryption algorithms is coming within the reach of cybercriminals, while the NSA and other well-funded nation-state hackers likely can already afford to deploy SHA-1 collision attacks.
Jun indicated that the National Institute of Standards and Technology (NIST) has recently worked to solve some of the problems in SHA-2 that were inherited from SHA-1, and that NIST's selection of Keccak as the winner of its recent Cryptographic Hash Algorithm Competition, which was meant to choose the next-generation SHA-3 algorithm, was reassuring because it "uses a completely different class of hash function."
"We're on the edge of feeling very uncomfortable. This is not a $300,000 attack, but it's not a $30,000,000 attack," Jun said. "That means we should be walking toward the exits, and I think Microsoft's sunsetting is a great idea and the timing of the announcement makes a lot of sense.
"SHA-1 is old enough to vote," Jun said. "I don't think we should let it get old enough to drink."
Bailey agreed with Jun's assessment, saying that he hopes that as the SHA-1 kill date approaches, Microsoft will follow the same, relatively smooth process it has employed for its MD5 deprecation.
"I think we'll see the same thing come around for 2016. Microsoft will hopefully do their bulletin again six months in advance," Bailey said, "and then do a reminder before they completely cut it out. So getting rid of MD5 will be a good test case for them to see how customers react."
History of MD5
Though organizations have nearly two years to move away from SHA-1, the MD5 deprecation date arrives on February 11. Originally published by renowned cryptographer Ron Rivest in 1992, MD5 has long been considered too weak to be used for digital certificates and signatures.
In 2004, a pair of Chinese researchers proved that MD5 was no longer collision-resistant, though they were unable to demonstrate a practical attack. Several more security weaknesses were discovered in the coming years, with perhaps the biggest blow to the algorithm's reputation coming in 2008 when a group of researchers were able to demonstrate how previously theoretical attacks could in fact be used in real-world scenarios to falsify SSL certificates.
Microsoft actually downplayed the threat posed by the MD5-based attack at the time, but when the Flame malware was revealed in 2012, the company could no longer ignore MD5's weaknesses. Much like the researchers before them, Flame's authors were able to generate a fraudulent certificate via an MD5 collision with an insecure Microsoft Terminal Services certificate. The fake certificate then enabled the attackers to spoof a certificate authority (CA) that resembled Microsoft's CA, ultimately allowing them to hijack Windows' update mechanism on compromised machines.
"At that point, there's really no other proof point that you need," Jun said. "It was a demonstrated live attack that targeted a piece of infrastructure based on the ability to generate an MD5 collision very quickly."
Bailey said the publicity surrounding Flame caused many to abandon MD5 back in 2012. With Microsoft's February 11 deadline looming, he wagered that most companies have already completed the "fairly easy" update from MD5 as outlined in a Microsoft Tech Bulletin. The transition requires editing the registry of the affected server to redefine which crypto algorithm the organization wants to use. The process shouldn't be noticeable to end users, but with the important role these algorithms play in enterprise security, the process is "not as easy" as the simple checkbox that Bailey desires.
Regardless of the difficulty involved in replacing MD5, Bailey said organizations that still use it in their environments have no choice but to replace it if they want MD5-backed applications to continue functioning. After February 11, users will not be able to establish secure connections to servers with MD5 still enabled. A small number of applications may be able to fall back to a non-secure connection, according to Bailey, but most will just issue communication errors.
To ensure applications continue to function properly, an enterprise should scan for instances of MD5 in its stock of active certificates, which Bailey said most companies will keep to avoid any potential disruptions caused by expired certificates.
Bailey said that large organizations are most likely to experience issues with legacy applications. Jun agreed, noting that legacy code may not have the "forward-looking compatibility field" necessary to replace MD5. A broken application, however, may be better than one backed by a broken crypto algorithm.
"Where the impact is going to be is in these internal applications that large corporations need to build and maintain, and maybe the guy that developed it is no longer with the company. And that's where they're going to see and have the headaches," Bailey said. "I'm sure they'll have some internal apps that break, but if they're breaking, you've got a security issue that you need to fix anyway."