Sergey Nivens - Fotolia
Despite years of warnings to remove it due to potentially exploitable weaknesses, the SHA-1 hash algorithm has been broken by researchers who have developed the first practical technique for generating collisions with SHA-1. Experts have long advocated for SHA-1 deprecation, but this should be the last nail in the coffin for the hashing algorithm first published in 1995.
The technique makes it possible for attackers to create two PDF documents with the same SHA-1 hash, but with different, arbitrary visual content. The attack requires significant computational resources, but it is still 100,000 times faster than a brute-force effort, according to researchers from Google Research and CWI Amsterdam, the national research institute for mathematics and computer science in the Netherlands.
"Despite its deprecation, SHA-1 remains widely used in 2017 for document and TLS certificate signatures, and also in many software such as the Git versioning system for integrity and backup purposes," wrote CWI Amsterdam's Marc Stevens and Pierre Karpman and Google Research's Elie Bursztein, Ange Albertini and Yarik Markov, in the paper describing the collision computation. "A key reason behind the reluctance of many industry players to replace SHA-1 with a safer alternative is the fact that finding an actual collision has seemed to be impractical for the past 11 years due to the high complexity and computational cost of the attack."
Security researcher Kenn White pointed out the key message of the news: With SHA-1 hashing algorithm no longer trustable, attackers can make themselves appear to be anyone.
Practical implications for well-funded attackers w/ the SHA-1 break: in many legacy interop scenarios (networks, banking…), I can become you— Kenn White (@kennwhite) February 23, 2017
The research team, along with Albertini, Alex Petit-Bianco and Clement Baisse from Google, pushed for SHA-1 deprecation in a blog post announcing the news. "We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256."
According to Google, the collision required 6,500 years of CPU computation to complete the first phase of the attack and 110 years of GPU computation for the second phase. Being able to create two files with that share the same SHA-1 hash allows an attacker to create two versions of the same document.
"The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart." For example, an attacker could craft two colliding PDF files as two otherwise identical rental agreements that differ only by the amount of rent to be paid. "It is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract," as the example given on the researcher's companion website explains. The companion site, shattered.it, also includes a drag-and-drop tool for detecting files that have been crafted to produce a SHA-1 collision.
Stevens and Dan Shumow from Microsoft Research posted on GitHub sha1collisiondetection, an open source library and command-line tool for detecting SHA-1 collisions in files. Shumow and Stevens designed the library and command-line tool as "near drop-in replacements" for existing SHA-1 tools, but the collision detection tools "compute the SHA-1 hash of any given file and additionally will detect cryptanalytic collision attacks against SHA-1 present in each file."
Google, following its own vulnerability disclosure policy, will wait 90 days before releasing the code that should cement SHA-1 deprecation by allowing anyone to create "pairs of PDFs with that hash to the same SHA-1 sum given two distinct images with some pre-conditions." But Google has already added protection to Gmail and Google Drive to detect files in which the collision technique has been used.
Many experts have called for SHA-1 deprecation as far back as 2004, when cryptographer Bruce Schneier first called attention to problems with SHA-1 and MD-5. The SHA-1 deprecation campaign picked up steam in 2015, when researchers reported that a successful brute-force attack on the secure hashing algorithm was already within reach for an attacker with relatively little computing resources to create fake websites that appeared legitimate.
In December 2015, Google first announced it was considering accelerating its SHA-1 deprecation timetable in the Chrome browser; version 56 of the browser currently flags SHA-1-signed websites as insecure. Mozilla announced last year that Firefox version 51 would also flag SHA-1 websites, and Microsoft has also deprecated support for SHA-1.
Find out more about the potential for risk from open source software in the enterprise
Learn about the basics of using Git for version control
Read about the transition to SHA-2