When a paper demonstrating the first known SHA-1 collision was published last month, it caused quite a stir among the tech community. SHA-1 is still an extremely popular cryptographic hash function, and breaking it wide open could expose a wealth of sensitive information.
“It’s moved from a theoretical attack, to a provable, real-world attack with proofs of concept that are out there in the wild,” said Brian Hanrahan, product manager at endpoint security specialist Avecto, speaking to Digital Trends on the telephone. “So, the probability of someone out there leveraging a SHA-1 collision attack has increased exponentially, because now there’s code that shows how to do it.”
When Google releases the source code behind its findings, anyone who wanted to force a collision for malicious purposes could use it as a template. That sounds dangerous – but is it really the threat it’s made out to be?
“I do think that there’s a lot of panic around this, when there probably oughtn’t be,” said Tod Beardsley, the director of research at security engineering firm Rapid7. “Can criminals run out and use this attack to steal money? I don’t see an application like that.”
“These collisions in SHA-1 required the attackers to have control of both the ‘good’ data and the ‘bad’ data,” Beardsley explained, referring to the two PDF documents that were forced to ‘collide,’ occupying the same SHA-1 hash. “When you control both, it’s kind of game over if you don’t trust that person.”
The paper demonstrated how to cause a collision between two hashes, but both documents were in control of the researchers. In terms of carrying out an attack, this isn’t as useful as being able to force a collision with a hash controlled by someone else.
Beardsley told us of a scenario where someone might want to inject ‘evil code’ into Linux. A SHA-1 collision could be used to do so, but carrying out such an attack would still require impersonating a trusted user in order to control an iteration of the code. While not impossible, the complexity of the task means it is probably within reach only of the largest and most skilled hacking organizations.
Still, a company like Google wouldn’t invest time and effort into its collaborative research with the Centrum Wiskunde & Informatica for no good reason. Though a widespread attack that uses a SHA-1 collision isn’t necessarily imminent, this is important work that will help push internet security standards forward.
A Nudge in the Right Direction
“We’ve had some time, right?” said Beardsley. “We’ve seen this coming down the road. And this is going to be the case for many hashing algorithms. As time goes on, and science gets better, and computers get cheaper, we’re going to find that hashing algorithms will fall over in some cases.”
For the last few years, it’s been clear that SHA-1 was on borrowed time. The companies behind major web browsers like Chrome, Safari, Firefox, and Internet Explorer have already started putting their deprecation plans into action.
“It was around late 2012, early 2013, when all the browser manufacturers got together and said, ‘this is not gonna work anymore, let’s start phasing out certificates that use SHA-1 hashing to validate that the server’s real,’” explained Beardsley. “That all was happening up until December 31 of last year, that’s the point where we were supposed to be all off SHA-1 certificates.”
“People are aggressively moving to SHA-256; Microsoft, Google, all of the major technology companies have been doing that,” said Hanrahan. “I think the impetus that’s going to drive people to do it faster now is that there’s a proven, real-world attack.”
Evidence of the SHA-1 collision, which was published online under the catchy SHAttered moniker to ensure maximum visibility, is of critical importance to the continued effort to transition away from the algorithm. While we’ve known that SHA-1 was theoretically unsafe for some time, it takes more than potential threats to prompt the widespread action necessary to facilitate large-scale deprecation.
The possibility of a SHA-1 collision wasn’t enough to make companies as powerful as Microsoft and Google enforce the switchover to SHA-2. The paper published last month, which makes it a reality, will hopefully force the issue: with the source code out in the open, SHA-1 is something of a sitting duck, even if it is unlikely that attackers would choose to abuse its weaknesses over another, easier strategy.
But why would anyone want to keep SHA-1 in place?
Inertia and the Legacy Problem
When I asked Tod Beardsley why it was so difficult to retire hashing technology like SHA-1, he laughed. “It’s kind to say difficult, I think it’s impossible,” he explained. “I still use MD5 for things, and MD5 has been dead forever. When it comes down to it, in most cases, it’s good enough — this will set cryptographers’ teeth on edge, saying things like that, but that’s kind of the reality of those implementations,” said Beardsley. “I think you have a lot of inertia, when something kind of, mostly, works. It kind of still mostly works. That would describe the whole internet: the internet kind of, mostly, works.”
It’s a classic case of ‘if it ain’t broke, don’t fix it,’ except in this case, the thing in question is very old, and would break if it was struck by a strong wind. Still, it’s inconvenient to replace SHA-1 with something else, especially while it’s still in working order. And there’s another reason why SHA-1 won’t be wiped from the face of the earth completely any time soon. It’s used to hash software, which is far more static than the living, breathing internet.
“The legacy problem is really what needs to be dealt with,” said Hanrahan. “For software that’s been generated in the past, and for which there’s only a SHA-1 hash, you can generate a SHA-256 hash for those files, or whatever entity you’re trying to identify — but you have to start with a known, trusted source.”
He gives the example of writing and compiling a piece of software on his computer, right now. He could hash it with MD5, SHA-1, or SHA-256, and at that time, he would be certain that the hashes relate specifically to that piece of software. However, if he were to compile the software and send it to another person, they would have no way of verifying what the hash was when he created the software. They could produce a SHA-256 hash, but they would have no way of being completely sure that the software hasn’t been tampered with beforehand.
“You can’t go back in time to software houses that are already out of business and ask them to generate a new SHA-2 hash for software that they created 25 years ago,” he explained.
In most cases, you would likely be safe to assume that the SHA-1 hash is legitimate, and generate a SHA-2 hash for that software. However, now that last month’s paper has outlined a way to force a collision between two SHA-1 hashes, there’s an element of doubt. “Using SHA-1 to verify a binary is no longer considered absolutely precise and perfect,” added Hanrahan.
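The re-anchoring step Hanrahan describes (verify a legacy file against the only digest its vendor ever published, then record a SHA-256 digest so that SHA-1 is never consulted again) can be written as a small policy check. The following is an added example for this article, not code from Avecto, Rapid7, Google or CWI; the sample bytes, the “vendor” manifest and the provenance note are all constructed for the demo. The point it makes beyond the text is that the new SHA-256 manifest is only as trustworthy as the source of the old SHA-1 value, so that source is written into the manifest rather than silently forgotten, and SHA-1-only verification has to be an explicit opt-in.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample bytes standing in for an old build whose vendor no longer exists.
# Not a real binary; the "published" SHA-1 below is computed from these bytes at import time.
LEGACY_BUILD = b"legacy-app 1.0 -- constructed sample bytes, not a real binary\n"

SHA2_ALGORITHMS = ("sha256", "sha384", "sha512")


def digest(data: bytes, algorithm: str) -> str:
    """Hex digest of data under a hashlib algorithm name (sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


@dataclass(frozen=True)
class VerifyResult:
    ok: bool
    basis: str   # "sha2", "sha1-legacy" or "rejected"
    detail: str


def verify_against_manifest(data: bytes, manifest: dict,
                            allow_sha1_only: bool = False) -> VerifyResult:
    """Check data against a manifest of {algorithm: hexdigest}.

    Policy: if any SHA-2 digest is present it must match and is the only basis
    for trust. A manifest carrying nothing but a SHA-1 is accepted only when the
    caller explicitly opts in, and the result records that weaker basis.
    """
    strong = {alg: manifest[alg] for alg in SHA2_ALGORITHMS if alg in manifest}
    if strong:
        for alg, expected in strong.items():
            # constant-time comparison so the check itself leaks nothing
            if not hmac.compare_digest(digest(data, alg), expected):
                return VerifyResult(False, "rejected", f"{alg} mismatch")
        return VerifyResult(True, "sha2", "verified by " + ",".join(sorted(strong)))
    if "sha1" in manifest:
        if not allow_sha1_only:
            return VerifyResult(False, "rejected",
                                "manifest has only SHA-1; legacy opt-in required")
        if not hmac.compare_digest(digest(data, "sha1"), manifest["sha1"]):
            return VerifyResult(False, "rejected", "sha1 mismatch")
        return VerifyResult(True, "sha1-legacy", "verified by SHA-1 only")
    return VerifyResult(False, "rejected", "no usable digest in manifest")


def reanchor_legacy(data: bytes, legacy_manifest: dict, source_note: str) -> dict:
    """Turn a SHA-1-only manifest into a SHA-256 one, keeping where the trust came from.

    This is the one-time step the article describes: it is only as good as the
    trust placed in the source of the original SHA-1 value, so that source is
    recorded in the new manifest's provenance field.
    """
    result = verify_against_manifest(data, legacy_manifest, allow_sha1_only=True)
    if not result.ok:
        raise ValueError(f"refusing to re-anchor: {result.detail}")
    return {
        "sha256": digest(data, "sha256"),
        "sha1": digest(data, "sha1"),   # kept for cross-reference, never for verification
        "provenance": {"basis": result.basis, "sha1_source": source_note},
    }


# The vendor's "published" value; constructed here from the sample bytes for the demo.
VENDOR_SHA1_MANIFEST = {"sha1": digest(LEGACY_BUILD, "sha1")}

if __name__ == "__main__":
    new_manifest = reanchor_legacy(LEGACY_BUILD, VENDOR_SHA1_MANIFEST,
                                   "vendor README archived 1998 (constructed note)")
    print(new_manifest)
    print(verify_against_manifest(LEGACY_BUILD, new_manifest))        # sha2 basis
    print(verify_against_manifest(LEGACY_BUILD + b"x", new_manifest))  # rejected
```

Once the re-anchored manifest exists, every later verification goes through the `sha2` branch; the SHA-1 branch is reachable only by passing `allow_sha1_only=True`, which keeps the legacy exception visible in code review and logs instead of being the silent default.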
Evidently, this kind of change in security standards doesn’t come easy. And once SHA-1 has been phased out in favor of SHA-2, what’s to stop the powers that be pushing for a move to SHA-3? Couldn’t this game of catch-up go on indefinitely? No — and we have math to thank for that.
What’s Next, and the Quantum Problem
“With regards to SHA-2, if you think about the enormous computing power that it takes to break a SHA-1 based certificate, it’s not like we’re doubling it to go to SHA-2,” said Hanrahan. “It’s an exponential difference in the amount of computing power that would be required.”
SHA-2 is the successor to SHA-1, and consists of six different functions with varying digest lengths. “It’s not like tomorrow they’re going to turn around and say, ‘oh, we broke SHA-2 now,’ because it’s a computing power problem,” Hanrahan added. “It’s taken basically all the computer power they have to generate one collision for SHA-1, and to show how to do it.”
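Hanrahan’s “exponential difference” can be put in numbers with the generic birthday bound, added here as an illustration rather than a figure from the article: for an ideal hash with an $n$-bit output, finding any collision by brute force costs about $2^{n/2}$ evaluations.

$$
\text{SHA-1: } n = 160 \;\Rightarrow\; 2^{80}, \qquad
\text{SHA-256: } n = 256 \;\Rightarrow\; 2^{128}, \qquad
\frac{2^{128}}{2^{80}} = 2^{48}
$$

So even before any weakness in SHA-1 itself is exploited, a generic collision search against SHA-256 is about $2^{48}$ times (roughly 280 trillion times) more expensive than against SHA-1; the published attack lowered the SHA-1 side of that comparison further, which is why the gap is “exponential” rather than a doubling.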
Outside of vulnerabilities that are being kept secret, it seems that SHA-2 will be sufficient for current hardware. However, when our computers take their next evolutionary step, cryptography must do the same. Quantum computing will change all the rules when it’s practical, according to Beardsley.
“Quantum cryptography tends to favor the secret keeper, rather than the breaker — the cryptanalyst,” he said. “According to what we know about math today, that seems to be the endpoint. We can’t really see beyond that.”
The advent of the quantum computer will make the upheaval caused by the transition from SHA-1 to SHA-2 look minuscule. “[Quantum computing] also, incidentally, breaks all existing cryptography, but from that point on, things get pretty good for the secret keepers.”
Still, once SHA-1 has been deprecated, SHA-2 should be able to keep things safe and secure until the quantum future arrives. That’s why the research carried out by Google and the Centrum Wiskunde & Informatica is so important. It’s not that SHA-1 is going to be used to facilitate an attack imminently, but with a better successor already available, it’s good to encourage companies to use it. That will keep our data safer, and better protect against attacks that would give us real reason to panic.