Hash snag: Security shamans shame SHA-1 standard, confirm crucial collisions citing circa $45k chip cost

Unsafe hashing algorithm really is unsafe

SHA-1 stands for Secure Hash Algorithm but version 1, developed in 1995, isn't secure at all. It has been vulnerable in theory since 2004 though it took until 2017 for researchers at CWI Amsterdam and Google to demonstrate a practical if somewhat costly collision attack.

Last year, crypto-boffins Gaëtan Leurent, from Inria in France, and Thomas Peyrin, from Nanyang Technological University in Singapore, proposed [PDF] a more robust technique, a chosen-prefix collision attack.

And this week, at the Real World Crypto Symposium in the US, they described how they made it work.

"This more powerful attack allows to build colliding messages with two arbitrary prefixes, which is much more threatening for real protocols," said Leurent and Peyrin in a paper, SHA-1 is a Shambles, presented at the conference.

A hash algorithm is a function that mathematically maps input data to another value of fixed length. Think of it as one-way encryption: you convert your input data, however long it is, into a summary or fingerprint that has a set size, with no way of recreating the original from this hash. Changing even a small part of the input data produces a significant change in hash, ideally. The hash is usually a lot smaller than the input.

Hashes are thus used for authentication and related applications: by comparing hashes, you can be sure data hasn't been tampered with while in transit, for instance. A hash collision occurs when two separate inputs produce the same output – obviously not desirable if you're checking, say, checking a stored hash of a password against a hash of a user-supplied password and you want only one specific password to provide access.

A chosen-prefix collision, because it allows the attacker to choose the prefixed content, represents a more serious threat.

Back in 2012, the same year America's National Institute of Standards Technology (NIST) advised against using SHA-1 for applications that require collision resistance, cryptographer Bruce Schneier estimated that the cloud computing bill for carrying out a SHA-1 attack would be about $2.77m. And he projected the cost would fall to about $43,000 by 2021.

In their paper, Leurent and Peyrin put the theoretical cost at $11,000 for a SHA-1 collision and $45,000 for a chosen-prefix collision. To actually carry out their attack required two months of computation time using 900 Nvidia GTX 1060 GPUs. The boffins paid about $75,000 because GPU prices were higher at the time and because they wasted time during attack preparation.

Their attack involved creating a pair of PGP/GnuPG keys with different identities, but colliding SHA-1 certificates, allowing them to impersonate a victim and digitally sign documents in the victim's name.

"Our work shows that SHA-1 is now fully and practically broken for use in digital signatures," the researchers state in their paper. "GPU technology improvements and general computation cost decrease will quickly render our attack even cheaper, making it basically possible for any ill-intentioned attacker in the very near future."

Much of the technical community has already taken action to avoid SHA-1 in vulnerable contexts. Web browsers like Chrome and Firefox stopped accepting SSL SHA-1 certificates in early 2017, followed by Edge and Internet Explorer a few months later.

In November last year, Apple said it would not longer trust SHA-1 certificates in macOS 10.15 and iOS 13. Microsoft took similar steps last year as well.

Usage of SHA-1 is low – Leurent and Peyrin claim about 1 per cent of website certificates still rely on it, down from 20 per cent in 2017. Nonetheless, SHA-1 signatures are still supported in many applications.

"SHA-1 is the default hash function used for certifying PGP keys in the legacy branch of GnuPG (v 1.4), and those signatures were accepted by the modern branch of GnuPG (v 2.2) before we reported our results," they note. "Many non-web TLS clients also accept SHA-1 certificates, and SHA-1 is still allowed for in-protocol signatures in TLS and SSH."

Leurent and Peyrin contacted several affected vendors in the spirit of responsible disclosure, but say they could not notify everyone. GnuPG patched the problem in its November 25, 2019 release so that SHA-1-based identity signatures created after 2019-01-19 are no longer valid.

Weapon of the information wars from Shutterstock

Dev writes Ethereum code for insecure SHA-1 crypto hash function


The researchers note that even if SHA-1 usage is low, miscreant-in-the-middle attacks may downgrade connections to SHA-1. Also, SHA-1 continues to be the foundation of the Git version control system. CAcert, a Certificate Authority for PGP keys, has acknowledged the researchers' concerns but not yet dealt with the issue. And OpenSSL developers, the researchers say, are considering disabling SHA-1 for the security level 1 setting, which calls for at least 80-bit security (SHA-1 produces a 160-bit hash value).

Back in 2017, Git creator Linus Torvalds dismissed concerns about attacks on Git SHA-1 hashes. GitHub, Microsoft's hosted Git service, offered similar reassurance, noting in a blog post that it had implemented collusion detection for each hash it computes and that the open source Git project is developing a plan to move away from SHA-1.

GitHub did not immediately respond to a request for comment.

Evidence of efforts to implement SHA-256 can be seen on the Git mailing list, but the work appears to be ongoing. At the moment, Git developers advise using the collision detection library developed in 2017 and implemented by GitHub to check repo integrity. ®

Similar topics

Other stories you might like

  • Share your experience: How does your organization introduce new systems?

    The answer is rarely obvious. Take part in our short poll and we'll find out together

    Reg Reader Survey The introduction of new systems into an organization is essential. If we stay still, if we continue to rely on legacy systems, if we fail to innovate – well, we (or, in reality, the company) will die. As business guru Sir John Harvey-Jones once put it: “If you are doing things the same way as two years ago, you are almost certainly doing them wrong.”

    But who should lead innovation in our companies? Who should be introducing new systems? The answer is not obvious.

    On one hand, the introduction of new systems into the business should be led by the business. In principle, the people doing the work, dealing with the suppliers, selling to the customers, are best placed to be standing up and saying: “We need the system to do X,” whether their motivation be to reduce cost, increase revenues, make products more efficiently, or even bolster our environmental credentials.

    Continue reading
  • These Rapoo webcams won't blow your mind, but they also won't break the bank

    And they're almost certainly better than a laptop jowel-cam

    Review It has been a long 20 months since Lockdown 1.0, and despite the best efforts of Google and Zoom et al to filter out the worst effects of built-in laptop webcams, a replacement might be in order for the long haul ahead.

    With this in mind, El Reg's intrepid reviews desk looked at a pair of inexpensive Rapoo webcams in search for an alternative to the horror of our Dell XPS nose-cam.

    Rapoo sent us its higher-end XW2K, a 2K 30fps device and, at the other end of the scale, the 720p XW170. Neither will break the bank, coming in at around £40 and £25 respectively from online retailers, but do include some handy features, such as autofocus and a noise cancelling microphone.

    Continue reading
  • It's one thing to have the world in your hands – what are you going to do with it?

    Google won the patent battle against ART+COM, but we were left with little more than a toy

    Column I used to think technology could change the world. Google's vision is different: it just wants you to sort of play with the world. That's fun, but it's not as powerful as it could be.

    Despite the fact that it often gives me a stomach-churning sense of motion sickness, I've been spending quite a bit of time lately fully immersed in Google Earth VR. Pop down inside a major city centre – Sydney, San Francisco or London – and the intense data-gathering work performed by Google's global fleet of scanning vehicles shows up in eye-popping detail.

    Buildings are rendered photorealistically, using the mathematics of photogrammetry to extrude three-dimensional solids from multiple two-dimensional images. Trees resolve across successive passes from childlike lollipops into complex textured forms. Yet what should feel absolutely real seems exactly the opposite – leaving me cold, as though I've stumbled onto a global-scale miniature train set, built by someone with too much time on their hands. What good is it, really?

    Continue reading
  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Continue reading
  • Reg scribe spends week being watched by government Bluetooth wristband, emerges to more surveillance

    Home quarantine week was the price for an overseas trip, ongoing observation is the price of COVID-19

    Feature My family and I recently returned to Singapore after an overseas trip that, for the first time in over a year, did not require the ordeal of two weeks of quarantine in a hotel room.

    Instead, returning travelers are required to stay at home, wear a government-issued tracking device, and stay within range of a government-issued Bluetooth beacon at all times for a week … or else. No visitors are allowed and only a medical emergency is a ticket out. But that sounded easy compared to the hotel quarantine we endured in 2020.

    Continue reading
  • Intel teases 'software-defined silicon' with Linux kernel contribution – and won't say why

    It might enable activation of entirely new features on existing Xeon CPUs … or, you know, not

    Intel has teased a new tech it calls "Software Defined Silicon" (SDSi) but is saying almost nothing about it – and has told The Register it could amount to nothing.

    SDSi popped up around three weeks ago in a post to the Linux Kernel mailing list, in which an Intel Linux software engineer named David Box described it as "a post-manufacturing mechanism for activating additional silicon features".

    "Features are enabled through a license activation process," he wrote. "The SDSi driver provides a per-socket, ioctl interface for applications to perform three main provisioning functions." Those provisioning functions are:

    Continue reading
  • Chip manufacturers are going back to the future for automotive silicon

    Where we're going, we don't need 5nm

    Analysis Cars are gaining momentum as computers on wheels, though chip manufacturers' auto focus isn't on making components using the latest and greatest fabrication nodes.

    Instead, companies that include Taiwan Semiconductor Manufacturing Co and Globalfoundries are turning back the clock and investing billions in factories that use older manufacturing techniques to make chips for vehicles.

    The rapid digitization and electrification of cars has created a giant demand for smaller, more power-efficient auto chips, said Jim McGregor, principal analyst at Tirias Research. He added that cars don't necessarily need the latest manufacturing processes, though, and many are still using analog-based components for various functions.

    Continue reading

Biting the hand that feeds IT © 1998–2021