I come to bury SHA1, not to praise it

Google and CWI prove vulnerability with the first SHA1 hash collision, which will accelerate adoption of SHA-256


Most cryptography research is theoretical. When a result stops being theoretical, it can become a harmful exploit in practice.

Google and Dutch research institute CWI proved that the SHA1 hash method, first introduced 20 years ago, could produce the same hash from two different documents, using a technique that consumed significant computational resources: 6,500 years of CPU computation to complete the first phase of the attack and 110 years of GPU computation to complete the second phase. The exercise was computationally intensive, but it proved the attack is within the realm of possibility, especially compared to a brute force attack that would require 12 million GPU compute years.

As far as Google and CWI know, this was the first example of a SHA1 collision ever created, though cryptographers have predicted the possibility for many years. It was only possible with the application of Google’s infrastructure, but it proved that a duplicate hash could be computed 100,000 times faster than by a brute force attack. The computing operations were run in parallel, and compute time is proportional to the number of CPUs and GPUs applied to the problem. Even with parallel computing on cloud infrastructure, the project took two years of research, planning and computation to complete.

The first phase would cost $7.4 million if run on Amazon with 100 percent CPU utilization every minute, limiting exploitation of this flaw to well-resourced criminals and nation states. Bruce Schneier reported that Intel’s Jesse Walker estimated that the computing hardware needed to create a SHA1 collision will cost just $43,000 in 2021, well within the budgets of all but the poorest cybercriminals.

Protecting security methods

Moore’s law and new architectures are big risks to protecting security methods. Cryptographers work to improve security by increasing the complexity of cryptographic algorithms to stay ahead of advances in computational capability. What might take a Google data center to crack today might be possible in 10 years using consumer-priced hardware. Another risk is that algorithms more efficient than the one used to create this collision could emerge.

All cryptography relies on generating pseudorandom numbers. SSL, used to encrypt a secure browser session, begins by generating a pseudorandom number in the browser that is used as the basis for encrypting the session. The number is encrypted in the browser with the host’s public key and decrypted upon arrival with the host’s private key. Pseudorandom is not truly random. The only numbers proved to be truly random occur in nature, during the decay of radioactive material. Thus all pseudorandomly generated numbers are flawed.

An attacker who understands a flaw in the pseudorandom number generation method would have a hint about how the computation to recover the encryption key could be narrowed, decreasing computational time. An example of this kind of exploit occurred in 2007, when security researchers found a flaw in the PS3’s ECDSA signature randomization that let them run Linux on the PS3, which Sony had restricted. Hashes play a role in browser security, managing code repositories, signing documents and detecting duplicate files in storage.

Hashes verify that software came from the creator and that the downloaded software matches the creator's version. If the SHA1 hash can be duplicated, software with malicious code could go undetected.

Chrome and Firefox: SHA1 certificates insecure

The Chrome browser development team called for SHA1 to be deprecated three years ago and said that it would be phased out. Starting in January 2017, Chrome considers any website protected with a SHA1 certificate insecure. Firefox has the same change planned for early 2017. Because the vulnerability was understood in theory long before it was demonstrated, sunsetting SHA1 has been under way for a long time. The CA/Browser Forum, a consortium of the certificate authorities used by browsers, deprecated SHA1 in 2011. But older software still uses it and will require updates.

A transition to a new hashing algorithm can be disruptive, though. For example, when the MD5 hashing algorithm was dropped, many companies had to scramble for updates, including users of consumer firewall software. It is recommended that security practitioners migrate to safer cryptographic hashes such as SHA-256 and SHA-3.
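As an added illustration of two points made above, hashes as a download integrity check and the move from SHA1 to SHA-256, here is example code that is not from the article or from Google or CWI: a verifier for a sha*sum-style digest manifest that infers the algorithm from the digest length and refuses to treat a SHA1-only manifest as proof of integrity. The file names, file bytes and manifest contents are constructed for the example.

```python
import hashlib

# Constructed sample release: file names and their bytes are made up.
RELEASE_FILES = {
    "tool-1.0.tar.gz": b"original release bytes\n",
    "tool-1.0.exe": b"original installer bytes\n",
}

# Hex digest lengths for the algorithms a download page commonly lists.
DIGEST_ALGORITHMS = {40: "sha1", 64: "sha256", 128: "sha512"}

# Algorithms the verifier is willing to trust for integrity decisions.
ACCEPTED = {"sha256", "sha512"}


def build_manifest(files, algorithm):
    """Produce '<hexdigest>  <name>' lines as sha*sum tools print them."""
    return "".join(
        f"{hashlib.new(algorithm, data).hexdigest()}  {name}\n"
        for name, data in files.items()
    )


def parse_manifest(text):
    """Map file name -> (algorithm, expected hex digest); skip comments."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hexdigest, _, name = line.strip().partition("  ")
        algorithm = DIGEST_ALGORITHMS.get(len(hexdigest))
        entries[name] = (algorithm, hexdigest.lower())
    return entries


def verify_download(name, data, manifest_text):
    """Return 'ok', 'mismatch', 'missing' or 'weak-algorithm'.

    A SHA1-only manifest is reported as weak even when the digest matches:
    once collisions are practical, a matching SHA1 no longer proves the
    downloaded bytes are the ones the publisher hashed.
    """
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return "missing"
    algorithm, expected = entry
    if algorithm not in ACCEPTED:
        return "weak-algorithm"
    actual = hashlib.new(algorithm, data).hexdigest()
    return "ok" if actual == expected else "mismatch"
```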

SHA1 impacts Google

Google will release the proof-of-concept software used to create the collision in 90 days. It has added protections to Gmail and G Suite to detect and prevent an attack using SHA1 collisions. Google also directed developers of software vulnerable to this type of attack to a detection tool created by CWI and Microsoft, available under an open source license on GitHub.

Preventing breaches and exploits is an arms race between mathematicians and cryptographers on one side and cybercriminals on the other. Like military defense projects, cryptographic methods take years of research, implementation and deployment.
