SHA-1 hashing function has now been “fully and practically broken” by a team that has developed a chosen-prefix collision for it. SHA-1 has been phased out of use in most applications and none of the major browsers will accept certificates signed with SHA-1, while NIST has deprecated it since 2011. But the new result shows that the SHA-1 hashing algorithm is no longer fit for use in protecting machine identities.
For many individual users, the new collision likely won’t have any practical effect, as the major browsers have already moved on from SHA-1, as have the major certificate authorities. However, the new attack is significant.
While SHA-1 has been slowly phased out over the past five years, it remains far from being fully deprecated. It is still the default hash function for certifying PGP keys in the legacy 1.4 version of GnuPG, the open-source successor to PGP application for encrypting email and files. Git, the world's most widely used system for managing software development among multiple people, still relies on SHA-1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA-1 certificates. SHA-1 is also still allowed for in-protocol signatures in the TLS and SSH protocols.
How the exploit works
The new collision is the work of researchers Gaetan Leurent and Thomas Peyrin of Inria France and the Nanyang Technological University in Singapore respectively. While SHA-1 isn’t widely used anymore, it has potential consequences for users of GnuPG and OpenSSL, among other applications. In a paper presented at the Real World Crypto Symposium in New York City, the researchers warned that even if SHA-1 usage is low or used only for backward compatibility, it will leave users open to the threat of attacks that downgrade encrypted connections to the broken hash function. The researchers said their results underscore the importance of fully phasing out SHA-1 as soon as possible.
“This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function,” the researchers wrote. “Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks.”
The new collision gives attackers more options and flexibility than were available with the previous technique. The development means that an attacker could essentially impersonate another person by creating a PGP key that’s identical to the victim’s key. It makes it practical to create PGP encryption keys that, when digitally signed using SHA-1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them.
The chosen-prefix collision is distinct from the SHA-1 collision developed by a team of researchers from Google and the Cryptology Group at Centrum Wiskunde and Informatica in the Netherlands. That work from 2017 showed that it was possible to create two distinct files that would have the same SHA-1 digest and resulted in the browser manufacturers deprecating SHA-1. In the new research, Leurent and Peyrin were able to show that SHA-1 should not be used for digital signatures, either.
In their Real World Crypto paper, the researchers explain:
“The chosen prefixes correspond to headers of two PGP identity certificates with keys of different sizes, an RSA-8192 key and an RSA-6144 key. By exploiting properties of the OpenPGP and JPEG format, we can create two public keys: key A with the victim name, and key B with the attacker name and picture, such that the identity certificate containing the attacker key and picture has the same SHA-1 hash as the identity certificate containing the victim key and name. Therefore, the attacker can request a signature of his key and picture from a third party (from the Web of Trust or from a CA) and transfer the signature to key A. The signature will still be valid because of the collision, while the attacker controls key A with the name of the victim and signed by the third party. Therefore, he can impersonate the victim and sign any document in her name.”
Mitigating the impact
Leurent and Peyrin notified the developers of GnuPG and OpenSSL of their findings and GnuPG has implemented a countermeasure already, while OpenSSL’s developers are considering removing support for SHA-1. Given the number of applications and protocols that continue to rely on SHA-1 for collision-resistant hashes, however, the researchers were unable to contact all affected developers. To prevent the attacks from being actively used in the wild, the researchers are withholding many of the collision details for the time being.
Matt Green, a Johns Hopkins University professor specializing in cryptography, said the results were impressive and underscored the oft-repeated observation that SHA-1 can no longer be considered secure. “For a secure hash function, a [speedup] factor of 10 shouldn’t make much of a difference, but when you’re down to something that’s pretty close to broken, those kinds of efficiencies really make a difference, especially when there’s lots of mining hardware out there,” he said in an interview.
Venafi has warned that it was high time for businesses to replace their SHA-1 certificates, otherwise they risk being hit by breaches, fines and reputational damage. Contact the Venafi experts to see how we can accelerate your migration to SHA-2.