Three years ago, Ars officially declared the SHA1 cryptographic hash algorithm dead after researchers executed the world’s first known instance of a fatal exploit known as a “collision.” The dead SHA1 horse was beaten again on Tuesday when another research team unveiled a new attack that is significantly more powerful.

The new collision gives attackers more options and flexibility than the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using the SHA1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them. The attack unveiled on Tuesday costs as little as $45,000 to carry out. By contrast, the attack announced in 2017 did not allow forgeries on specific predetermined document prefixes and was estimated to cost $110,000 to $560,000 on the Amazon Web Services platform, depending on how quickly adversaries wanted to execute it.

The new attack is significant. While SHA1 has been slowly phased out over the past five years, it is still far from fully deprecated. It remains the default hash function for certifying PGP keys in the older 1.4 branch of GnuPG, the open source successor to the PGP application for encrypting email and files. Until recently, these SHA1-generated signatures were also accepted by the modern GnuPG branch; they were only rejected after the researchers behind the new collision privately reported their results.

Git, the world’s most widely used system for managing software development among many contributors, still relies on SHA1 to ensure data integrity. Many non-web applications that rely on HTTPS encryption continue to accept SHA1 certificates. SHA1 is still allowed for in-protocol signatures in the Transport Layer Security and Secure Shell protocols.

In a paper presented at this week’s Real World Crypto Symposium in New York City, the researchers warned that any use of SHA1, even if minor or only for backward compatibility, exposes users to the threat of attacks that downgrade encrypted connections to the broken hash function. The researchers said their results underscore the importance of fully phasing out SHA1 as quickly as possible.

“This work shows once and for all that SHA1 should not be used in any security protocol in which the hash function is expected to have a kind of collision resistance,” the researchers wrote. “Continued use of SHA1 for certificates or to authenticate handshake messages in TLS or SSH is dangerous and there is a concrete risk of abuse by a well-motivated opponent. SHA1 has been defective since 2004, but is still used in many security systems. We strongly advise users to remove SHA1 support to avoid downgrade attacks.”

A hashing primer

In short, a hash is a cryptographic fingerprint of a message, file, or other digital input that, like a traditional fingerprint, is meant to be unique. Hashes, also known as message digests, play an important role in ensuring that software updates, cryptographic keys, emails, and other types of messages are the authentic product of a particular person or entity rather than counterfeit input created by an adversary. These digital fingerprints take the form of a fixed-length sequence of numbers and letters produced when the message is fed into a hash algorithm, or function.

The overall security of a hashing scheme rests on the infeasibility of finding two or more different inputs that produce the same fingerprint. A function with an output length of n bits should require a brute-force attacker to test about 2^(n/2) inputs before finding a collision (a mathematical result known as the birthday paradox reduces the number of guesses required and accounts for the n/2 in the exponent). Hash functions with sufficient output length and collision resistance are considered secure because generating a collision would demand an unmanageable amount of time and computing resources from an attacker. Hash functions are considered broken if collisions can be found with fewer than 2^(n/2) attempts.

The 128-bit MD5 hash function was one of the earlier widely used functions to fall to collision attacks. Although researchers warned in 1996 that weaknesses in MD5 could lead to collisions, it remained an important part of software and web authentication for more than two decades.

In 2008, researchers used MD5 collisions to create an HTTPS certificate for a website of their choice. The demonstration eventually persuaded browser-trusted certificate authorities to drop MD5, but the function continued to be widely used for other purposes. MD5 was only fully abandoned for authentication purposes in 2012, when the Flame espionage malware, which the US and Israel reportedly used to spy on sensitive Iranian networks, used a collision attack to hijack Microsoft’s Windows Update mechanism so that Flame could spread from computer to computer within an infected network.

SHA1 has followed a path that is eerily similar to that of MD5. SHA1 was already an important part of official standards for validating software updates, cryptographic keys and other sensitive data, and became even more important after the demise of MD5. But it too had collision weaknesses, known since 2004. The difficulty of switching to newer algorithms with better collision resistance allowed SHA1 to remain in wide use even after 2015, when researchers predicted it could succumb to collision attacks by the end of that year.

SHA1 is dead. Long live SHA1

Around 16 months later, researchers demonstrated the world’s first known collision attack against SHA1. It produced two PDF files that had the same SHA1 hash despite different content. The researchers behind it said the technique could allow a landlord to draft two leases with colliding hashes. The landlord could induce a tenant to digitally sign a document with a low rental price, and later claim that the tenant signed a lease agreeing to a much higher price.

The attack, which cost only $110,000 to execute on Amazon’s cloud computing platform, was described by cryptographers as a classic collision attack. This kind of collision is also called an identical-prefix collision. It occurs when two inputs share the same predetermined prefix, or beginning, but differ in the data that follows. Although the two inputs differ significantly, they can have the same hash value once additional data is appended to the files. In other words, for a hash function H, two different messages M1 and M2 produce the same hash output: H(M1) = H(M2).

Identical-prefix collisions are powerful and a major blow to the security of a hash function, but their usefulness to attackers is also limited. A far more powerful form of collision is the so-called chosen-prefix attack, which was used to carry out the MD5 attacks against the HTTPS certificate system in 2008 and against Microsoft’s update mechanism in 2012. Chosen-prefix collisions are generally much more useful.

This is because chosen-prefix attacks allow attackers to start from two or more different prefixes, as opposed to the single shared prefix in traditional collision attacks, and append data to each so that the results hash to the same value. Given two message prefixes P1 and P2, an attacker can compute two messages M1 and M2 such that H(P1 || M1) = H(P2 || M2), where || denotes “concatenation”, the process of joining the two. A more detailed explanation of chosen-prefix collisions can be found in this 2015 article by Nick Sullivan, head of research and cryptography at content delivery network Cloudflare.
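To make the 2^(n/2) birthday bound from the primer and the H(P1 || M1) = H(P2 || M2) notation above concrete, here is an added illustration (not code from the researchers or from Ars). It truncates SHA-1 to a small n so that a generic birthday search finishes in a fraction of a second; the real 160-bit attack is cryptanalytic shortcut work, not this brute force, and the prefixes used are constructed stand-ins for the certificate headers.

```python
# Added illustration, not the researchers' code: SHA-1 truncated to n bits so the
# generic birthday bound 2^(n/2) the article cites can be observed directly.
import hashlib

def trunc_sha1(data: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-1(data) as an integer (toy hash; n_bits well below 160)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - n_bits)

def prefix_collision(p1: bytes, p2: bytes, n_bits: int):
    """Find suffixes m1, m2 with trunc_sha1(p1 + m1) == trunc_sha1(p2 + m2).

    p1 == p2 gives an identical-prefix collision, p1 != p2 a chosen-prefix one
    (H(P1 || M1) = H(P2 || M2) in the article's notation).  Two tables are
    filled in step, one per prefix, with distinct counter suffixes ("a<i>" for
    p1, "b<i>" for p2) so that m1 != m2 even when the prefixes are equal.  A
    cross-table hit is expected after about 2^(n_bits/2) entries per table.
    Returns (m1, m2, number_of_hash_evaluations).
    """
    table1, table2 = {}, {}
    for i in range(1 << n_bits):          # hard cap; a hit arrives far sooner
        m1, m2 = b"a%d" % i, b"b%d" % i
        h1 = trunc_sha1(p1 + m1, n_bits)
        if h1 in table2:
            return m1, table2[h1], 2 * i + 1
        table1[h1] = m1
        h2 = trunc_sha1(p2 + m2, n_bits)
        if h2 in table1:
            return table1[h2], m2, 2 * i + 2
        table2[h2] = m2
    raise RuntimeError("no collision found")

def is_collision(p1: bytes, m1: bytes, p2: bytes, m2: bytes, n_bits: int) -> bool:
    """True iff the two full inputs differ but agree on the truncated hash."""
    return p1 + m1 != p2 + m2 and trunc_sha1(p1 + m1, n_bits) == trunc_sha1(p2 + m2, n_bits)

if __name__ == "__main__":
    n = 32  # constructed toy size: expect on the order of 2^16 evaluations per table
    # constructed stand-ins for the two identity-certificate headers the paper describes
    victim, attacker = b"uid: victim@example.test", b"uid: attacker@example.test"
    for name, a, b in (("identical-prefix", victim, victim), ("chosen-prefix", victim, attacker)):
        m1, m2, evals = prefix_collision(a, b, n)
        assert is_collision(a, m1, b, m2, n)
        print(f"{name}: {evals} SHA-1 evaluations (birthday bound 2^{n // 2} = {2 ** (n // 2)})")
```

Doubling n by one bit roughly multiplies the work by 1.4, which is why output length, not just the absence of cryptanalytic shortcuts, sets the security margin.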

PGP / GnuPG impersonation

The attack demonstrated on Tuesday is the first known chosen-prefix collision on SHA1. Researchers Gaëtan Leurent of Inria in France and Thomas Peyrin of Nanyang Technological University in Singapore used the collision to mount a PGP/GnuPG impersonation attack. In their Real World Crypto paper, the researchers explain:

The prefixes selected correspond to the headers of two PGP identity certificates with keys of different sizes, an RSA-8192 key and an RSA-6144 key. By exploiting the properties of the OpenPGP and JPEG formats, two public keys can be created: key A with the name of the victim and key B with the name and picture of the attacker, so that the identity certificate which contains the key and the picture of the attacker has the same SHA-1 hash as the identity certificate which contains the victim’s key and name. The attacker can therefore request a signature of his key and his picture from a third party (from the Web of Trust or from a certification body) and transfer the signature to key A. The signature remains valid due to the collision, while the attacker controls key A with the victim’s name, signed by the third party. Therefore, he can pretend to be the victim and sign every document on their behalf.

In a post that further demonstrates the attack, the researchers provided both messageA and messageB. Although they contain different user ID prefixes, both produce the same SHA1 hash, 8ac60ba76f1999a1ab70223f225aefdc78d4ddc0.

The researchers’ results significantly improve the efficiency of SHA1 attacks, with a speedup factor of around 10. Specifically, the new attacks reduce the cost of an identical-prefix collision attack from 2^64.7 to 2^61.2 and the cost of a chosen-prefix collision attack from 2^67.1 to 2^63.4 when executed on a GTX 970 graphics processor.

The researchers carried out the attack over a period of two months on a cluster of 900 Nvidia GTX 1060 GPUs that they had rented online. They said the rented cluster is a much more economical platform than Amazon Web Services and competing cloud services. The attack cost $74,000 a few months ago. Given continued improvements to the implementation and falling computation costs, the researchers believe the same attack would now cost $45,000. They estimate that it will cost $10,000 by 2025. The result: the same chosen-prefix attacks that have been possible against MD5 since 2009 are now practical against SHA1 as well, and will only become more affordable over time.

SHA1: May it (finally) rest in peace

The researchers reported their results privately to the developers of the most affected software. They included developers for:

GnuPG. The developers responded with a countermeasure in November that invalidated SHA1-based identity signatures that were created after January 2019.

CAcert, a certification authority that issues PGP keys. The researchers noticed a large number of CAcert-issued keys with current SHA1 signatures on public key servers. This may indicate that the certification authority continues to use SHA1 to sign user keys. CAcert has identified the problem and plans to move away from SHA1.

OpenSSL, a cryptographic library that continues to accept SHA1 certificates in many security-related contexts. The developers replied that they are considering disabling SHA1 in these contexts.
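The GnuPG countermeasure above is applied server-side in new releases; the user-side counterpart, added here as an example and not taken from the GnuPG project, is a gpg.conf fragment that rejects signatures made over SHA1 and stops producing new ones. The option names are GnuPG’s documented ones; the exact behaviour for key signatures depends on the installed GnuPG version.

```conf
# gpg.conf (added example): treat SHA1 like MD5, which GnuPG already rejects.
# Do NOT set allow-weak-digest-algos, which would reverse this.
weak-digest SHA1

# Key certifications (the signatures the impersonation attack transfers)
# are made over SHA256 instead of the 1.4-era default.
cert-digest-algo SHA256

# Data signatures advertise and prefer SHA-2 family digests.
personal-digest-preferences SHA512 SHA384 SHA256
```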

However, given the variety of applications and protocols that still rely on SHA1 for collision-resistant hashing, the researchers were unable to contact all affected developers. To prevent the attack from being actively exploited in the wild, the researchers are initially withholding many details of the collision.

Matt Green, a professor at Johns Hopkins University who specializes in cryptography, said the results were impressive and underscored the oft-repeated observation that SHA1 can no longer be considered secure.

“For a safe hash function, a (acceleration) factor of 10 shouldn’t make much difference. However, if you limit yourself to something that is almost broken, these types of efficiency really make a difference, especially when there is lots of mining hardware out there,” he said in an interview. “We knew that one shoe fell and this is the next.”