10/8/2015 04:35 PM

Researchers Warn Against Continuing Use Of SHA-1 Crypto Standard

New attack methods have made it economically feasible to crack SHA-1 much sooner than expected.

The SHA-1 security standard, widely used in digital certificates, electronic banking, browsers, and other applications, is weaker than previously thought and susceptible to attacks that are now well within the resources of criminal groups, an international team of cryptanalysts warned Thursday.

Security researchers had previously estimated that it would take at least another two years for so-called collision attacks against SHA-1 to become economically feasible for threat actors.

But a new method, developed by researchers Marc Stevens from CWI (the Netherlands' national research institute for mathematics and computer science), Pierre Karpman from its French counterpart Inria, and Thomas Peyrin from Singapore's Nanyang Technological University, shows the estimates were too conservative.

“We now think that the state-of-the-art attack on full SHA-1 as described in 2013 may cost around $100,000 renting graphics cards in the cloud,” the researchers said in a technical paper describing their attack.

The finding is important because browser makers and certificate authorities (CAs) are currently scheduled to stop accepting SHA-1 signatures only in January 2017. Members of the CA/Browser Forum are in fact currently considering a proposal that would extend the issuance of SHA-1 certificates through the end of 2016.

Approving that proposal would be dangerous, the cryptanalysts said, while strongly recommending that SHA-1 based signatures should be marked as unsafe "much sooner" than that.

Cryptographic hash functions like SHA-1 reduce data (or "messages," in cryptographic terminology) to a fixed-length hash value in such a way that it is considered practically impossible to reconstruct the original input message from the hash value alone.

In theory at least, it should be highly difficult for anyone to find two messages with the same hash value. A collision attack is an attempt to do just that so as to enable malicious actions like creating forgeries of digital signatures.

As far back as 2005, security analysts expressed concern about SHA-1 being susceptible to collision attacks. But many believed that the computational and financial requirements to pull off such an attack would be too prohibitive for anyone to want to try it.

In 2012, noted cryptographer and security researcher Bruce Schneier estimated that it would cost attackers about $700,000 to pull off a successful collision attack on SHA-1 in 2015. He estimated that cost would drop to $173,000 in 2018, a figure that he felt would be within the reach of criminals.

But in a technical paper released Sep. 22, the three researchers presented what they described as an example of a freestart collision attack against SHA-1. The example showed how attackers could use modern graphics cards to achieve a full SHA-1 collision for as little as $100,000 by renting capacity on Amazon's EC2 cloud. According to the researchers, it took just 10 days of computing with a 64-GPU cluster on Amazon's cloud to successfully break the full inner layer of SHA-1.
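To make concrete what breaking the "inner layer" means, here is an added example (not code from the article or from the researchers' paper): SHA-1's compression function written out with the chaining value as an explicit parameter, plus the full hash built on top of it and checked against the standard library. In a freestart collision the attacker may choose both chaining values; in the real hash the IV is fixed, which is why such a pair does not by itself give a full SHA-1 collision. The function names are my own.

```python
import hashlib
import struct

# Standard SHA-1 initial chaining value; a freestart attack lets the attacker pick this.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_compress(chaining_value, block):
    """One call of SHA-1's inner compression function: 80 steps over a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):  # message schedule expansion
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = chaining_value
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input chaining value back into the state.
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(chaining_value, (a, b, c, d, e)))

def sha1(message, iv=SHA1_IV):
    """Full SHA-1: pad the message, then chain the compression function from a fixed IV."""
    bit_len = len(message) * 8
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack(">Q", bit_len)
    h = iv
    for off in range(0, len(padded), 64):
        h = sha1_compress(h, padded[off:off + 64])
    return struct.pack(">5I", *h)

def is_freestart_collision(iv1, block1, iv2, block2):
    """True if two distinct (chaining value, block) pairs map to the same compression
    output. This is the property the 2015 attack achieved on all 80 steps."""
    return (iv1, block1) != (iv2, block2) and sha1_compress(iv1, block1) == sha1_compress(iv2, block2)

def matches_stdlib(message):
    """Sanity check: our construction agrees with hashlib's SHA-1 for the standard IV."""
    return sha1(message) == hashlib.sha1(message).digest()
```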

“The current policy of the retraction of SHA-1 has been strongly guided by Bruce Schneier's estimates of the attack costs,” Stevens says. “What has changed today is that we have shown … these kind of attacks can be done very efficiently and is in fact more cost-efficient,” using graphics cards. “This means that in principle, SHA-1 collisions are within the resources of criminal syndicates two years earlier than previously expected.”

In their paper, Stevens and the other researchers noted that SHA-2 and SHA-3, the successors of SHA-1, are unaffected by the attack method and remain secure. They urged websites, browser makers, and others to move to SHA-2 as soon as possible.

In a blog post, Schneier concurred with the researchers in recommending that SHA-1 should be retired before 2017. Given the continuing advances in computing technologies and efforts by researchers to improve on existing methods, it's not surprising that a new technique is available that dramatically lowers the cost of launching a collision attack on SHA-1, Schneier said.

"What's news," he wrote, "is that our previous estimates may be too conservative."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
SimhaluK693
User Rank: Apprentice
10/14/2015 | 3:56:45 PM
Re: SHA1 vulnerable
Timeline
MD4
------
1990 by Ron Rivest based on Merkle-Damgard

1991 Boer and Bosselaers - pseudo collisions
Same message with two different sets of initial values.
Linear attack on last 2 rounds.
1 millisecond on a 16 MHz IBM PS/2

1996 Dobbertin - Semi freestart collisions.
Few seconds on a PC with Pentium processor.

1997 Dobbertin - Found preimages
Takes less than 1 hr on a PC.

2005 Wang - Full Collisions
Uses 2 blocks (1024 bits)
IBM P690 takes about 1 hour to find pair of first blocks.
Fastest cases take only 15 minutes.
15 seconds to 5 minutes to find the pair of second blocks.

SHA-0
----------
1993 by NIST based on MD4
2004 Biham and Chen - near-collision
2004 Joux - 4 block full collision - 2^51 hash ops
80,000 CPU hours on a supercomputer with 256 Itanium 2 processors.

2008 boomerang attack
2^33.6
Takes less than 1 hour on a PC

MD5
--------
1991 Ron Rivest
128-bit hash value

1996 Dobbertin - Semi-Freestart Collisions
2005 Wang - Full collisions

SHA-1
----------
1995 by NIST based on MD4
160-bit hash value

2005 Wang - Theoretical collision attack

2015 Stevens - Semi-Freestart collisions
All 80 steps
Takes 10 days using
16 * 4 GTX-970 GPUs, 1 Haswell i5-4460 processor and 16GB of RAM
----
TejGandhi1986
User Rank: Apprentice
10/9/2015 | 10:37:17 PM
SHA1 vulnerable
As computers evolve it's becoming easier to break into algorithms. It appears that upgrading the algorithm to SHA2 and SHA3 would be the right way to go ahead. As quantum computers evolve it is just a matter of time when algorithms like SHA2 and SHA3 can also be broken.