Vulnerabilities / Threats
10/8/2015
04:35 PM

Researchers Warn Against Continuing Use Of SHA-1 Crypto Standard

New attack methods have made it economically feasible to crack SHA-1 much sooner than expected.

The SHA-1 security standard, widely used in digital certificates, electronic banking, browsers, and other applications is weaker than previously thought and susceptible to attacks that are now well within the resources of criminal groups, an international team of cryptanalysts warned Thursday.

Security researchers had previously estimated that it would take at least another two years for so-called collision attacks against SHA-1 to become economically feasible for threat actors.

But a new method, developed by researchers Marc Stevens from CWI (the Netherlands’ national research institute for mathematics and computer science), Pierre Karpman from its French counterpart Inria, and Thomas Peyrin from Singapore’s Nanyang Technological University, shows the estimates were too conservative.

“We now think that the state-of-the-art attack on full SHA-1 as described in 2013 may cost around $100,000 renting graphics cards in the cloud,” the researchers said in a technical paper describing their attack.

The finding is important because browser makers and certificate authorities (CA) are currently scheduled to stop accepting SHA-1 signatures only in January 2017. Members of the CA/Browser forum are in fact currently considering a proposal that would extend the issuance of SHA-1 certificates through the end of 2016.

Approving that proposal would be dangerous, the cryptanalysts said, strongly recommending that SHA-1-based signatures be marked as unsafe “much sooner” than that.

Cryptographic hash functions like SHA-1 condense data, or "messages" in cryptospeak, into a fixed-size hash value in a fashion where it is considered practically impossible to reconstruct the original input message from just the hash value.

In theory at least, it should also be highly difficult for anyone to find two messages with the same hash value. A collision attack is an attempt to do just that, enabling malicious actions such as forging digital signatures.

As far back as 2005, security analysts expressed concern about SHA-1 being susceptible to collision attacks. But many believed that the computational and financial requirements to pull off such an attack would be too prohibitive for anyone to want to try it.

In 2012, noted cryptographer and security researcher Bruce Schneier estimated that it would cost attackers about $700,000 to pull off a successful collision attack on SHA-1 in 2015. He estimated that cost would drop to $173,000 in 2018; a figure that he felt would be within the reach of criminals.

But in a technical paper released Sept. 22, the three researchers presented what they described as an example of a freestart collision attack against SHA-1. The example showed how attackers could use modern graphics cards to achieve a full SHA-1 collision for as little as $100,000 by renting capacity on Amazon’s EC2 cloud. According to the researchers, it took just 10 days of computing with a 64-GPU cluster on Amazon’s cloud to break the full inner layer of SHA-1.

“The current policy of the retraction of SHA-1 has been strongly guided by Bruce Schneier's estimates of the attack costs,” Stevens says. “What has changed today is that we have shown … these kind of attacks can be done very efficiently and is in fact more cost-efficient,” using graphics cards. “This means that in principle, SHA-1 collisions are within the resources of criminal syndicates two years earlier than previously expected.”

In their paper, Stevens and the other researchers noted that SHA-2 and SHA-3, the successors of SHA-1, are unaffected by the attack method and remain secure. They urged websites, browser makers, and others to move to SHA-2 as soon as possible.
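A defender's first step toward the SHA-2 migration the researchers urge is an inventory of which certificates are still SHA-1 signed. The stdlib-only Python below is an added example, not code from the paper or from Dark Reading: it walks the outer Certificate SEQUENCE of a DER-encoded certificate, decodes the signatureAlgorithm OID, and flags the SHA-1-based algorithms. The OID values are the standard RFC 3279/5758 assignments; the two certificate stand-ins at the bottom are constructed, minimal DER skeletons, not real certificates (a real certificate's bytes, e.g. from `ssl.get_server_certificate` converted to DER, can be passed to the same functions).

```python
# OIDs of signature algorithms built on SHA-1 (RFC 3279 / RFC 5758).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(cert_der):
    """Dotted OID from the outer Certificate.signatureAlgorithm field."""
    tag, body, _ = _read_tlv(cert_der, 0)
    _, _, after_tbs = _read_tlv(body, 0)  # skip tbsCertificate
    alg_tag, alg_body, _ = _read_tlv(body, after_tbs)
    oid_tag, oid_raw, _ = _read_tlv(alg_body, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER Certificate with an AlgorithmIdentifier")
    return _decode_oid(oid_raw)

def sha1_signature_name(cert_der):
    """Algorithm name if the certificate is SHA-1 signed, otherwise None."""
    return SHA1_SIGNATURE_OIDS.get(signature_algorithm_oid(cert_der))

def _skeleton_cert(oid_hex):
    """Constructed stand-in, not a real certificate: SEQUENCE { tbs, alg, sig }."""
    oid = bytes.fromhex(oid_hex)
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"  # OID + NULL params
    alg = b"\x30" + bytes([len(alg)]) + alg
    body = b"\x30\x02\x05\x00" + alg + b"\x03\x02\x00\x00"  # dummy tbs, empty sig
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA_CERT = _skeleton_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA_CERT = _skeleton_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Only the outer signatureAlgorithm is inspected; a full audit should also check every intermediate in the chain, since a SHA-2 leaf under a SHA-1 intermediate inherits the weakness.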

In a blog post, Schneier concurred with the researchers in recommending that SHA-1 should be retired before 2017. Given the continuing advances in computing technologies and efforts by researchers to improve on existing methods, it’s not surprising that a new technique is available that dramatically lowers the cost of launching a collision-attack on SHA-1, Schneier said.

“What’s news,” he wrote, “is that our previous estimates may be too conservative.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Comments
SimhaluK693, User Rank: Apprentice
10/14/2015 | 3:56:45 PM
Re: SHA1 vulnerable
Timeline
MD4
------
1990 by Ron Rivest based on Merkle-Damgård

1991 Boer and Bosselaers - pseudo collisions
Same message with two different sets of initial values.
Linear attack on last 2 rounds.
1 millisecond on a 16 MHz IBM PS/2

1996 Dobbertin - Semi freestart collisions.
Few seconds on a PC with Pentium processor.

1997 Dobbertin - Found preimages
Takes less than 1 hr on a PC.

2005 Wang - Full Collisions
Uses 2 blocks(1024 bits)
IBM P690 takes about 1 hour to find pair of first blocks.
Fastest cases take only 15 minutes.
15 seconds to 5 minutes to find the pair of second blocks.

SHA-0  
----------
1993 by NIST based on MD4
2004 Biham and Chen near-collision
2004 Joux - 4 block full collision - 2^51 hash ops
80,000 CPU hours on a supercomputer with 256 Itanium 2 processors.

2008 boomerang attack
2^33.6
Takes less than 1 hour on a PC

MD5
--------
1991 Ron Rivest
128-bit hash value

1996 Dobbertin - Semi - FreeStart Collisions
2005 Wang - Full collisions

SHA-1
----------
1995  by NIST based on MD4
160-bit hash value

2005 Wang - Theoretical collision attack

2015 Stevens - Semi-freestart collisions
All 80 steps
Takes 10 days using
16 * 4 GTX-970 GPUs, 1 Haswell i5-4460 processor and 16GB of RAM
----
TejGandhi1986, User Rank: Apprentice
10/9/2015 | 10:37:17 PM
10/9/2015 | 10:37:17 PM
SHA1 vulnerable
As computers evolve it's becoming easier to break into algorithms. It appears that upgrading the algorithm to SHA2 and SHA3 would be the right way to go ahead. As quantum computers evolve it is just a matter of time when algorithms like SHA2 and SHA3 can also be broken.