Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/8/2015
04:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Researchers Warn Against Continuing Use Of SHA-1 Crypto Standard

New attack methods have made it economically feasible to crack SHA-1 much sooner than expected.

The SHA-1 security standard, widely used in digital certificates, electronic banking, browsers, and other applications is weaker than previously thought and susceptible to attacks that are now well within the resources of criminal groups, an international team of cryptanalysts warned Thursday.

Security researchers had previously estimated that it would take at least another two years for so-called collision attacks against SHA-1 to become economically feasible for threat actors.

But a new method, developed by researchers Marc Stevens from CWI -- The Netherlands’ national research institute for math and computer science -- Pierre Karpman from French counterpart Inria, and Thomas Peyrin from Singapore’s Nayang Technological University, shows the estimates were too conservative.

“We now think that the state-of-the-art attack on full SHA-1 as described in 2013 may cost around $100,000 renting graphics cards in the cloud,” the researchers said in a technical paper describing their attack.

The finding is important because browser makers and certificate authorities (CA) are currently scheduled to stop accepting SHA-1 signatures only in January 2017. Members of the CA/Browser forum are in fact currently considering a proposal that would extend the issuance of SHA-1 certificates through the end of 2016.

Approving that proposal would be dangerous, the cyrptanlaysts said, while strongly recommending that SHA-1 based signatures should be marked as unsafe “much sooner” than that.

Cryptographic hash functions like SHA-1 basically encrypt data—or "messages" in cryptospeak--in a fashion where it is considered practically impossible to reconstruct the original input message from just the hash value.

In theory at least, it should be highly difficult for anyone to find two messages with the same hash value. A collision attack is an attempt to do just that so as to enable malicious actions like creating forgeries of digital signatures.

As far back as 2005, security analysts expressed concern about SHA-1 being susceptible to collision attacks. But many believed that the computational and financial requirements to pull off such an attack would be too prohibitive for anyone to want to try it.

In 2012, noted cryptographer and security researcher Bruce Schneier estimated that it would cost attackers about $700,000 to pull off a successful collision attack on SHA-1 in 2015. He estimated that cost would drop to $173,000 in 2018; a figure that he felt would be within the reach of criminals.

But in a technical paper released Sep. 22, the three researchers presented what they described as an example of a freestart collision attack against SHA-1. The example showed how attackers could use modern graphic cards to achieve full SHA-1 collision for as little as $100,000 by renting space on Amazon’s EC2 cloud. According to the researchers, it took just 10 days of computing with a 64 GPU cluster on Amazon’s cloud to successfully break the full inner layer of SHA-1

“The current policy of the retraction of SHA-1 has been strongly guided by Bruce Schneier's estimates of the attack costs,” Stevens says. “What has changed today is that we have shown … these kind of attacks can be done very efficiently and is in fact more cost-efficient,” using graphics cards. “This means that in principle, SHA-1 collisions are within the resources of criminal syndicates two years earlier than previously expected.”

In their paper, Stevens and the other researchers noted that SHA-2 and SHA-3, the successors of SHA-1, are unaffected by the attack method and remain secure. They urged websites, browser makers, and others to move to SHA-2 as soon as possible.

In a blog post, Schneier concurred with the researchers in recommending that SHA-1 should be retired before 2017. Given the continuing advances in computing technologies and efforts by researchers to improve on existing methods, it’s not surprising that a new technique is available that dramatically lowers the cost of launching a collision-attack on SHA-1, Schneier said.

“What’s news," he wrote, "is that our previous estimates may be too conservative.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SimhaluK693
100%
0%
SimhaluK693,
User Rank: Apprentice
10/14/2015 | 3:56:45 PM
Re: SHA1 vulnerable
Timline
MD4
------
1990  by Ron Rivest based on Merkle Damgard

1991 Boer and Bosselaers - psuedo collisions
Same message with two different sets of initial values.
Linear attack on last 2 rounds.
1 millisecond on a 16 Mhz IBM PS/2

1996 Dobbertin - Semi freestart collisions.
Few seconds on a PC with Pentium processor.

1997 Dobbertin - Found preimages
Takes less than 1 hr on a PC.

2005 Wang - Full Collisions
Uses 2 blocks(1024 bits)
IBM P690 takes about 1 hour to find pair of first blocks.
Fastest cases take only 15 minutes.
15 seconds to 5 minutes to find the pair of second blocks.

SHA-0  
----------
1993 by NIST based on MD4
2004 Biham and Chen near-collision
2004 Joux - 4 block full collision - 2^ 51 hash ops
80,000 hours of CPU hrs on a supercomputer with 256 Itanium
2 processors.

2008 boomerang attack
2 ^ 33.6
Takes less than 1 hour of PC

MD5
--------
1991 Ron Rivest
128-bit hash value

1996 Dobbertin - Semi - FreeStart Collisions
2005 Wang - Full collisions

SHA-1
----------
1995  by NIST based on MD4
160-bit hash value

2005 Wang 2005  - Theoretical collision attack

2015 Stevens - Semi- Freestart collisions
All 80 steps
Takes 10 days using
16 * 4 GTX-970 GPUs, 1 Haswell i5-4460 processor and 16GB of RAM
----
TejGandhi1986
50%
50%
TejGandhi1986,
User Rank: Apprentice
10/9/2015 | 10:37:17 PM
SHA1 vulnerable
As computers evolve its becoming aier to break into aglorithms.It appears that upgrading the algorithm to SHA2 and SHA3 be the rigt way to go ahed.As quantum computers evolve it is just a  matter of time when algorithms like SHA2 and SHA 3 can also be broken.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5524
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an attacker on the same network segment to execute arbitrary OS commands with root privileges via UPnP function.
CVE-2020-5525
PUBLISHED: 2020-02-21
Aterm series (Aterm WF1200C firmware Ver1.2.1 and earlier, Aterm WG1200CR firmware Ver1.2.1 and earlier, Aterm WG2600HS firmware Ver1.3.2 and earlier) allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via management screen.
CVE-2020-5533
PUBLISHED: 2020-02-21
Cross-site scripting vulnerability in Aterm WG2600HS firmware Ver1.3.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2020-5534
PUBLISHED: 2020-02-21
Aterm WG2600HS firmware Ver1.3.2 and earlier allows an authenticated attacker on the same network segment to execute arbitrary OS commands with root privileges via unspecified vectors.
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.