Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

10/8/2015
04:35 PM

Researchers Warn Against Continuing Use Of SHA-1 Crypto Standard

New attack methods have made it economically feasible to crack SHA-1 much sooner than expected.

The SHA-1 security standard, widely used in digital certificates, electronic banking, browsers, and other applications, is weaker than previously thought and susceptible to attacks that are now well within the resources of criminal groups, an international team of cryptanalysts warned Thursday.

Security researchers had previously estimated that it would take at least another two years for so-called collision attacks against SHA-1 to become economically feasible for threat actors.

But a new method, developed by researchers Marc Stevens from CWI, the Netherlands' national research institute for math and computer science, Pierre Karpman from French counterpart Inria, and Thomas Peyrin from Singapore's Nanyang Technological University, shows the estimates were too conservative.

“We now think that the state-of-the-art attack on full SHA-1 as described in 2013 may cost around $100,000 renting graphics cards in the cloud,” the researchers said in a technical paper describing their attack.

The finding is important because browser makers and certificate authorities (CA) are currently scheduled to stop accepting SHA-1 signatures only in January 2017. Members of the CA/Browser forum are in fact currently considering a proposal that would extend the issuance of SHA-1 certificates through the end of 2016.

Approving that proposal would be dangerous, the cryptanalysts said, while strongly recommending that SHA-1 based signatures should be marked as unsafe "much sooner" than that.

Cryptographic hash functions like SHA-1 condense data, or "messages" in cryptospeak, into a short hash value in such a way that it is considered practically impossible to reconstruct the original input message from just the hash value.

In theory at least, it should be highly difficult for anyone to find two messages with the same hash value. A collision attack is an attempt to do just that so as to enable malicious actions like creating forgeries of digital signatures.

As far back as 2005, security analysts expressed concern about SHA-1 being susceptible to collision attacks. But many believed that the computational and financial requirements to pull off such an attack would be too prohibitive for anyone to want to try it.

In 2012, noted cryptographer and security researcher Bruce Schneier estimated that it would cost attackers about $700,000 to pull off a successful collision attack on SHA-1 in 2015. He estimated that cost would drop to $173,000 in 2018; a figure that he felt would be within the reach of criminals.

But in a technical paper released Sept. 22, the three researchers presented what they described as an example of a freestart collision attack against SHA-1. The example showed how attackers could use modern graphics cards to achieve a full SHA-1 collision for as little as $100,000 by renting space on Amazon's EC2 cloud. According to the researchers, it took just 10 days of computing with a 64-GPU cluster on Amazon's cloud to successfully break the full inner layer of SHA-1.

“The current policy of the retraction of SHA-1 has been strongly guided by Bruce Schneier's estimates of the attack costs,” Stevens says. “What has changed today is that we have shown … these kind of attacks can be done very efficiently and is in fact more cost-efficient,” using graphics cards. “This means that in principle, SHA-1 collisions are within the resources of criminal syndicates two years earlier than previously expected.”

In their paper, Stevens and the other researchers noted that SHA-2 and SHA-3, the successors of SHA-1, are unaffected by the attack method and remain secure. They urged websites, browser makers, and others to move to SHA-2 as soon as possible.

In a blog post, Schneier concurred with the researchers in recommending that SHA-1 should be retired before 2017. Given the continuing advances in computing technologies and efforts by researchers to improve on existing methods, it's not surprising that a new technique is available that dramatically lowers the cost of launching a collision attack on SHA-1, Schneier said.

"What's news," he wrote, "is that our previous estimates may be too conservative."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
Comments
SimhaluK693
User Rank: Apprentice
10/14/2015 | 3:56:45 PM
Re: SHA1 vulnerable
Timeline
MD4
------
1990 by Ron Rivest, based on Merkle-Damgård

1991 Boer and Bosselaers - pseudo-collisions
Same message with two different sets of initial values.
Linear attack on last 2 rounds.
1 millisecond on a 16 MHz IBM PS/2

1996 Dobbertin - Semi-freestart collisions.
Few seconds on a PC with Pentium processor.

1997 Dobbertin - Found preimages
Takes less than 1 hr on a PC.

2005 Wang - Full collisions
Uses 2 blocks (1024 bits)
IBM P690 takes about 1 hour to find pair of first blocks.
Fastest cases take only 15 minutes.
15 seconds to 5 minutes to find the pair of second blocks.

SHA-0
----------
1993 by NIST, based on MD4
2004 Biham and Chen - near-collision
2004 Joux - 4-block full collision - 2^51 hash ops
80,000 CPU hours on a supercomputer with 256 Itanium 2 processors.

2008 boomerang attack
2^33.6
Takes less than 1 hour on a PC

MD5
--------
1991 Ron Rivest
128-bit hash value

1996 Dobbertin - Semi-freestart collisions
2005 Wang - Full collisions

SHA-1
----------
1995 by NIST, based on MD4
160-bit hash value

2005 Wang - Theoretical collision attack

2015 Stevens - Semi-freestart collisions
All 80 steps
Takes 10 days using
16 * 4 GTX-970 GPUs, 1 Haswell i5-4460 processor and 16GB of RAM
----
TejGandhi1986
User Rank: Apprentice
10/9/2015 | 10:37:17 PM
SHA1 vulnerable
As computers evolve, it's becoming easier to break into algorithms. It appears that upgrading the algorithm to SHA-2 and SHA-3 would be the right way to go ahead. As quantum computers evolve, it is just a matter of time before algorithms like SHA-2 and SHA-3 can also be broken.