A Super-Common Crypto Tool Turns Out to Be Super-Insecure

You probably don’t think about cryptographic hash functions much, or even know what they are. They help you out every day, though, enabling authentication, integrity checks, and signature verification, and other integral security steps. But a common one of these, called SHA-1, has been out of favor for years because of known weaknesses. Now, it turns out to be even more vulnerable than previously imagined.

Concerns about SHA-1 used to be theoretical, hinging on vulnerabilities that seemed prohibitively resource-intensive to exploit. But now a team of researchers from CWI Amsterdam and Google have successfully developed an attack on SHA-1 that doesn’t require extravagant assets to pull off. That means any system still using SHA-1 to verify and protect data is very much at risk.

Hash It Out

Algorithms like SHA-1 morph information into strings of data called “hashes” that, ideally, can’t be decoded back to their original form. In this case, the researchers used a specialized assault called a “collision attack,” a sophisticated technique that allows an assailant to control what the algorithm spits out for two different data inputs. That way, instead of producing two distinct hashes, the function gives identical outputs. It’s technologically tricky, but think of it as someone who surgically alters their fingerprints to match yours, and then uses that shared trait to unlock your smartphone.

“If two inputs have the same [digital] fingerprint, then you can’t use the fingerprint to identify which file is which,” Stevens says. “It could mean that a digital signature on one file of a colliding pair is also valid for the other file of the colliding pair, so you can trick somebody.”

It’s been more than a decade since experts started discovering weaknesses in SHA-1, and more than five years since the National Institute of Standards and Technology removed all support for the protocol in favor of new cryptographic hash functions like next-gen family members SHA-256 and SHA-3. In November, for instance, Chrome completely stopped trusting web certificates that use SHA-1 and started warning users about them.

But while many corners of the internet have abandoned it, SHA-1 remains pervasive, particularly in services that need to interoperate with legacy systems running older software. It also persists because of the idea that it is not at risk of being actively attacked. For example, a popular implementation of the encryption program Pretty Good Privacy (PGP) still says that SHA-1 is “believed to be safe,” even though it’s not the preferred hash function.

“SHA-1 was an industry standard, so if you had to pick a hash function you might have picked SHA-1 for decades,” says Marc Stevens, a cryptographer at CWI Amsterdam. “We still have SHA-1 deployed in a lot of places. And we know we can warn the big companies, but this news is especially important for all the other places where SHA-1 is in small applications.”

In other words? It’s time to hustle.

Crypto Keepers

While the research shows that collision attacks are actually feasible, not everyone has access to the computing power that’s required. It took Google’s cloud CPUs as well as its machine-learning GPU computing infrastructure for the researchers to work the attack out. But executing a collision attack turns out to be significantly less resource-intensive than attempting to “brute-force” SHA-1, trying every possible input until you find the one that creates your desired output. “A well-funded organization could totally do [the attack],” says Google cryptographer Elie Bursztein, who worked on the project. “It’s not out of reach anymore.”

The researchers recognize that their work could ultimately fuel assaults on systems still implementing SHA-1. In keeping with Google’s vulnerability disclosure policy, the group will wait 90 days before releasing the code behind their attack. And Stevens created a tool called Shattered.io, which allows people to upload documents, and then uses counter-cryptoanalysis to check for signs that a file has been subject to a collision attack. The team is open-sourcing this scanning tool so that companies can adopt it in-house, and Google is implementing the tool in Gmail and Google Drive to scan documents and flag those that have been tampered with.

For such an abstract problem, these measures show that there are concrete ways to protect consumers. And the biggest upside to the research is that those still reliant on SHA-1 may finally see the necessity of dropping it. “We’ve now shown collision attacks to be practical and attacks only get better and faster,” says Stevens. “Computational cost will only get cheaper, and attackers have the uncanny ability to be more creative in exploiting these kind of collision attacks against actual applications.”

The challenge now? Convincing companies big and small that it’s time to check what kind of cryptographic hash they’re using in every backwater of their networks, and to make changes as soon as possible if they’re still relying on SHA-1. That may sound like a big ask for those who don’t know much about what’s under their hood. Then again, it’s better than finding out the hard way.

https://www.wired.com/category/security/feed/