Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Encryption

Exploit Fully Breaks SHA-1, Lowers the Attack Bar (threatpost.com) 47

Posted by EditorDavid from the uncertain-certs dept.
ThreatPost reported on some big research last week: A proof-of-concept attack has been pioneered that "fully and practically" breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering.

The exploit was developed by Gaëtan Leurent and Thomas Peyrin, academic researchers at Inria France and Nanyang Technological University/Temasek Laboratories in Singapore. They noted that because the attack is much less complex and cheaper than previous PoCs, it places such attacks within the reach of ordinary attackers with ordinary resources.

"This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function," the researchers wrote. "Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks."

Given the footprint of SHA-1, Leurent and Peyrin said that users of GnuPG, OpenSSL and Git could be in immediate danger.
Long-time Slashdot reader shanen writes, "I guess the main lesson is that you can never be too sure how long any form of security will remain secure."
This discussion has been archived. No new comments can be posted.

Exploit Fully Breaks SHA-1, Lowers the Attack Bar More

Exploit Fully Breaks SHA-1, Lowers the Attack Bar

Comments Filter:

  • ...if we put even a fraction of the money spent on wars into security research. With the finest minds working around the globe and around the clock, we could come up with exploits for tomorrow's encryption today!

    • to each other, so they don't start wars, banks, media conglomerates, corporations, churches, religions or dictatorships in general.

      Naah. That would make too much sense.
      Knee-jerk patch it is!

    • No, the people we can't stop from making us slaves have all the money already in your scenario.

      You have to remove the need for war first, before you remove the war, or else you're entirely screwed.

    • Re: (Score:2)

      by lgw ( 121541 )

      ...if we put even a fraction of the money spent on wars into security research.

      Err, we do put a lot of the money we spend on wars into info security research. The NSA is a cold war entity. I don't think the NSA is really on our side, but that's not a problem with its budget!

      With the finest minds working around the globe and around the clock, we could come up with exploits for tomorrow's encryption today!

      You can't hide secrets from the future with math!

  • Whelp (Score:4, Funny)

    by fahrbot-bot ( 874524 ) on Saturday January 18, 2020 @06:49PM (#59633500)

    ... "fully and practically" breaks the Secure Hash Algorithm 1 (SHA-1) ...

    Time to move on to using SHA-2 -- even-number versions are better anyway.

  • SHA-1 is not "code-signing encryption"! (Score:4, Insightful)

    by Entrope ( 68843 ) on Saturday January 18, 2020 @06:52PM (#59633508) Homepage

    SHA-1 is a hash algorithm, mathematically known as a trap-door or one-way function, because it is supposed to be hard to find an input that generates a given output. Encryption has to be practical to reverse, and a signature needs to carry some information that gives confidence that a known entity generated the signature. SHA-1 provides neither encryption nor signature features.

    • It is almost as if that is why we stopped using it. LOL

    • Well, has somebody managed to develop a collision attack that works at the same time against both MD5 and SHA1? All of the proof of concept files I downloaded appear to fail one or the other. Maybe the solution is simply to use multiple hashes, when checking for file tampering, similar to the way some GNU/Linux distros provide both SHA256 and plain SHA1 sums for their ISO download links in addition to the GPG signatures. Or have I seriously misunderstood something here?

    • Digital signature protocols work by encrypting a message using a private key so that the public can verify it by decrypting it with the corresponding public key. But public-key ciphers, such as RSA and ECC, tend to be slower than symmetric ciphers. To reduce the amount of data that must be encrypted, signature protocols begin by taking the hash value of the message. A collision in a hash function allows two messages to have the same hash value. It weakens the non-repudiation of digital signatures by allowin

      • Re: (Score:2)

        by tlhIngan ( 30335 )

        To reduce the amount of data that must be encrypted, signature protocols begin by taking the hash value of the message.

        Incorrect. Signatures hash because the content is often to be left as plaintext..

        Encryption provides secrecy, and some algorithms also provide authentication (public-key algorithms by their nature show which private key was used and thus that message came from someone using that private key).

        Signatures are used to provide authentication, but not necessarily secrecy. So instead of encrypting

        • Re: (Score:2)

          by tepples ( 727027 )

          Encryption provides secrecy

          Only when the decryption key is private. When the decryption key is public, encryption provides authentication.

          As for the rest of your comment: We appear to be in violent agreement, saying the same thing with different words.

          To reduce the amount of data that must be encrypted, signature protocols begin by taking the hash value of the message.

          Incorrect. [...] A cryptographically secure hash is run over the message, and that hash is then encrypted.

          Why is a cryptographically secure hash run over the message other than to reduce the amount of data that passes through a public-key cipher?

    • Re: (Score:2)

      by gweihir ( 88907 )

      It also is not "fully broken" either. A specific collision attack got a bot better. If you do not care about collisions, or not about this specific way to create them, nothing has changed.

      • It also is not "fully broken" either. A specific collision attack got a bot better. If you do not care about collisions, or not about this specific way to create them, nothing has changed.

        And the authors have failed to understand what it is used for. Once again we have git listed as "in danger".

        Git does not use SHA1 for any form of authentication. It uses it as a hash function to generate IDs for commits. That use is still secure. Even if you wanted to generate a collision for that, you would have needed to generate a viable collision that:

        1) Passes a compile with GCC

        2) Does not introduce a change which will fail future incremental patches on top of this HASH ID.

        Frankly - that's impos

        • Re: (Score:2)

          by gweihir ( 88907 )

          Pretty much. Too many people that have no understanding of things beyond "Broken? (y/n)" just cannot shut up.

    • Re: (Score:2)

      by lgw ( 121541 )

      SHA-1 provides neither encryption nor signature features.

      SHA-1 is, however, cryptography. Calling "cryptography" "encryption" is pretty good work for a journalist; I mean, it's nearly the same word.

      Also, saying SHA-1 doesn't provide signatures is really splitting hairs. As far as anyone in the general public is concerned, cryptographic hash function are "signature functions."

  • Not like a big secret (Score:4, Informative)

    by bobstreo ( 1320787 ) on Saturday January 18, 2020 @06:55PM (#59633512)

    SHA-1 has been considered broken for almost 8 years.

    • Yup, this is mostly a 'slow news day' story.

      The protocol was superceded in 2001 by SHA2, which was replaced by SHA3 in 2015. Important people like Bruce Schneier groups like NIST advocated to moving away from it back in 2005, 15 years ago.

      It wasn't just deprecated by most protocols in past years, it has been actively rejected by many groups including all major web browsers for the past three years. If you see it as a security certificate it's woefully outdated.

      Of course, it isn't dead. It still has many us

  • Significance of the full break? (Score:3)

    by shanen ( 462549 ) on Saturday January 18, 2020 @07:01PM (#59633520) Homepage Journal

    Hmm... Actually I also submitted this story a while ago, though I thought my main point was the significance of the "fully breaks" wording. My (less than paid expert) perspective is that any file could be arbitrarily modified while preserving the checksum. Not modified absolutely without limit, but "way bad", to use the technical lingo. Certainly bad enough for all sorts of embedded exploit code.

    My motivation in submitting it was actually historical, since I was still working for actual experts when the first break happened. Pretty sure I learned about it while editing a research paper based on the original break by a Chinese woman researcher whose name I've forgotten. Memories of old times.

    Meanwhile, in the present I can't even get one of my older Windows 10 computers to install the latest security updates. Yes, it does cross-boot into Linux, and I can continue getting some use out of it on that basis, but it will annoy me if I have to buy a new machine for my wife because she doesn't want to learn Ubuntu...

    For the future of security, I was reading some interesting stuff on quantum encryption. In theory, it's possible to exchange an encryption key in a way that cannot be intercepted. (Too bad it can be defeated with a cheap camera or mic, eh? The chain of security can always be broken at any weak link.)

    • They rewrite 100% of the words "I said" when I submit a story, so you're doing pretty good if you're only quibbling about your "main point."

      • I think it depends on the editor, and also on the quality of the submission. Sometimes large parts are used without change, but in general I think my submissions have benefited from the editors' attentions, if generally not tender attentions.

    • Re: (Score:2)

      by gweihir ( 88907 )

      It is not a "full break". It is just a gradual improvement of a specific type of collision-finding. If you do not care about collisions, SHA1 remains secure.

      • Re: (Score:2)

        by shanen ( 462549 )

        Please read the original story or read what I wrote before commenting.

        Alternatively, if you have nothing to say, perhaps you should say nothing.

  • A SHA-1 collision bounty reward was written in the script Bitcoin language. It was found in 2017:
    https://www.reddit.com/r/Bitco... [reddit.com]

  • Until Five Eyes found an exploitable replacement, and can make their designed exploit for the old one public to get everyone to move to the replacement.

  • One thing is for sure (Score:4, Funny)

    by eclectro ( 227083 ) on Saturday January 18, 2020 @07:32PM (#59633560)

    Alice and Bob will be happy that there is more work.

  • Git is fine, and will be for a while (Score:5, Informative)

    by ezdiy ( 2717051 ) on Saturday January 18, 2020 @07:53PM (#59633592)
    This is a chosen prefix, not second-preimage. It's the same thing that breaks MD5 and MD4, and depends on length extension (something that neither git or bittorrent allows). There's currently no attack on full second-preimage, not even for the very weak MD5/MD4. BitTorrent and GIT is very unlikely to move away from SHA1 unless a significant breakthrough to solve for very large algebraic degrees occurs - it's a problem that all first-preimage attacks sidestep by choosing clever input so that degrees cancel out. Such breaktrough would affect far more hashes (think trivial first preimages for SHA2) before those two fall on second preimage.

    • Re: (Score:2)

      by Wyzard ( 110714 )

      Git is actually in the process of moving away from SHA1: see hash-function-transition.txt [github.com]

    • They described their 2 attacks as an identical-prefix (complexity 2^61.2) and chosen-prefix (2^63.4). However I suspect that the heuristic test that git implemented after the previous demonstrated SHA1 collision will still detect any instance of this attack. And this attack will still result in both files having a bunch of random looking noise at the end.

      • Re: (Score:2)

        by ezdiy ( 2717051 )
        Frankly hardened SHA1 is a kludge for people who want git to authenticate data. If you really want to do that, there's apparently migration path to SHA-256 (wasn't really aware of it). What I wrote above is mainly in regards to integrity of existing tree, where commits are guaranteed to be non-adversarial.

        Exploiting chosen prefix in Git is much harder than it sounds when target tree is non-adversarial. This is because there's no free choice of *both* prefix (for which you get 2^63 collision, instead of 2
  • It isn't a revolutionary break through. They have reduced the work by just less than the equivalent of 4 bits. I'm not sure that this changes who the threat actors could be significantly. Also this is still hash collisions not second pre-image attacks.. Sort of - I've been burned by saying a security feature only requires second preimage resistance (AES-MMO for example in electric meter certificates) to find someone later (UK government) changed the algorithm in such a way so that collision resistance i

    • around here we call that "more than an order of magnitude" and it's huge improvement. what are you smoking?

    • It changes the costs from $584k to $45k for a chosen-prefix collision, or $124k to $11k for an identical-prefix collision when running on rented hardware. I'd say that brings it within range of a lot more people, or at the very least it increases the number of targets that are interesting enough to pay to attack. $11k is feasibly within reach of a (dedicated) hobbyist.

    • Re: (Score:2)

      by ezdiy ( 2717051 )
      The bigger novelty is they managed to generate ad-hoc freestarts for prefix data, turning original where IV had to be of particular class into truly arbitrary freestart,thus allowing many practical SHA1 breaks for anything that doesn't commit to the input length in safe manner. Which is the case for X509 sig request and then enabling CA flag on it. It truly is the end for SHA1 in public key cryptography as far as PKI/SSL is concerned.

      As for collision resistance, integrity protocols (as well as exotic cry

  • NOT a "full break" (Score:3)

    by gweihir ( 88907 ) on Sunday January 19, 2020 @02:33AM (#59634120)

    It is just about collision resistance. There are tons of uses of hash-functions where that does not matter and where SHA1 remains secure.

  • Slight hyperbole... (Score:1)

    by Anonymous Coward

    Saying that it "fully and practically" breaks SHA-1, as compared to the state it was in before this development, is a tad hyperbolic.

    And by a tad, I mean more than a tad.

    Practical attacks, in some rather specific scenarios, are now slightly more in reach of a slightly larger group of actors than it was before.

    GIT and many other users of SHA-1 are not in any immediate danger, since their usage of SHA-1 does not fall into any of the specific scenarios where the attacks made slightly easier by this development

  • MD5 (Score:1)

    by ebvwfbw ( 864834 )

    Could be like MD5. That algo has been bad for over 10 years and yet dumb people keep using it. Even companies that know better. Too expensive to re-sign everything they say.

    Good old refrain - "It'll break stuff if we change it."

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close