SHA-1 has been broken in practice, now what?

Written by: Ethan Ranney

March 6, 2017 - UL provides recommendations for moving to safer hashing algorithms.

A brief history of SHA-1

SHA-1 is a cryptographic hash function that has been widely used for over two decades in applications such as SSL/TLS, VPN protocols, PGP, SSH, and distributed revision control systems (Git, Mercurial, etc.). For over 10 years, NIST has urged moving away from SHA-1, with official deprecation starting in 2011, because the underlying math proved less resistant to collision attacks than originally thought. A successful collision attack produces two different files that have the same hash. On February 23, 2017, those recommendations proved well founded when Google published the first publicly known collision attack on SHA-1: two different PDF files with the same SHA-1 hash.

Example of attack

This is known as an identical-prefix collision. A real-world example of this type of attack could consist of an employer using two colliding employment contracts to trick an employee into digitally signing a high-salary contract. The employer could later claim the employee signed a contract agreeing to a much lower salary.

Cost to carry out attack

Nine quintillion SHA-1 computations were performed in total. This breaks down to 6,500 years of CPU computation and 110 years of GPU computation to complete both attack phases. However, because modern cloud computing gives essentially anyone access to vast computing resources, the cost to replicate this attack could be as low as $110,000 using Amazon’s cloud computing platform. This puts the attack within the realm of criminal organizations and well into the wheelhouse of state-sponsored actors.

Risk of attack

Due to Google’s vulnerability disclosure policy, code is not yet publicly available to reproduce this SHA-1 collision as of this writing. However, now that it has been proven technically feasible, well-funded actors could replicate this work and produce another collision before Google’s 90-day disclosure period is up.

Recommendation

UL recommends that the industry move to safer hashing algorithms such as SHA-256 or SHA-3. Additionally, UL recommends consulting engineers and developers to discover whether affected technologies (Git, PGP, SSL certificates, etc.) are being used within your company. If they are found to be vulnerable, creating and executing a plan to sunset SHA-1 from the organization is strongly encouraged.
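
For the SSL certificate part of that inventory, the following added example (not from UL or the original article) reads the signatureAlgorithm field of a DER-encoded X.509 certificate and flags SHA-1 based signatures. It uses only the Python standard library; the helper names and the two sample certificates are constructed for illustration and are structural skeletons, not real certificates.

```python
# DER-encoded OIDs of signature algorithms that hash with SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1",
    bytes.fromhex("2b0e03021d"): "sha-1WithRSASignature",
}

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def sha1_signature_name(der_cert):
    """Return the SHA-1 algorithm name if the certificate is SHA-1 signed, else None."""
    tag, start, _ = read_tlv(der_cert, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(der_cert, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der_cert, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der_cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return SHA1_SIG_OIDS.get(bytes(der_cert[oid_start:oid_end]))

def audit(certs):
    """Map name -> SHA-1 algorithm name for every SHA-1 signed certificate."""
    return {name: alg for name, c in certs.items() if (alg := sha1_signature_name(c))}

def der(tag, body):
    """Encode one DER element under 65536 bytes (only builds the samples below)."""
    size = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + size + body

def sample_cert(sig_oid_hex, tbs_len=3):
    """Constructed certificate skeleton: dummy tbsCertificate, algorithm, dummy signature."""
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    return der(0x30, der(0x30, bytes(tbs_len)) + alg + der(0x03, b"\x00\x00"))

SAMPLES = {
    "legacy-vpn": sample_cert("2a864886f70d010105"),         # SHA-1 with RSA
    "web-frontend": sample_cert("2a864886f70d01010b", 300),  # sha256WithRSAEncryption
}
```

Calling `audit(SAMPLES)` reports only `legacy-vpn`. For PEM files, `ssl.PEM_cert_to_DER_cert` converts the text to the DER bytes these functions expect.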

Attack detection

There is an online tool to submit files to be checked for SHA-1 collision attacks. The source is also available.

Disclaimer

These are the personal opinions of UL’s employees and its guests and should not be misunderstood as representing the opinion of UL's clients, suppliers or other relations.