The SHA-1 cryptographic hash function may be 22 years old, but it’s still widely used today to validate Git repositories, documents and digital certificates. We already know SHA-1 is insecure – security experts have been warning about theoretical attacks on the algorithm for years. Now Google researchers have demonstrated that a practical collision attack is possible. Here’s what you need to know and why you should care.
What Is A Collision Attack? Why Is SHA-1 Especially Vulnerable?
SHA-1 serves a number of functions: browser security, managing code repositories or even just detecting duplicate files in storage. Traditionally it has been used to sign digital certificates, which verify the identity of the certificate holder. If you’re conducting transactions online, you’d want to make sure that whoever you’re transacting with is who they say they are. Hash algorithms are used to validate those certificates.
A collision attack occurs when two different files generate the same hash value; in the case of SHA-1, it’s a 160-bit value. Because a digital signature covers the hash rather than the file itself, this makes it easy for attackers to forge digital signatures and undermine internet security. We’ve seen this kind of attack in the wild with the MD5 hash, which preceded SHA-1 and is considered extremely weak by today’s standards.
But SHA-1 is still being used today to sign data that is transmitted across the web, such as for document signing, back-up and Git systems.
The Google researchers (working with another security research firm called CWI) managed to perform a collision attack on SHA-1 with two PDF documents (technical details can be found here). The team managed to get the SHA-1 digital signature of the first document and mimic it in the second document:
By crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.
The SHA-1 hash algorithm has already been deprecated, and a number of technology vendors, such as Microsoft and Google, are phasing out support for SHA-1-signed certificates (which means they will no longer be trusted by their platforms or applications). HTTPS websites that use SHA-1 certificates will no longer be shown as trusted in most web browsers.
SHA-1 is tipped to be replaced by SHA-2, a more resilient family of algorithms.
Right, The Tech Giants Are On It. Why Do I Still Have To Care About SHA-1?
The average Joe who takes notice of red padlock icons and browser warnings probably won’t be affected much. After all, most major browsers are already deprecating SHA-1. But for those who are in the IT industry or work with systems that still rely on SHA-1, this practical collision attack signals the impending death of the hash algorithm.
The researchers said that any application of the following kinds that relies on SHA-1 for digital signatures, file integrity or file identification is potentially vulnerable:
- Digital Certificate signatures
- Email PGP/GPG signatures
- Software vendor signatures
- Software updates
- ISO checksums
- Backup systems
- Deduplication systems
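A backup or deduplication system that identifies files by their SHA-1 digest would silently treat the two colliding PDFs above as one file. The audit routine below is an added example (not a tool from the researchers or from this article); it groups stored objects by SHA-1 and then checks each group under SHA-256, so true duplicates are separated from a collision pair that a SHA-1-keyed store would have merged. The file names, contents and digest strings in the demo are constructed for illustration.

```python
import hashlib
from collections import defaultdict


def digests(data: bytes) -> tuple:
    """Return (sha1_hex, sha256_hex) for a blob."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def audit_sha1_store(entries):
    """Audit a store keyed by SHA-1.

    entries: iterable of (name, sha1_hex, sha256_hex) records, e.g. read
    back from a dedup index after re-hashing each stored object with SHA-256.

    Returns (duplicates, collisions), each mapping a SHA-1 digest to the
    names that share it:
      duplicates: members also agree under SHA-256 (safe to dedup)
      collisions: members differ under SHA-256, i.e. distinct files that
                  a SHA-1-keyed store wrongly identified as the same object
    """
    by_sha1 = defaultdict(list)
    for name, sha1_hex, sha256_hex in entries:
        by_sha1[sha1_hex].append((name, sha256_hex))

    duplicates, collisions = {}, {}
    for sha1_hex, members in by_sha1.items():
        if len(members) < 2:
            continue  # a single object cannot collide with itself
        distinct_sha256 = {s256 for _, s256 in members}
        bucket = collisions if len(distinct_sha256) > 1 else duplicates
        bucket[sha1_hex] = [name for name, _ in members]
    return duplicates, collisions


def audit_files(named_blobs):
    """Hash raw file contents with both algorithms, then audit them."""
    return audit_sha1_store(
        (name, *digests(blob)) for name, blob in named_blobs.items()
    )


if __name__ == "__main__":
    # Constructed sample: two identical blobs and one different one.
    dups, cols = audit_files({
        "low_rent.pdf": b"rent: 500",
        "low_rent_copy.pdf": b"rent: 500",
        "high_rent.pdf": b"rent: 900",
    })
    print("true duplicates:", dups)
    print("collision pairs:", cols)
```

Re-hashing an existing SHA-1-keyed index with SHA-256 and running this audit is the cheap part of a migration; the fix itself is to key new objects on SHA-256.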
There are companies still using SHA-1 to secure databases containing usernames, email addresses and passwords of their customers.
Sure, it took the Google researchers two years and a ton of computing power to get the collision attack working (not to mention the cost of using those resources), but it's not impossible for a well-funded government or other nefarious group to take advantage of SHA-1's weaknesses and forge digital certificates, documents or Git repositories:
GIT strongly relies on SHA-1 for the identification and integrity checking of all file objects and commits. It is essentially possible to create two GIT repositories with the same head commit hash and different contents, say a benign source code and a backdoored one. An attacker could potentially selectively serve either repository to targeted users. This will require attackers to compute their own collision.
The Google researchers have created an online tool that can check files for SHA-1 collision attack vulnerabilities. You can find it here.
"We hope our practical attack on SHA-1 will increase awareness and convince the industry to quickly move to safer alternatives, such as SHA-256," the researchers said.