A cryptographic standard for online security long known to be vulnerable should be phased out quickly, according to Dutch researchers who worked with Google to successfully break the algorithm.
Developed by the U.S. government in the 1990s, the SHA-1 (Secure Hash Algorithm 1) hash function was designed to help secure and authenticate electronic files and digital signatures. The National Institute of Standards and Technology (NIST) deprecated SHA-1 in 2011, which means it determined the standard should be avoided due to the development of better, more secure crypto techniques.
While deprecation was intended to give organizations time to phase out the use of SHA-1, a number of services, including the Git software version control system, still use the algorithm. Researchers from Google and CWI (Centrum Wiskunde & Informatica) said they would wait 90 days before publishing further details about their SHA-1 findings, giving such users time to transition to new standards.
Steep Drop in Attack Cost
Although its security weaknesses have been recognized for some time, SHA-1 has continued to be used because a real-life attack on the standard was believed to be too difficult and expensive. However, members of the CWI and Google research team said they have now successfully demonstrated the first practical "collision attack" on the SHA-1 function.
Just five years ago, cybersecurity expert Bruce Schneier estimated that the price of an SHA-1 collision attack would be around $700,000. However, by taking advantage of affordable spot prices for Amazon's cloud services, that price today could be no more than $110,000, according to CWI researchers Marc Stevens and Pierre Karpman and Google researchers Elie Bursztein, Ange Albertini and Yarik Markov.
The computing time required to break the crypto was also faster than previous attempts achieved, the research team noted. While it still took about 6,500 CPU years and 100 GPU years, the collision attack was "more than 100,000 times faster than a brute force search," the team said.
Migrate 'as Soon as Possible'
The team's findings demonstrate that it's now theoretically possible -- and affordable -- to attack the SHA-1 standard in a way that could, for instance, enable someone to use the same digital fingerprint for two very different contracts.
"As an example, a landlord could use two colliding rental agreements to trick a prospective tenant into digitally signing a low-rent contract," Ars Technica noted today in an analysis of the SHA-1 research. "The landlord could later claim the tenant signed a contract agreeing to a much higher rental price."
Schneier, who is chief technology officer at Resilient and a fellow at Harvard University's Berkman Klein Center for Internet & Society, has been among the security experts who have long called for users to drop SHA-1 in favor of more secure hashing functions.
"We've long known that SHA-1 is broken," Schneier wrote in a blog post in October 2015, noting that Microsoft as well as all the major browsers had announced plans to stop accepting SHA-1 signatures in 2017.
"Our result proves that the deprecation by a large part of the industry has been too slow and that migration to safer standards should happen as soon as possible," CWI's Stevens said today in a statement.