
SoylentNews is people

posted by janrinok on Wednesday January 08 2020, @11:43PM   Printer-friendly
from the more-collisions-than-a-NASCAR-race dept.

PGP keys, software security, and much more threatened by new SHA1 exploit:

Three years ago, Ars declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world's first known instance of a fatal exploit known as a "collision" on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that's significantly more powerful.

The new collision gives attackers more options and flexibility than were available with the previous technique. It makes it practical to create PGP encryption keys that, when digitally signed using the SHA1 algorithm, impersonate a chosen target. More generally, it produces the same hash for two or more attacker-chosen inputs by appending data to each of them. The attack unveiled on Tuesday also costs as little as $45,000 to carry out. The attack disclosed in 2017, by contrast, didn't allow forgeries on specific predetermined document prefixes and was evaluated to cost from $110,000 to $560,000 on Amazon's Web Services platform, depending on how quickly adversaries wanted to carry it out.

The new attack is significant. While SHA1 has been slowly phased out over the past five years, it remains far from being fully deprecated. It's still the default hash function for certifying PGP keys in the legacy 1.4 version branch of GnuPG, the open-source successor to the PGP application for encrypting email and files. Those SHA1-generated signatures were accepted by the modern GnuPG branch until recently, and were only rejected after the researchers behind the new collision privately reported their results.

Git, the world's most widely used system for managing software development among multiple people, still relies on SHA1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA1 certificates. SHA1 is also still allowed for in-protocol signatures in the Transport Layer Security and Secure Shell protocols.

In a paper presented at this week's Real World Crypto Symposium in New York City, the researchers warned that even if SHA1 usage is low or used only for backward compatibility, it will leave users open to the threat of attacks that downgrade encrypted connections to the broken hash function. The researchers said their results underscore the importance of fully phasing out SHA1 across the board as soon as possible.

"This work shows once and for all that SHA1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function," the researchers wrote. "Continued usage of SHA1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA1 support to avoid downgrade attacks."
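One defender-side check that follows from the advice above, written as an added example that is not from Ars, SoylentNews or any project named in the story: read the signatureAlgorithm OID out of a DER-encoded X.509 certificate using only the standard library and flag the SHA-1 variants, so certificates still accepted by non-web HTTPS clients can be inventoried. The two sample certificates are constructed stand-ins (dummy tbsCertificate and signature) that carry only a real signatureAlgorithm encoding; the parser itself reads the outer signatureAlgorithm of any DER certificate.

```python
# Signature-algorithm OIDs that bind a certificate signature to a SHA-1 digest.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn DER OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def certificate_signature_oid(der):
    """OID of the outer signatureAlgorithm of a DER-encoded X.509 Certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:                     # Certificate ::= SEQUENCE
        raise ValueError("not a DER Certificate SEQUENCE")
    _, _, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)   # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:                     # OBJECT IDENTIFIER
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def sha1_signature_name(der):
    """Name of the SHA-1 signature algorithm if the certificate uses one, else None."""
    return SHA1_SIGNATURE_OIDS.get(certificate_signature_oid(der))

# Constructed stand-ins, not real certificates: a dummy tbsCertificate, a real
# signatureAlgorithm encoding, and a dummy signature BIT STRING in the outer SEQUENCE.
SHA1_CERT_DER = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d010105" "0500" "030200ff")
SHA256_CERT_DER = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b" "0500" "030200ff")
```

For PEM input, strip the armour lines and base64-decode before calling. Only the outer signatureAlgorithm is inspected, so each certificate in a chain has to be checked separately.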


  • (Score: 1, Informative) by Anonymous Coward on Thursday January 09 2020, @05:59AM (3 children)

    by Anonymous Coward on Thursday January 09 2020, @05:59AM (#941344)

    How we are still using SHA-1 in 2020.

  • (Score: 0) by Anonymous Coward on Thursday January 09 2020, @06:24AM (1 child)

    by Anonymous Coward on Thursday January 09 2020, @06:24AM (#941351)

    Improve your non-understanding through broad studies, and you shall learn a lot about human nature.

    • (Score: 1) by nitehawk214 on Thursday January 09 2020, @09:07PM

      by nitehawk214 (1304) on Thursday January 09 2020, @09:07PM (#941595)

      That is an eloquent way of saying "people are lazy and stupid". :)

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
  • (Score: 3, Insightful) by Lester on Thursday January 09 2020, @09:58AM

    by Lester (6231) on Thursday January 09 2020, @09:58AM (#941368) Journal

    One of the problems is that there are old CA certificates that were created to expire in 10 or 20 years, and those CA keys were used to sign certificates that expired in 10 years. Those certificates must be revoked, and so must the certificates signed with them, which forces everyone to renew certificates. We were naive and thought that algorithms would be secure for 10 years according to Moore's law. We didn't anticipate the expansion of multiprocessing with GPUs, multicore and cloud computing.

    Another problem is backward compatibility. You decide to change the default algorithm, so you make a newer algorithm the default one and pop up a warning: "you are using an old algorithm that could be deprecated in future versions". And that goes on for years, but finally some day you decide to deprecate the old algorithm and suddenly lots of people pop up here and there complaining that your program or service doesn't work anymore. Backward compatibility is a burden for developers but it is great for users... except in security issues, but many users are not aware of that, so you stick with supporting outdated algorithms.

    Git is another question: SHA1 is not used as a cryptographic item, it is used to identify commits. So it is not such a big problem. Nevertheless, I could guess you could replace source with a commit with the same hash containing a backdoor.