In 1995, SHA-1 (Secure Hash Algorithm), the cryptographic hash algorithm designed by the NSA, was published by the United States government as a federal standard for processing information. SHA-1 replaced SHA-0 which was quickly put aside by the NIST (National Institute of Standards and Technology, an agency of the United States Department of Commerce) for reasons of insufficient security.

SHA-1 collision attacks

However, over the years, SHA-1 has not been considered safe against adversaries with significant means, this is what has been suggested by cryptanalysts who have studied theoretical attacks. Also, the American standards institute declared SHA-1 obsolete in 2011. It didn’t take much for the main browsers to decide to depreciate this algorithm: Microsoft, Google and Mozilla announced the end of SHA support -1 on their respective products.

In 2017, a team of researchers from Centrum Wiskunde and Informatica (CWI, Netherlands) and Google announced that they had developed a method to break the SHA-1 algorithm which has long been used to verify authenticity digital documents. As part of their detailed writing, the researchers also published two PDF files as proof of the collision, the two files having identical SHA-1 hashes, but displaying different content.

One of the properties of cryptographic functions is that they are unidirectional; in other words, it is not possible to find the original string from the hash. A second is that, theoretically, two different strings will systematically give two different hashes. It is this theory that the researchers managed to deny.

Google explains that a collision occurs when two separate pieces of data (a document, a binary, or a website certificate) are in the same signature . As explained above, collisions should never occur for secure hash functions. However, if the hashing algorithm has some flaws, such as SHA-1, a well-equipped attacker can create a collision.

Three years later, a team of researchers revealed an attack even stronger than the first. The new collision offers attackers more options and flexibility than those available with the previous technique. It allows you to create PGP encryption keys which, when digitally signed using the SHA-1 algorithm, usurp the identity of a chosen target. More generally, it produces the same hash for two or more entries chosen by the attacker by adding data to each of them. The attack unveiled on Tuesday also costs only $ 45,000 to carry out. The attack revealed in 2017, however, failed to falsify predetermined specific document prefixes and was valued at a cost of $ 110,000 to $ 560,000 on Amazon‘s web services platform, according to the how quickly the opponents wanted to execute it.

The new attack is important. Although SHA-1 has been phased out over the past five years, it is far from completely obsolete. It is still the default hash function for certifying PGP keys in the legacy branch of version 1.4 of GnuPG, the open-source successor to the PGP application for encrypting emails and files. These signatures generated by SHA1 were accepted by the modern GnuPG branch until recently, and were not rejected until after the researchers behind the new collision had communicated their results in private.

And the team explains that: “We calculated the very first collision with the prefix chosen for SHA-1. In summary, this means a complete and convenient termination of the SHA-1 hash function, with dangerous practical implications if you still use this hash function. To put it another way: all practical attacks on MD5 are now also on SHA-1. We have significantly improved the complexity of SHA-1 attacks, with an acceleration factor of around 10 ”.

Source : the research team