A Few Years To Finally Say Goodbye To SHA-1
A Few Years To Finally Say Goodbye To SHA-1
If you are into cybersecurity, you should know that the MD5 hashing method should never be used Why? Well, it 128-bit length is just too short, and where it is fairly easy to create a hash collision, and where we can find the same hash for different messages. In fact, it is so bad, that it is possible to inject data into an image, program, or document, and still produce the same hash.
Recently, though, Mat McHugh showed that he could produce the same hash value for different images, using Hashcat, and for just 65 cents on the Amazon GPU Cloud, and which took just 10 hours to process. For this, he created these two images which generate the same hash signature (Figure 1). If we check the hash signatures we get:
C:\openssl>openssl md5 hash01.jpg
MD5(hash01.jpg)= e06723d4961a0a3f950e7786f3766338
C:\openssl>openssl md5 hash02.jpg
MD5(hash02.jpg)= e06723d4961a0a3f950e7786f3766338
With the easy of creating a collision, no company should now be using MD5 [here]. But, now, NIST is officially deprecating the SHA-1 hashing method [here]:
For this, NIST will publish FIPS 180–5 (a revision of FIPS 180) and remove the SHA-1 specification, and that:
“Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government,”
FIPS 180–4 was published by NIST in 2015, and mentions SHA-1 as being a secure hash [here]:
NIST will withdraw this standard, and replace with FIPS 180–5.
SHA-1 has a 160-bit hash length and is significantly stronger against a collision than MD5 (in fact it is over 4 billion times stronger — 4,294,967,296 times stronger). And so, with a lot of computing, the 160-bit collision is now marked as being practically possible, but would still require a massive amount of computing power. SHA-1 has thus been defined as a risk for the future, and the world has been told to deprecate it, before computing resources catch up with it:
SHA-1 is not a favoured son at the present time, and has been on borrowed time when it has shown to have theoretical…medium.com
The signing of a hash on a digital certificate involves an intruder searching for a collision in the signed hash for a modified certificate — and still requires massive computing resources (especially to change bobco to eveco on the certificate). It has been shown that there is a risk on a SHA-1 signed hash, and where we can create a collision in the hash, and where we can create a valid signed hash for a different certificate. The risk of this is currently extremely low, but we know that things will develop, so SHA-1 hash signing is deprecated.
The signing process of a certificate happens where the signer takes a hash of the generated certificate, and then takes their private key and encrypts this hash (such as with RSA). Whoever reads the certificate will then create their own hash, and then decrypt the signed hash with the public key of the signer. If they match, we know that the certificate has not been changed. But what does the certificate contain? Well, it’s the public key of the entity defined in the certificate.
Here’s is part of LinkedIn’s current certificate, with their public key (2K RSA), and with the signature algorithm (SHA256 with RSA) [here]:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a5:a5:2d:1c:96:55:a4:77:97:ad:fb:17:24:e2:
1a:d4:5e:10:1d:de:fc:6e:80:3d:1a:2f:bd:d0:f3:
b1:bc:55:a8:4c:9b:1e:f5:bb:79:71:d0:e2:2d:f6:
76:67:75:e5:c4:ef:b1:26:b6:8e:bf:02:c1:80:db:
ee:1d:34:c2:ee:01:78:3b:f5:2d:9e:b4:d3:34:a2:
6c:e9:d4:fc:00:03:fc:f2:97:bf:c0:89:d3:3d:4e:
8b:4f:3a:70:f7:90:10:6f:65:9f:f6:4d:98:2d:a7:
14:30:8f:35:0a:46:8a:f3:79:c1:12:58:b7:41:67:
1c:40:33:9a:9d:1a:d3:81:20:65:a3:fe:ee:61:d6:
48:60:c1:e1:93:53:41:a7:b0:50:e5:75:5d:5e:1c:
f5:e2:69:d3:1b:7b:f2:3d:0c:fc:bd:df:8f:4e:a0:
9a:97:4b:e3:18:30:3c:76:75:c9:af:55:fb:6f:4e:
dd:7a:87:9b:84:18:fe:c4:80:12:4c:07:95:0f:b6:
be:71:f2:94:0a:46:bf:3b:18:89:56:d1:29:f5:b3:
27:26:20:82:e0:cc:a2:c2:74:1d:5b:a5:0d:68:3a:
48:1d:6b:3d:7e:ac:73:75:7c:92:63:c8:98:87:6b:
65:44:80:f3:a1:4a:9d:81:eb:75:99:e3:0b:6a:c9:
de:cd
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
7a:64:90:2c:da:c2:b2:00:54:32:bf:57:b3:f1:e1:b5:bf:56:
61:f9:94:66:bb:2c:8f:9a:bb:8c:b4:82:06:a5:47:23:df:96:
99:e6:27:85:dd:bf:8b:fd:4e:4e:aa:eb:33:58:6b:f5:b7:b7:
3e:ce:bf:49:b6:73:90:e6:cc:33:ff:5f:a7:38:08:1b:87:ab:
ba:1e:16:8b:ce:44:09:11:9a:cc:da:94:90:11:da:73:28:a3:
9b:87:6b:d8:2c:d4:27:91:b2:58:c2:7a:2a:99:4d:38:1c:ec:
4d:3f:4f:78:d9:20:f2:2b:b0:73:a8:18:ec:82:f3:e0:60:14:
c3:b1:70:d2:c4:5d:72:a9:17:b1:fc:28:bd:47:49:a7:4f:4e:
8f:4f:04:2e:fa:ec:b2:1e:fb:f3:fc:47:c8:33:3c:78:bb:ed:
fb:d1:4a:c3:93:08:44:2c:c5:c7:1d:11:a0:74:8b:6b:1e:0d:
cf:ae:f8:50:5b:5f:dd:71:e4:30:dd:53:45:cc:e2:1b:45:62:
6e:66:58:3e:b3:3e:e1:05:28:c5:87:8e:ff:6d:ab:4a:5c:7b:
11:18:25:36:4c:e5:26:f1:96:76:49:37:4a:3b:1e:c1:a8:6e:
07:a3:fb:50:3c:09:fb:f3:af:a9:99:a6:69:9a:1c:ff:02:82:
da:65:13:b5And so the intruder must try to change something in the certificate (such as the entity’s name) and then find the same hash that will work. With SHA-2 (which has either a 256-bit, 384-bit or 512-bit hashed value) or SHA-3, it would be virtually impossible at the current time to ever produce a collision.
Conclusions
One of the great things about cryptography is that we tend to be able to age methods out, and seamlessly bring in new ones. Obviously, we need to watch that this does not have a significant effect on products and services. Many systems thus often negotiate a cipher contract and can pick and choose the right cryptography methods for the client and server. We thus need to make sure that SHA-1 disappears from these contracts over the next few years. In one area — digital certificates — there are no publicly issued SHA-1 signed certificates anymore, and most are signed with SHA-256 using RSA and ECC.