According to the researchers, the PoC “fully and practically” breaks SHA-1 and is within reach of a well-resourced attacker. SHA-1 is a cryptographic hash function, and signature schemes sign a digest of the data rather than the data itself, so it underpins older certificates and the signatures used to authenticate software downloads. The digest is what is supposed to stop a third party tampering with a signed certificate. The PoC shows that this guarantee no longer holds: an attacker who can produce two different documents with the same SHA-1 digest can transfer a signature made over one of them to the other.

“This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function,” the researchers say. “Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks.”

Leurent and Peyrin are researchers at Inria, France and at Nanyang Technological University/Temasek Labs, Singapore respectively. They say this is the cheapest PoC for this type of attack so far, which means it could be carried out by ordinary attackers with ordinary resources such as commodity GPUs rather than only by nation states. Because of its low cost and effectiveness, the attack on SHA-1 puts users of software that still accepts SHA-1 signatures, including OpenSSL, Git and GnuPG, at risk.
Phasing Out SHA-1
It is worth remembering that this attack only matters for legacy systems, that is, for software and machines that still accept SHA-1 signatures. SHA-1 has become obsolete over the last half decade, largely because of a steady stream of attacks. Back in 2017, Microsoft Edge started actively blocking websites that used SHA-1 certificates, on the grounds that the SHA-1 hash algorithm was no longer secure: an attacker able to forge a certificate could spoof content, carry out phishing attacks, or mount man-in-the-middle attacks against web browsing. Microsoft’s distancing from SHA-1 continued in 2019, when the company stopped delivering Windows updates to machines that could only validate SHA-1-signed updates.

“Our work shows that SHA-1 is now fully and practically broken for use in digital signatures,” Leurent and Peyrin wrote in their paper. “We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 2^61.2 rather than 2^64.7, and chosen-prefix collisions with a complexity of 2^63.4 rather than 2^67.”

The PoC demonstrates impersonation. The attacker creates a PGP key whose identity certification collides, under SHA-1, with the victim’s, so that a third party’s signature vouching for the victim’s key is equally valid over the attacker’s key. With that key the attacker can pass as the victim, for example intercepting email sent to them or acting in their name towards other parties.
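The signature-transfer mechanism described above, both for signed certificates and for the PGP certification case, is shown below as an added example; it is not code from the paper or from Leurent and Peyrin. To keep it runnable in seconds it assumes a 32-bit truncation of SHA-1 in place of full SHA-1 and a two-table birthday search in place of the authors' cryptanalytic attack, and it uses an HMAC over the digest as a stand-in for the RSA/DSA signing step. The user IDs, the certifier key and the document layout are constructed sample data. What it shows is the shape of the abuse: two documents with attacker-chosen, meaningfully different prefixes that share a digest, and a verifier that accepts the certifier's signature on both.

```python
import hashlib
import hmac
import struct

# Assumption made for this demo: a 32-bit truncation of SHA-1 plays the role of
# SHA-1 so that a birthday search finishes in seconds. The real attack needs
# about 2^63.4 SHA-1 computations; the structure of the abuse is the same.
TRUNC_BYTES = 4


def weak_hash(data: bytes) -> bytes:
    """Truncated SHA-1, the digest a hash-then-sign scheme commits to."""
    return hashlib.sha1(data).digest()[:TRUNC_BYTES]


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, limit: int = 1 << 24):
    """Find suffixes sa, sb with weak_hash(prefix_a + sa) == weak_hash(prefix_b + sb).

    Both prefixes are chosen by the attacker: that is what lets the colliding
    documents differ in meaningful fields (a user ID, a subject name) instead of
    in random junk. Implemented as a two-table birthday search; the real attack
    uses differential cryptanalysis rather than brute force, but its output has
    the same shape.
    """
    seen_a = {}  # digest -> suffix already tried under prefix_a
    seen_b = {}  # digest -> suffix already tried under prefix_b
    for i in range(limit):
        suffix = struct.pack(">Q", i)
        ha = weak_hash(prefix_a + suffix)
        hb = weak_hash(prefix_b + suffix)
        if ha == hb:
            return prefix_a + suffix, prefix_b + suffix
        if ha in seen_b:
            return prefix_a + suffix, prefix_b + seen_b[ha]
        if hb in seen_a:
            return prefix_a + seen_a[hb], prefix_b + suffix
        seen_a.setdefault(ha, suffix)
        seen_b.setdefault(hb, suffix)
    raise RuntimeError("no collision found within the search limit")


def sign(key: bytes, message: bytes) -> bytes:
    """Hash-then-sign. HMAC over the digest stands in for the RSA/DSA step
    (assumption); the flaw demonstrated is in the hash, not the signature algorithm."""
    return hmac.new(key, weak_hash(message), hashlib.sha256).digest()


def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    """The verifier only ever sees the digest, so any colliding message passes."""
    return hmac.compare_digest(sign(key, message), signature)


def signature_transfer_demo() -> dict:
    # Constructed sample data: two certification bodies that bind different
    # identities. A certifier signs the first; the attacker wants the second accepted.
    victim_prefix = b"uid=alice@example.com;trust=full;"
    attacker_prefix = b"uid=mallory@example.com;trust=full;"
    doc_victim, doc_attacker = chosen_prefix_collision(victim_prefix, attacker_prefix)

    certifier_key = b"trusted-third-party-key"  # constructed; never seen by the attacker
    sig = sign(certifier_key, doc_victim)  # the certifier vouches for Alice only

    return {
        "digests_match": weak_hash(doc_victim) == weak_hash(doc_attacker),
        "documents_differ": doc_victim != doc_attacker,
        "victim_doc_verifies": verify(certifier_key, doc_victim, sig),
        "attacker_doc_verifies": verify(certifier_key, doc_attacker, sig),
    }


if __name__ == "__main__":
    for name, value in signature_transfer_demo().items():
        print(f"{name}: {value}")
```

The defence the researchers recommend follows directly from the last line of `verify`: a verifier that still computes and compares a SHA-1 digest accepts the attacker's document, so the fix is to refuse SHA-1 as a signature digest outright rather than to add checks around it, which also closes the downgrade path they warn about.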