The exploit was developed by Gaëtan Leurent and Thomas Peyrin, academic researchers at Inria France and Nanyang Technological University/Temasek Laboratories in Singapore. They noted that because the attack is much less complex and cheaper than previous PoCs, it places such attacks within the reach of ordinary attackers with ordinary resources.
“This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function,” the researchers wrote. “Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks.”
Given the footprint of SHA-1, Leurent and Peyrin said that users of GnuPG, OpenSSL and Git could be in immediate danger. And, in backward compatibility scenarios, users can experience downgraded encrypted connections to the outdated hash function, which opens the door to attacks even in instances where SHA-1 isn’t the default.
SHA-1, Lingering On
The NIST-developed SHA-1 has been phased out over the course of the last five years, as more and more attacks that break it have popped up. Microsoft for instance last year announced that it would no longer deliver Windows OS updates to machines using SHA-1, citing the existence of known collision attacks against SHA-1 as the main reason. Collisions occur when an attacker is able to generate a certificate with the same signature as the original certificate.
All of the major browsers and most applications don’t recognize certificates signed with SHA-1 these days, few certificate authorities still support it, and NIST has deprecated it since 2011, but the latest PoC attack is nonetheless deeply concerning given that for all of that, it remains far from being fully deprecated.
In particular, Pretty Good Privacy (PGP), a widely used encryption program used for signing, encrypting and decrypting texts, emails, files, directories and whole disk partitions, and which plays a big role in email security communications, defaults to using SHA-1.
“It is still the default hash function for certifying PGP keys in the legacy 1.4 version of GnuPG, the open-source successor to PGP application for encrypting email and files,” explained researchers at Venafi, in a post Wednesday analyzing the PoC.
But that’s not the only remaining bastion for SHA-1. Venafi researchers added: “Git, the world’s most widely used system for managing software development among multiple people, still relies on SHA-1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA-1 certificates. SHA-1 is also still allowed for in-protocol signatures in the TLS and SSH protocols.”
A Major Collision
The exploit, which focused on PGP, is yet another collision attack, but it’s one that significantly lowers the bar for attackers looking to break SHA-1 compared to previous PoCs. Building on previous exploits, which would be expensive and complex to carry out, the researchers focused on driving efficiencies into the attack, in order to make it practical to execute.
“Our work shows that SHA-1 is now fully and practically broken for use in digital signatures,” Leurent and Peyrin wrote in their paper. They added, “We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 2 to the power of 61.2 rather than 2 to the power of 64.7, and chosen-prefix collisions with a complexity of 2 to the power of 63.4 rather than 2 to the power of 67.”
The attack essentially allows a threat actor to impersonate a legitimate user by creating a PGP key that’s identical to the victim’s key. This then would allow the attacker to intercept email communications, carry out a man-in-the-middle attack, hijack sessions and more.
The researchers explained:
“By exploiting properties of the OpenPGP and JPEG format, we can create two public keys: Key A with the victim name, and key B with the attacker name and picture, such that the identity certificate containing the attacker key and picture has the same SHA-1 hash as the identity certificate containing the victim key and name. Therefore, the attacker can request a signature of his key and picture from a third party (from the Web of Trust or from a [certificate authority]) and transfer the signature to key A. The signature will still be valid because of the collision, while the attacker controls key A with the name of the victim and signed by the third party. Therefore, he can impersonate the victim and sign any document in her name.”
Making matters worse, SHA-1 doesn’t even need to be selected for use for the attack to work – it merely has to be supported by any given implementation.
“We stress that when a protocol supports several hash functions, those attacks are possible as long as SHA-1 is supported by implementations, even if it is not selected during normal use,” according to the paper. “A man-in-the-middle attacker will just force the parties to use SHA-1.”
In practice, achieving the attack takes computational horsepower and processor resources; the researchers said that they paid $756,000 for their trial-and-error process and computations, but the cost could be as low as $50,000 using more advanced GPUs and a known attack methodology. In some cases, the cost could be as low as $11,000.
“This is clearly within reach of reasonable attackers,” they said. “GPU technology improvements and general computation cost decrease will quickly render our attack even cheaper, making it basically possible for any ill-intentioned attacker in the very near future.”
The bottom line is that users, admins and developers should make the switch to the next-generation SHA-2 as soon as possible. Progress is being made: In light of the research findings, the developers of GnuPG have implemented a countermeasure by discontinuing its use in version 2.2; and OpenSSL’s developers said that they’re considering removing support for SHA-1. The paper also noted that GIT developers have been working on replacing SHA-1, and they use a collision detection library to mitigate the risks of collision attacks.
Though GnuPG has removed SHA-1 support for version 2.2, the researchers cautioned in the paper, “the ‘classic’ branch of GnuPG (v1.4) [still] uses SHA-1 by default for identity certifications, and there is still a non-negligible number of keys signed with SHA-1.”