SHA-1 collision attacks are now actually practical and a looming danger

guest · May 13, 2019

SHA-1 collision attacks are now actually practical and a looming danger
Research duo showcases first-ever SHA-1 chosen-prefix collision attack
May 13, 2019
https://www.zdnet.com/article/sha-1...-now-actually-practical-and-a-looming-danger/

Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last week with the discovery of the first-ever "chosen-prefix collision attack," a more practical version of the SHA-1 collision attack first carried out by Google two years ago.

What this means is that SHA-1 collision attacks can now be carried out with custom inputs, and they're not just accidental mishaps anymore, allowing attackers to target certain files to duplicate and forge.
SHA-1 CHOSEN-PREFIX ATTACKS
But last week, a team of academics from France and Singapore has taken the SHAttered research one step further by demonstrating the first-ever SHA-1 "chosen-prefix" collision attack, in a new research paper titled "From Collisions to Chosen-Prefix Collisions - Application to Full SHA-1."
WHAT TO USE?
"The attacks against SHA-1 are only going to get better," Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, and a leading cryptographer, told ZDNet in a separate email.
Click to expand...

"Everyone should switch to (in order of preference):

BLAKE2b / BLAKE2s

SHA-512/256

SHA3-256

SHA-384

Any other SHA2-family hash function as a last resort

"[...] SHA1 should no longer be used anymore. No excuses," Arciszewski said.
Click to expand...

Research paper (PDF): https://eprint.iacr.org/2019/459.pdf

Mr.X · May 13, 2019

BLAKE2 — fast secure hashing

guest · Jan 7, 2020

New 'Shambles' Attack Against SHA-1 Shows It’s Finally Time to Ditch It
Everyone should have stopped using it years ago
January 7, 2020
https://www.tomshardware.com/uk/news/researchers-reveal-new-sha-1-attack

A new collision attack against the SHA-1 hash function shows that SHA-1 attacks are getting significantly cheaper with each passing year and that it should no longer be used for software security. The new attack puts PGP and other software that uses SHA-1 in their authentication schemes at risk of being compromised.
From Shatters to Shambles
The first theoretical collision attack against SHA-1 was demonstrated back in 2005, but it was considered impractical due to the amount of resources it required.
Chosen-Prefix Collision Attacks Getting Much Cheaper, Too
The researchers were able to create a chosen-prefix collision attack for $74,000 when they did their research earlier last year. However, they noted that with further optimization to their software and by taking advantage of lower-priced hardware that has appeared on the market since then, the attack should now cost around $45,000.
Click to expand...

Once More, With Feeling: SHA-1 Is No Longer Secure
In case it wasn’t clear enough that nobody should use SHA-1 anymore for software security, the researchers also made this recommendation explicit in their paper:

“This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function.
Continuing to use SHA-1 in software puts users and customers of software platforms at risk of having their private information forged and stolen. The researchers recommended switching to SHA-2 or stronger alternatives.
Click to expand...

SHA-1 is a Shambles

We have computed the very first chosen-prefix collision for SHA-1. In a nutshell, this means a complete and practical break of the SHA-1 hash function, with dangerous practical implications if you are still using this hash function.
Click to expand...

SHA-1 is a Shambles - First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust
(PDF - 586 KB): https://eprint.iacr.org/2020/014.pdf

guest · Feb 7, 2020

Git developers release test code to transition away from aging SHA-1 hashing
February 6, 2020
https://portswigger.net/daily-swig/...e-to-transition-away-from-aging-sha-1-hashing

Git, the popular distributed software version control system, is taking the first tentative steps in what promises to be a tricky migration between the aging SHA-1 hashing algorithm and a more secure alternative.
Collision avoidance
Hashing functions take an input and process it to give a fixed size hash value or message digest. Security researchers at CWI Amsterdam and Google first demonstrated in 2017 that it was possible for two different files to give the same SHA-1 hash – known as a “collision”.
[...] researchers recently demonstrated a way to append data to two existing documents in such a way that they return the same SHA-1 hash. This is known as a “chosen-prefix collision”.

An analysis by Jonathan Corbet of Linux and free software news site LWN.net outlines the situation:

SHA‑1 is now considered to be broken and, despite the fact that it does not yet seem to be so broken that it could be used to compromise Git repositories, users are increasingly worried about its security.
Click to expand...

guest · May 27, 2020

OpenSSH to deprecate SHA-1 logins due to security risk
Breaking a SHA-1-generated SSH authentication key now costs roughly $50,000, putting high-profile remote servers at risk of attacks
May 27, 2020
https://www.zdnet.com/article/openssh-to-deprecate-sha-1-logins-due-to-security-risk/

OpenSSH, the most popular utility for connecting to and managing remote servers, has announced today plans to drop support for its SHA-1 authentication scheme.

The algorithm was broken in a practical, real-world attack in February 2017, when Google cryptographers disclosed SHAttered, a technique that could make two different files appear as they had the same SHA-1 file signature.
At the time, creating an SHA-1 collision was considered computationally expensive [...]
Click to expand...

By default, the OpenSSH ssh-rsa mode generates these keys by using the SHA-1 hashing function, meaning these keys are susceptible to SHAterred attacks, allowing threat actors to generate duplicate keys.

"This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs," OpenSSH devs said today.
The OpenSSH team is now asking server owners to check if their keys have been generated with the default ssh-rsa mode, and generate new ones using a different mode.
Click to expand...

Server owners who rely on OpenSSH to manage remote systems can find additional details on how to test their server for weak SHA-1-based keys in the OpenSSH 8.3 changelog.

In a previous release, in version 8.2, the OpenSSH team also added support for FIDO/U2F-based hardware security keys, which can also be used to log into remote servers in even a safer manner.
Click to expand...

guest · Jun 20, 2020

mood said: ↑

Git developers release test code to transition away from aging SHA-1 hashing
February 6, 2020
https://portswigger.net/daily-swig/...e-to-transition-away-from-aging-sha-1-hashing
Click to expand...

Updating the Git protocol for SHA-256
June 19, 2020
https://lwn.net/SubscriberLink/823352/ea717c1e49390505/

The Git source-code management system has for years been moving toward abandoning the Secure Hash Algorithm 1 (SHA-1) in favor of the more secure SHA-256 algorithm. Recently, the project moved a step closer to that goal with contributors implementing new Git protocol capabilities to enable the transition.
Click to expand...

Fundamentally, Git repositories are built on hash values — presently using the SHA-1 algorithm.
In short, Git uses SHA-1 hashes everywhere to ensure the integrity of the repository's contents by effectively creating a chain of hash values of the objects representing that repository over time, similar to blockchain technology.

The problem with SHA-1, or any hashing algorithm, is that its usefulness erodes if the hashes it produces make collisions likely.
Click to expand...

It has not been an easy task; the original Git implementation hard-coded SHA-1 as the only supported algorithm, and countless repositories need to be transitioned from SHA-1 to SHA-256.
What comes next
With this milestone reached, the end is in sight for a fully working implementation of SHA-256 powered repositories.

With these changes almost complete, it not only provides an alternative to SHA-1, but also makes Git fundamentally indifferent to the hashing algorithm used. This should make Git more adaptable in the future should the need to replace SHA-256 with something stronger arise.
Click to expand...

guest · Oct 1, 2020

Collision avoidance: OpenSSH lays out plans to ditch aging SHA-1 hashing algorithm
Security shortcomings have become too severe to ignore
September 29, 2020
https://portswigger.net/daily-swig/...-plans-to-ditch-aging-sha-1-hashing-algorithm

The developers behind OpenSSH have announced their intention to stop supporting the aging SHA-1 hashing algorithm in the near future.

The older MD5 hashing algorithm has been vulnerable to such a chosen-prefix collision for years. That SHA-1 has shown similar problems is more a reflection of increased computing power in the hands of potential adversaries, rather than inherent design flaws.
Chosen-prefix attacks
The writing is on the wall for SHA-1, and the developers of OpenSSH are getting ready to disavow the technology as a result.

The release notes of OpenSSH 8.4, published on Sunday (September 27), laid out plans to pull support for SHA-1 with the next release.
Click to expand...

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, a vendor that specializes in the management of SSH and SSL/TLS machine identities, welcomes the OpenSSH project team moves towards ditching SHA-1.

“It’s been known for years now that the SHA-1 algorithm is insecure,” Bocek told The Daily Swig. “NIST called for the elimination of SHA-1 almost 15 years ago, while back in 2017, researchers from Google demonstrated that the SHA-1 algorithm could be cracked with a collision attack – a technique which has become increasingly affordable to cybercriminals ever since.
“OpenSSH’s move is therefore another nail in the coffin for SHA-1, and an important reminder to those still relying on it that they must migrate as soon as possible.”
Click to expand...

Log in or Sign up

SHA-1 collision attacks are now actually practical and a looming danger

guest Guest

Mr.X Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

SHA-1 collision attacks are now actually practical and a looming danger

guest Guest

Mr.X Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches