Rejection of the standard was too slow. On February 23, researchers, members of the Dutch Institute CWI, as well as experts from Google announced that they were able to crack SHA-1 standard in practice. This standard is used to digitally sign documents and verify the integrity of files code. It used for the protection:
- credit card transactions
- documents transferred in the web
- programs that are distributed online
Marc Stevens, cryptanalyst working at CWI, said that many of the applications are still using the SHA-1, although an official denial from the standard took place in 2011. Standard weaknesses were identified in the distant 2005. Even then, the standard was considered obsolete. However, industry rejection of the SHA-1 is too slow. This case should significantly accelerate the process of transition.
Collisions can lead to falsification of signatures
Calculations of Marc Stevens (CWI) and Elie Bursztein (Google) were started two years ago. The result of a joint effort began breaking SHA-1 standard by using attack collisions. SHA-1 – an algorithm developed by NSA and NIST standardized in 1995 to calculate the checksum of the message. Later, they were used for the calculation of digital signatures, which are the foundation for the HTTPS security, electronic payments, signing documents, files and programs.
Collisions – so called messages with the same checksum. They can lead to a digital signature forgeries. SHA-1 signature, released for one of the files, may be incorrectly used as a trusted signature for any other files with collisions.
How collision was revealed
Detection of SHA-1 collision was the result of vigorous activity related to CWI research for more than seven years. Experts tried to create a practical method of attack with collisions on SHA-1. In 2012 Stevens was developed a theoretical attack that became the springboard for future developments in this area.
Elie pointed out that the search for collisions in practice requires a lot of manpower and technical resources. It was necessary to create an attack that would have given the bottom line. Total had to spend 9,223,372,036,854,775,808 calculations for SHA-1, which would take 6,500 years of computing processor and 100 years of GPU Computing. However, it’s still 100 000 times faster than an attack by brute force. For specialists took advantage of existing infrastructure, Google serving many projects – for example, Alpha Go, Google Photo, Google Cloud.
Previously similar attacks were made on MD5 standards, which are a precursor to the SHA-1. In 2015, Stevens, along with several specialists found that the search for the SHA-1 collision may require about $ 75K- $ 120K. To do this, it planned to use cheap GPU power of Amazon EC2.
Collisions are used to create two different PDF-files with the same checksum SHA-1, but the content of files was different. After this revealing of conflict the team will wait for 90 days to release the PDF generator that will allow creating the PDF-document with the collision.
Protection against collision
To prevent misuse of fake PDF, the team has released a free tool for scanning documents on using collisions. This tool is based on a special technique developed by Stevens to determine whether that document was created precisely for the purpose of the attack with collisions. Protect PDF documents is now automatic for users of Gmail and Google Drive. To protect against attacks with collisions need to get away from SHA-1 standard to the standard SHA-2, or SHA-3.
For the HTTPS protocol transition from SHA-1 to SHA-2 began in 2015. Starting this year browsers marked SHA-1 certificates as unsecure. All backup systems and documents signatures must also be switched to the SHA-2.