
SHA-1 Freestart Collisions | BLOG

The paper Freestart collision for full SHA-1 was released by Marc Stevens, Pierre Karpman and Thomas Peyrin. It does not describe a collision attack on the SHA-1 hash function itself, but on the compression function that underlies it: in a freestart collision the attacker is free to choose the chaining value (the IV) as well as the message block, whereas a real SHA-1 collision must start from the fixed standard IV. The research paper states "Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks." As such Bruce Schneier advises “don't panic, but prepare for a future panic.”

The research has also revised the estimates of when a collision attack on SHA-1 might be expected. Previous estimates suggested that the best known collision attack on SHA-1, requiring 2^61 compression function evaluations, would cost approximately $700,000 in 2015. Revised estimates from the current research suggest that a collision could be found in a few months at a cost of up to $120,000.

Such an attack would result in an identical-prefix collision, not the more powerful chosen-prefix collision that, for example, allowed the creation in 2008 of a rogue CA certificate using a collision in MD5. An identical-prefix collision yields two different messages that share a common prefix and have the same hash, and therefore the same signature; because the hash is computed block by block, any common suffix can be appended to both messages without breaking the collision. Examples would be two different code files, PDF documents or digital certificates. Chosen-prefix collisions, in which the attacker picks the two prefixes independently, were at the heart of Flame's attack on Windows Update, and consideration of that attack probably drove the SHA-1 deprecation policy announced by Microsoft in 2013.

Although the SHA-1 deprecation policy did not provide much tolerance for error, CAs have mitigated the risk of a SHA-1 collision by putting unpredictable entropy into the serial numbers (or validity dates) of the SSL/TLS certificates they issue: a collision attack requires the attacker to know the content to be signed in advance, and a random serial number chosen by the CA defeats that prediction. In most cases a rogue CA has also been mitigated by issuing certificates from a technically restricted intermediate CA. In this case the intermediate CA certificate carries a basic constraints path length of zero, so a path-validating client will not accept any subordinate CA beneath it; a forged CA certificate signed by that intermediate therefore cannot be used to issue trusted end-entity certificates. The results of the research clearly reinforce the need to continue the transition away from SHA-1. All publicly trusted certification authorities (CAs) support migration to the stronger SHA-2 hash algorithms, and they will stop issuing SHA-1 signed certificates effective January 1, 2016.
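As an added illustration (not code from the paper or from this post), the following pure-Python SHA-1 exposes the compression function so that the distinction between a freestart collision and a real collision, and the suffix-extension property behind identical-prefix collisions, can be seen directly. The function names (sha1_compress, absorb, sha1_from_state, classify_collision, suffix_keeps_collision) are this example's own; the digest is checked against hashlib, and the inputs in the demo are constructed, non-colliding blocks.

```python
# Added example (not from the paper or this post): pure-Python SHA-1 with the
# compression function exposed, checked against hashlib. Function names are
# this example's own. Python 3, standard library only.
import hashlib
import struct

MASK = 0xFFFFFFFF
# The fixed standard initial chaining value. A real SHA-1 collision must start
# here; a freestart collision lets the attacker choose this value as well.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_compress(state, block):
    """One compression step: 160-bit chaining value + 64-byte block -> new value."""
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & MASK) + e + k + w[i]) & MASK
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input chaining value back in.
    return tuple((x + y) & MASK for x, y in zip(state, (a, b, c, d, e)))


def sha1_padding(total_len):
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def absorb(state, data):
    """Run the compression function over the whole 64-byte blocks of data."""
    for off in range(0, len(data) - len(data) % 64, 64):
        state = sha1_compress(state, data[off:off + 64])
    return state


def sha1_from_state(state, tail, total_len):
    """Finish a hash from a chaining value reached after total_len - len(tail)
    bytes (a multiple of 64): absorb tail plus padding and return the digest."""
    assert (total_len - len(tail)) % 64 == 0
    return struct.pack(">5I", *absorb(state, tail + sha1_padding(total_len)))


def sha1(data):
    return sha1_from_state(SHA1_IV, data, len(data))


def classify_collision(iv1, m1, iv2, m2):
    """'none' if the inputs are identical or the outputs differ; 'collision' if
    both inputs start from the standard IV; otherwise 'freestart'."""
    if (iv1, m1) == (iv2, m2) or sha1_compress(iv1, m1) != sha1_compress(iv2, m2):
        return "none"
    return "collision" if iv1 == iv2 == SHA1_IV else "freestart"


def suffix_keeps_collision(prefix1, prefix2, suffix):
    """Why an identical-prefix collision is reusable: once two equal-length,
    block-aligned prefixes reach the same chaining value, the digest depends only
    on that value and the common suffix. With a real colliding block pair this
    is True for every suffix; for ordinary distinct prefixes it is False."""
    assert len(prefix1) == len(prefix2) and len(prefix1) % 64 == 0
    s1, s2 = absorb(SHA1_IV, prefix1), absorb(SHA1_IV, prefix2)
    if s1 != s2:
        return False  # chaining values differ: nothing to extend
    return sha1_from_state(s1, suffix, len(prefix1) + len(suffix)) == sha1(prefix2 + suffix)


if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog"
    print(sha1(msg).hex(), sha1(msg) == hashlib.sha1(msg).digest())
    # Constructed inputs: distinct blocks from the standard IV, so no collision.
    print(classify_collision(SHA1_IV, b"\x00" * 64, SHA1_IV, b"\x01" + b"\x00" * 63))
    # The digest of prefix||suffix is fixed by the chaining value after the
    # prefix, which is exactly what an identical-prefix attack relies on.
    prefix, suffix = b"A" * 64, b"common suffix"
    finished = sha1_from_state(absorb(SHA1_IV, prefix), suffix, len(prefix) + len(suffix))
    print(finished == hashlib.sha1(prefix + suffix).digest())
```

A colliding block pair from an actual attack would be supplied as the two prefixes to suffix_keeps_collision; the point of the freestart result is that the pair found by the paper collides only under attacker-chosen IVs, so classify_collision would report "freestart" rather than "collision", and no pair of SHA-1 messages follows from it yet.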