The Freestart collision for full SHA-1 paper was released by Marc Stevens, Pierre Karpman and Thomas Peyrin. This is not a collision attack on the SHA-1 function itself, but on the compression function that underlies it.

The research paper states "Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks." As such, Bruce Schneier advises "don't panic, but prepare for a future panic."

The research has also revised the estimates of when a collision attack on SHA-1 might be expected. Previous estimates suggested that the best known collision attack on SHA-1, requiring 2^61 compression function evaluations, would cost approximately $700,000 in 2015. Revised estimates from the current research suggest that a collision could be found in a few months at a cost of up to $120,000. This attack would result in an identical-prefix collision, not the more powerful chosen-prefix collision that, for example, allowed the creation in 2008 of a rogue CA certificate using a collision in MD5.

Identical-prefix collisions allow two different files to have the same hash, and therefore the same signature. Examples would be two different code files, PDF documents or digital certificates.
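The two distinctions made above, a freestart collision on the compression function versus an actual collision on the hash, and why an identical-prefix collision turns into two different files with one digest, illustrated on a toy Merkle-Damgard construction. This is an added example, not code from the paper or from this post: the 16-bit compression function, the fixed IV and the sample prefix are all constructed so the brute-force searches finish instantly, where SHA-1 has a 160-bit state and the same searches are what the paper's GPU work is about.

```python
"""Toy Merkle-Damgard hash: freestart collision vs. real collision, and why an
identical-prefix collision survives any shared suffix.

Constructed example: 16-bit chaining value, 4-byte blocks, so collisions are cheap.
"""
import hashlib
from itertools import count

STATE_BYTES = 2   # toy chaining-value width (SHA-1: 20 bytes)
BLOCK_BYTES = 4   # toy message-block width (SHA-1: 64 bytes)
IV = b"\x12\x34"  # the fixed, public initial value (constructed for this demo)


def compress(chaining: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256 of (chaining || block), truncated to 16 bits."""
    assert len(chaining) == STATE_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(chaining + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the message length (mod 256)."""
    padded = msg + b"\x80"
    while (len(padded) + 1) % BLOCK_BYTES:
        padded += b"\x00"
    return padded + bytes([len(msg) % 256])


def toy_hash(msg: bytes) -> bytes:
    """The full hash: iterate compress() from the FIXED IV over the padded message."""
    state = IV
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK_BYTES):
        state = compress(state, padded[i:i + BLOCK_BYTES])
    return state


def freestart_collision():
    """Freestart: the attacker chooses BOTH chaining values as well as both blocks.
    Returns (cv1, m1, cv2, m2) with compress(cv1, m1) == compress(cv2, m2) and cv1 != cv2.
    Because neither cv is the real IV, this says nothing about toy_hash() directly."""
    seen = {}
    for i in count():
        cv = (i & 0xFFFF).to_bytes(STATE_BYTES, "big")
        if cv == IV:  # using the real IV would be a genuine single-block collision
            continue
        m = i.to_bytes(BLOCK_BYTES, "big")
        out = compress(cv, m)
        if out in seen:
            cv_prev, m_prev = seen[out]
            return cv_prev, m_prev, cv, m
        seen[out] = (cv, m)


def identical_prefix_collision(prefix: bytes):
    """Identical-prefix: both messages share a block-aligned prefix the attacker chose.
    Work from the REAL state reached after that prefix and find two different blocks
    that collide from there. Returns (m1, m2), two distinct messages of equal length."""
    assert len(prefix) % BLOCK_BYTES == 0
    state = IV
    for i in range(0, len(prefix), BLOCK_BYTES):
        state = compress(state, prefix[i:i + BLOCK_BYTES])
    seen = {}
    for i in count():
        block = i.to_bytes(BLOCK_BYTES, "big")
        out = compress(state, block)
        if out in seen:
            return prefix + seen[out], prefix + block
        seen[out] = block


def collides_with_suffix(m1: bytes, m2: bytes, suffix: bytes) -> bool:
    """Once the internal states agree, appending the same suffix (the rest of the PDF,
    code file or certificate body) to both messages keeps the digests equal."""
    return toy_hash(m1 + suffix) == toy_hash(m2 + suffix)


if __name__ == "__main__":
    cv1, m1, cv2, m2 = freestart_collision()
    print("freestart pair collides in compress():", compress(cv1, m1) == compress(cv2, m2))
    print("same blocks from the real IV collide:  ", compress(IV, m1) == compress(IV, m2))

    a, b = identical_prefix_collision(b"%PDF-1.4")  # 8-byte constructed shared prefix
    for suffix in (b"", b"identical trailing document content", bytes(100)):
        print(a != b, collides_with_suffix(a, b, suffix))
```

The freestart search is the cheaper of the two because the attacker gets to pick the chaining values; turning it into a real collision means reaching one of those chaining values from the fixed IV, which is the gap the paper describes between its result and an actual SHA-1 collision.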

Chosen-prefix collisions were at the heart of Flame's attack on Windows Update. Consideration of this attack probably drove the implementation of the SHA-1 deprecation policy announced by Microsoft in 2013.

Although the SHA-1 deprecation policy did not provide much tolerance for error, CAs have mitigated the risk of a SHA-1 collision being exploited by putting serial number or date entropy into the issued SSL/TLS certificates, so an attacker cannot predict the content the CA will sign. In most cases a rogue CA has also been mitigated by issuing certificates from a technically restricted intermediate CA. In this case the intermediate CA certificate carries a path length constraint of zero, which does not allow trust to be propagated to a subordinate CA.

The results of the research clearly reinforce the need to continue the transition away from SHA-1. All publicly trusted certification authorities (CAs) support migration to the stronger SHA-2 hash algorithms. These CAs will also stop issuing SHA-1 signed certificates effective January 1, 2016.

Bruce Morton

Bruce Morton is a pioneering figure in the PKI and digital certificate industry. He currently serves as Director for Certificate Services at Entrust Datacard, where he has been employed since 1999. His day-to-day responsibilities include managing standards implementations, overseeing Entrust Datacard’s policy authority, and monitoring Entrust Certificate Service for industry compliance.