The paper "Freestart collision for full SHA-1" was released by Marc Stevens, Pierre Karpman and Thomas Peyrin. This is not a collision attack on the SHA-1 function itself, but on the compression function that underlies it: in a freestart collision the attacker is free to choose the chaining value (the IV) as well as the message blocks.

The research paper states "Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks." As such, Bruce Schneier advises “don't panic, but prepare for a future panic.”

The research has also revised the estimates of when a collision attack on SHA-1 might be expected. Previous estimates put the cost of the best known collision attack on SHA-1, which requires 2^61 compression function evaluations, at approximately $700,000 in 2015. The revised estimates from the current research suggest that a collision could be found in a few months at a cost of up to $120,000. Such an attack would produce an identical-prefix collision, not the more powerful chosen-prefix collision that, for example, allowed the creation in 2008 of a rogue CA certificate using a collision in MD5.

Identical-prefix collisions allow two different files to carry the same hash, and therefore the same digital signature. Examples would be two different code files, PDF documents or digital certificates.

Chosen-prefix collisions were at the heart of Flame's attack on Windows Update. Consideration of this attack probably drove the SHA-1 deprecation policy that Microsoft announced in 2013.

Although the SHA-1 deprecation policy did not provide much tolerance for error, CAs have mitigated the risk of a SHA-1 collision by putting serial number or date entropy into the SSL/TLS certificates they issue, so that an attacker cannot predict the full content the CA will sign. In most cases the rogue CA scenario has also been mitigated by issuing certificates from a technically restricted intermediate CA: the intermediate CA certificate carries a path length constraint of zero, which does not allow trust to propagate to a subordinate CA beneath it.
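The following Python sketch is an added illustration of the two CA-side mitigations just described; it is not code from the original post or from Entrust. It models certificates as plain dicts rather than real X.509, issues them with serial numbers drawn from a CSPRNG, and enforces the path length constraint in a simplified RFC 5280 path walk. The 64-bit serial size, the certificate names and the dict layout are all assumptions made for the example.

```python
import secrets

# Assumed policy for this example: every serial carries 64 bits of CSPRNG output.
SERIAL_ENTROPY_BITS = 64


def make_root(subject):
    """Self-signed trust anchor (constructed sample data, not a real CA)."""
    return {"serial": secrets.randbits(SERIAL_ENTROPY_BITS), "issuer": subject,
            "subject": subject, "is_ca": True, "path_len": None}


def issue_certificate(issuer_cert, subject, is_ca=False, path_len=None):
    """Issue a certificate whose serial number is unpredictable.

    A chosen-prefix collision requires the attacker to know every byte of the
    to-be-signed structure before the CA signs it.  A CSPRNG serial sits ahead
    of the requester-controlled fields, so a prepared collision block matches
    the signed content only with probability 2**-SERIAL_ENTROPY_BITS.
    """
    return {"serial": secrets.randbits(SERIAL_ENTROPY_BITS),
            "issuer": issuer_cert["subject"], "subject": subject,
            "is_ca": is_ca, "path_len": path_len}


def validate_path(trust_anchor, path):
    """Simplified RFC 5280 section 6.1 path validation (toy, not complete).

    `path` lists the certificates below the trust anchor, ending with the
    end-entity certificate.  Enforces issuer chaining, the cA flag on every
    intermediate, and pathLenConstraint: an intermediate with path_len == 0
    may sign end-entity certificates only, never a subordinate CA.
    Returns (ok, reason).
    """
    max_path_length = len(path)
    expected_issuer = trust_anchor["subject"]
    for index, cert in enumerate(path):
        if cert["issuer"] != expected_issuer:
            return False, f"{cert['subject']}: issuer does not match {expected_issuer}"
        if index < len(path) - 1:  # this certificate acts as an intermediate CA
            if not cert["is_ca"]:
                return False, f"{cert['subject']}: not a CA certificate"
            if cert["subject"] != cert["issuer"]:  # not self-issued: consumes one hop
                if max_path_length <= 0:
                    return False, f"{cert['subject']}: exceeds an ancestor's pathLenConstraint"
                max_path_length -= 1
            if cert["path_len"] is not None and cert["path_len"] < max_path_length:
                max_path_length = cert["path_len"]
        expected_issuer = cert["subject"]
    return True, "ok"


def demo():
    """Build a constructed hierarchy and exercise both mitigations."""
    root = make_root("Example Root CA")
    # Technically restricted intermediate: pathLenConstraint = 0.
    intermediate = issue_certificate(root, "Example Issuing CA", is_ca=True, path_len=0)
    leaf = issue_certificate(intermediate, "www.example.test")
    # A CA certificate that somehow appears under the restricted intermediate
    # must be rejected by relying parties even if its signature is valid.
    unauthorized_sub_ca = issue_certificate(intermediate, "Unauthorized Sub CA", is_ca=True)
    sub_ca_leaf = issue_certificate(unauthorized_sub_ca, "victim.example.test")
    batch = [issue_certificate(intermediate, f"host{i}.example.test") for i in range(1000)]
    return {
        "direct_leaf": validate_path(root, [intermediate, leaf]),
        "via_sub_ca": validate_path(root, [intermediate, unauthorized_sub_ca, sub_ca_leaf]),
        "distinct_serials": len({c["serial"] for c in batch}) == len(batch),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module validates the direct chain, rejects the chain that passes through a subordinate CA beneath the path-length-zero intermediate, and confirms that a batch of issued serials is free of repeats; a real deployment would apply the same path-length logic to parsed X.509 extensions rather than dict fields.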

The results of the research clearly reinforce the need to continue the transition away from SHA-1. All publicly trusted certification authorities (CAs) support migration to the stronger SHA-2 hash algorithms. These CAs will also stop issuing SHA-1 signed certificates effective January 1, 2016.

Bruce Morton

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.