Google and CWI announced SHAttered, an attack on the SHA-1 cryptographic hash function. The attack was demonstrated by allowing the cryptographic signature on a good PDF to be the same as on a bad PDF. In other words, they forged the signature.
As computing power and research continue to grow, hash functions will become weak over time. Over the last 15 years, we have seen efforts to strengthen signing algorithms in the movements from MD5 to SHA-1 to SHA-2. For SSL/TLS certificates, SHA-1 deprecation started with an announcement from Microsoft in 2013. The result is the certification authorities (CAs) stopped signing SHA-1 certificates for 2016. In 2017, browsers and operating systems will no longer trust SHA-1 certificates.
The hash function allows a file to be represented cryptographically with a fixed length number. Each file hashed should have its own unique hash. If a file is checked for integrity, the hash from the author is compared to the hash created by the recipient. If they are the same, the file is authentic, but if they differ, the file has been compromised. The hash is used to create digital signatures including those used for signing digital certificates, code and documents such as PDFs.
The SHAttered team provided an infographic and a paper to explain the attack to most audiences. The attack was performed by computing collision blocks and adding them to a bad PDF. The correct collision blocks allowed the bad PDF to have the same SHA-1 hash as a good PDF.
Over 9,223,372,036,854,775,808 or over 9 quintillion SHA-1 computations had to be calculated to achieve the collision. This would take 110 years on a single GPU running 24/7 or about $110,000 using cloud resources. This appears to be more aggressive than Bruce Schneier’s SHA-1 collision prediction, which estimated a cost of $173,000 in 2018.
Public trust certificates have already addressed this security issue. SSL/TLS certificates migrated to SHA-2 with serial numbers including 64-bits of entropy. Most CAs would have also extended this policy to other certificates such as code signing, S/MIME, document signing, time-stamping and OCSP.
The bigger issue is the signatures that certificate subscribers are putting on signing files. Even if the subscriber has a SHA-2 document signing certificate, they might sign the document with aSHA-1 signature. Creating a vulnerability where the user could have a signed file that could be compromised using SHAttered in the future. Please sign with SHA-2.
9 quintillion sounds like a lot of attempts, but the cryptographer’s adage is “attacks always get better, they never get worse.” The SSL/TLS move to SHA-2 was timely, but probably a little late for crypto- security safety. Browsers, servers and CAs should now consider supporting SHA-3 to prepare for the event of deprecating SHA-2.
Also note that for SHAttered, Google will wait 90-days (say May 24, 2017) before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 value. Google has added protections in Gmail and GSuite and have provided a free detection system. Hopefully Adobe will also provide some protection.