In January, a pair of researchers published details of the first practical chosen prefix collision on SHA-1, showing that the aged hash algorithm, which had already far outlived its usefulness, was now all but useless. All of the major browsers had already abandoned SHA-1, as had most of the large certificate authorities, but it is still in use in many other places, including embedded systems and some cryptography systems.
One of the more widely deployed applications that still supports SHA-1 is OpenSSH, the open source implementation of the SSH protocol that is included in a huge number of products, including Windows, macOS, many Unix systems, and several popular brands of network switches. On Wednesday, the OpenSSH developers said that a future version will disable by default the "ssh-rsa" public key signature algorithm, which relies on SHA-1.
“It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release,” the OpenSSH developers said in the release notes for version 8.3 on Wednesday.
“This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.”
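As an added example, not code from the article or from the OpenSSH project, the script below audits an ssh_config or sshd_config for directives that still accept ssh-rsa, applying OpenSSH's first-occurrence rule and its `+`, `^` and `-` list semantics; it assumes the OpenSSH 8.3-era defaults noted in its comments and treats the sample configs as constructed.

```python
"""Audit an OpenSSH config for directives that still accept ssh-rsa (RSA over SHA-1).
Added example, not OpenSSH code. Assumes 8.3-era defaults: ssh-rsa is still in the
default host-key and public-key lists (until 8.8) but not in CASignatureAlgorithms
(removed in 8.2). Match blocks are not modelled."""
import re
from fnmatch import fnmatchcase

# Directive -> does the default list (no directive present) still allow ssh-rsa?
DEFAULT_ALLOWS = {"hostkeyalgorithms": True, "pubkeyacceptedkeytypes": True,
                  "casignaturealgorithms": False}
# PubkeyAcceptedKeyTypes was renamed PubkeyAcceptedAlgorithms in 8.5; both are audited.
ALIASES = {"pubkeyacceptedalgorithms": "pubkeyacceptedkeytypes"}
# The certificate flavour of ssh-rsa also signs with SHA-1.
WEAK = ("ssh-rsa", "ssh-rsa-cert-v01@openssh.com")


def first_values(config_text):
    """Map each audited directive to its first value; OpenSSH ignores later ones."""
    found = {}
    for raw in config_text.splitlines():
        m = re.match(r"(\S+?)\s*(?:=|\s)\s*(\S.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key in DEFAULT_ALLOWS and key not in found:
            found[key] = m.group(2).strip()
    return found


def weak_allowed(value, default_allows):
    """Weak names still accepted after '+list' (append to default), '^list'
    (prepend), '-list' (remove wildcard matches from default) or a bare list."""
    algs = [a.strip().lower() for a in value.lstrip("+-^").split(",") if a.strip()]
    named = [w for w in WEAK if any(fnmatchcase(w, a) for a in algs)]
    if value.startswith("-"):          # removal: only unmatched weak names survive
        return [w for w in WEAK if w not in named] if default_allows else []
    if value[0] in "+^":               # additive: the default set is kept whole
        return list(WEAK) if default_allows else named
    return named                       # replacement: only what is listed


def audit(config_text):
    """Return {directive: [weak names still accepted]}; an empty list is clean."""
    values = first_values(config_text)
    return {k: weak_allowed(values[k], d) if k in values else (list(WEAK) if d else [])
            for k, d in DEFAULT_ALLOWS.items()}


if __name__ == "__main__":
    # Constructed samples: a setting that re-enables SHA-1 beside a corrected one.
    print("weak ", audit("Host *\n  HostKeyAlgorithms +ssh-rsa   # re-enables SHA-1\n"))
    print("fixed", audit("HostKeyAlgorithms -ssh-rsa*\n"
                         "PubkeyAcceptedKeyTypes rsa-sha2-512,rsa-sha2-256,ssh-ed25519\n"))
```

Note that `-ssh-rsa` on its own removes only the plain algorithm and leaves `ssh-rsa-cert-v01@openssh.com` in the default list, which is why the corrected sample uses the wildcard form.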
The attack that Gaetan Leurent and Thomas Peyrin published against SHA-1 is not simple, and the researchers spent a couple of months on the computations necessary to produce the collision. In practical terms, the attack would allow an adversary to produce an identical SHA-1 digest for two distinct files. An attacker could use this technique to produce a forged certificate that validates as legitimate, or to impersonate another user by creating a duplicate PGP key. At the time the research was published, several popular open source projects still had at least partial support for SHA-1, including GnuPG and OpenSSL, in addition to OpenSSH. GnuPG implemented some countermeasures to the attack, while OpenSSL removed support for SHA-1-signed certificates.
But until now, OpenSSH had still included support for SHA-1, an algorithm that was designed 25 years ago, in an era when only governments and maybe a handful of research institutions had computers powerful enough to have any chance of breaking it. That hasn’t been the case for many years, as Leurent and Peyrin showed, using a combination of commodity gaming PCs and rented GPUs for their attack.
A few weeks after the publication of the SHA-1 collision research, the OpenSSH team indicated that it would be removing support for the algorithm, while at the same time adding support for the use of U2F hardware security keys as a second factor for authentication. That move added an extra layer of defense against credential-theft attacks and gave users more options for strong authentication.
One of the major implications of OpenSSH dropping ssh-rsa, and with it SHA-1, is that embedded devices that ship OpenSSH but rarely, if ever, receive updates may remain exposed indefinitely. Embedded Linux is a popular operating system for resource-constrained devices, and OpenSSH is a good option for remote secure login to those devices.