UPDATE--SHA-1, the 25-year-old hash function designed by the NSA and considered unsafe for most uses for the last 15 years, has now been “fully and practically broken” by a team that has developed a chosen-prefix collision for it.
The development means that an attacker could impersonate another person in the PGP web of trust: not by copying the victim's key, but by forging a key that carries the victim's user ID and whose certification data collides with that of a legitimate key the attacker controls, so that a third party's signature on the legitimate key also verifies on the forged one. The technique the researchers developed is complex and required two months of computation on 900 GPUs, so it is by no means a layup for most adversaries. SHA-1 has been phased out of most applications: none of the major browsers accept certificates signed with SHA-1, and NIST deprecated it for signature generation in 2011. But the new result shows that SHA-1 is no longer fit for use in digital signatures.
The new collision is the work of researchers Gaetan Leurent and Thomas Peyrin, and while SHA-1 isn’t widely used anymore, it has potential consequences for users of GnuPG and OpenSSL, among other applications.
“Our work shows that SHA-1 is now fully and practically broken for use in digital signatures. GPU technology improvements and general computation cost decrease will quickly render our attack even cheaper, making it basically possible for any ill-intentioned attacker in the very near future,” the researchers said in their new paper, published this week.
“SHA-1 usage has significantly decreased in the last years; in particular web browsers now reject certificates signed with SHA-1. However, SHA-1 signatures are still supported in a large number of applications. SHA-1 is the default hash function used for certifying PGP keys in the legacy branch of GnuPG (v 1.4), and those signatures were accepted by the modern branch of GnuPG (v 2.2) before we reported our results.”
“We note that classical collisions and chosen-prefix collisions do not threaten all usages of SHA-1."
There are several potential scenarios in which the new collision could be used in an attack, the most likely of which is someone impersonating another user with a forged PGP key that carries the victim's user ID and a genuine third-party certification. But the researchers said there are other possibilities, as well.
"Another important scenario is the handshake signature in TLS and SSH which were vulnerable to the SLOTH attack when MD5 was supported, and could now be attacked in the same way when SHA-1 is supported. However, the attack is still far from practical in this setting because we need to compute the collision in a few minutes at most," Leurent said in an email.
"There could also be attacks similar to the MD5 Rogue CA or the attack used by the Flame malware to break Windows Update, but that only works if someone is still signing certificates with SHA-1 and using predictable serial numbers. We are not aware of a CA doing this, but it may still exist somewhere," he added.
The chosen-prefix collision is distinct from the SHA-1 collision developed in 2017 by a team of researchers from Google and the Cryptology Group at Centrum Wiskunde & Informatica (CWI) in the Netherlands. That work, known as SHAttered, was an identical-prefix collision: it produced two distinct files with the same SHA-1 digest, but both files had to begin with the same attacker-chosen prefix, and it arrived as the major browsers were completing their removal of SHA-1 certificates. A chosen-prefix collision is stronger, because the attacker picks two arbitrary, different prefixes (two PGP keys with different user IDs, for instance) and then computes collision blocks that bring the two hash computations to the same internal state; any identical suffix appended after that point keeps the two digests equal. With that building block, Leurent and Peyrin were able to show that SHA-1 should not be used for digital signatures, either.
“Using our SHA-1 chosen-prefix collision, we have created two PGP keys with different UserIDs and colliding certificates: key B is a legitimate key for Bob (to be signed by the Web of Trust), but the signature can be transferred to key A which is a forged key with Alice’s ID. The signature will still be valid because of the collision, but Bob controls key A with the name of Alice, and signed by a third party. Therefore, he can impersonate Alice and sign any document in her name,” the researchers said.
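To make the difference between an identical-prefix and a chosen-prefix collision concrete, and to show the certification transfer the researchers describe, here is an added example that is not code from the paper or from GnuPG. It shrinks the problem to a toy Merkle-Damgard hash with a 32-bit chaining value so the chosen-prefix step can be found by a birthday search; the real attack does the same step against SHA-1's 160-bit state with cryptanalysis and months of GPU time. The key layout, the user IDs, the `junk` field that hides the collision blocks, the `certify`/`verify` functions and the HMAC stand-in for the certifier's public-key signature are all constructed for this example.

```python
"""Toy chosen-prefix collision with PGP-style certification transfer.

Added example, not code from Leurent and Peyrin or GnuPG. The hash is a
Merkle-Damgard construction like SHA-1 but with a 32-bit chaining value, so
the chosen-prefix step falls to a birthday search in under a second; against
SHA-1's 160-bit state that step is the cryptanalysis the paper describes.
"""
import hashlib
import hmac

BLOCK = 8        # toy block size in bytes (SHA-1 uses 64)
STATE = 4        # toy chaining value in bytes (SHA-1 uses 20)
IV = bytes(STATE)


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: SHA-256(state || block) truncated to STATE bytes."""
    return hashlib.sha256(state + block).digest()[:STATE]


def absorb(msg: bytes, state: bytes = IV) -> bytes:
    """Chaining value after processing whole blocks of msg (no padding)."""
    assert len(msg) % BLOCK == 0
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state


def toy_hash(msg: bytes) -> bytes:
    """Full digest: MD padding (0x80, zeros, 64-bit bit length), then absorb."""
    padded = msg + b"\x80"
    padded += bytes(-len(padded) % BLOCK)
    return absorb(padded + (len(msg) * 8).to_bytes(BLOCK, "big"))


def align(prefix_a: bytes, prefix_b: bytes):
    """Zero-fill both prefixes to the same block boundary: the padding block
    encodes the total length, so the two final messages must be equal-length
    or the colliding chaining value is lost in the last block."""
    n = -(-max(len(prefix_a), len(prefix_b)) // BLOCK) * BLOCK
    return prefix_a.ljust(n, b"\x00"), prefix_b.ljust(n, b"\x00")


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes, table_size: int = 1 << 17):
    """Return (prefix_a' || X_a, prefix_b' || X_b) whose chaining values match.

    Unlike an identical-prefix collision (SHAttered), both prefixes are chosen
    independently; the search only has to bridge the two different chaining
    values they leave. Here that bridge is one block found by birthday search.
    """
    pa, pb = align(prefix_a, prefix_b)
    if pa == pb:
        raise ValueError("prefixes must differ")
    sa, sb = absorb(pa), absorb(pb)
    table = {}
    for i in range(table_size):                 # side A: tabulate candidate states
        blk = i.to_bytes(BLOCK, "big")
        table[compress(sa, blk)] = blk
    i = 0
    while True:                                 # side B: search until a state matches
        blk = i.to_bytes(BLOCK, "big")
        hit = table.get(compress(sb, blk))
        if hit is not None:
            return pa + hit, pb + blk
        i += 1


def certify(signer_secret: bytes, key_blob: bytes) -> bytes:
    """Third-party certification over the digest of (key material || user ID).
    HMAC stands in for a public-key signature: the signature commits to the
    digest only, never to the bytes behind it."""
    return hmac.new(signer_secret, toy_hash(key_blob), hashlib.sha256).digest()


def verify(signer_secret: bytes, key_blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(certify(signer_secret, key_blob), sig)


def forge_scenario() -> dict:
    """Bob has key B certified and transfers that certification to forged key A.
    Field names, user IDs and the 'junk' field are constructed for this example;
    the collision blocks sit in a field that is hashed but never interpreted,
    which is how the paper hides them (an image attribute, an RSA modulus)."""
    bob_key = b"pubkey=BOB-KEY-MATERIAL;"
    prefix_b = bob_key + b"uid=Bob <bob@example.org>;junk="
    prefix_a = bob_key + b"uid=Alice <alice@example.org>;junk="
    blob_a, blob_b = chosen_prefix_collision(prefix_a, prefix_b)
    trailer = b";sigtype=0x13;created=2020-01-07"   # hashed trailer common to both
    key_a, key_b = blob_a + trailer, blob_b + trailer

    certifier_secret = b"web-of-trust-certifier"  # constructed stand-in for the signer's key
    sig_on_b = certify(certifier_secret, key_b)   # legitimate: Bob's key, Bob's UID
    return {
        "distinct_keys": key_a != key_b,
        "same_digest": toy_hash(key_a) == toy_hash(key_b),
        "signature_transfers": verify(certifier_secret, key_a, sig_on_b),
    }


if __name__ == "__main__":
    print(forge_scenario())   # all three True
```

Two details of the toy carry over to the real attack. First, once the chaining values match, every identical suffix (here the signature trailer) keeps the digests equal, which is what lets the forged key carry the same hashed signature metadata as the legitimate one. Second, the final padding block encodes the message length, so the two colliding messages must be the same length; the `align` step handles that here, and the paper has to arrange it in the OpenPGP packet layout.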
For many individual users, the new collision likely won’t have any practical effect, as the major browsers have already moved on from SHA-1, as have the major certificate authorities. However, the research does have implications for PGP users because PGP keys could be forged under some circumstances. And any CA still issuing SHA-1 certificates with predictable serial numbers would also be exposed: the attacker has to know the exact to-be-signed prefix (serial number, validity dates and so on) before computing the collision, which is exactly what random serial numbers prevent.
"Currently, the concrete impact is mostly for people who use the PGP web of trust. If they trust SHA-1 signatures, an attacker could impersonate their contacts," Leurent said.
"However, if there are still some automated systems (such as system updates) accepting and issuing SHA-1 certificates (either PGP certificates, or X.509 certificates issued with predictable serial numbers), this could become a more dangerous attack vector," he said.
Leurent and Peyrin notified the developers of GnuPG and OpenSSL of their findings. GnuPG has already implemented a countermeasure (version 2.2.18 rejects SHA-1 based third-party key certifications created after January 19, 2019), while OpenSSL’s developers are considering removing support for SHA-1.
This story was updated on Jan. 8 to add comments from Leurent.