New 'Shambles' Attack Against SHA-1 Shows It’s Finally Time to Ditch It



A new collision attack against the SHA-1 hash function shows that SHA-1 attacks are getting significantly cheaper with each passing year and that it should no longer be used for software security. The new attack puts PGP and other software that uses SHA-1 in their authentication schemes at risk of being compromised.

From Shatters to Shambles

The first theoretical collision attack against SHA-1 was demonstrated back in 2005, but it was considered impractical due to the amount of resources it required.

In 2017, a team of Google security experts demonstrated the first practical attack against SHA-1, called “SHAttered.” Carrying out the attack cost $110,000 in rented cloud compute resources, much less than people expected at the time.

However, Google’s attack still wasn’t all that practical, because an attacker had no control over what data collided. A more useful attack is a “chosen-prefix” collision, in which the attacker picks the beginning of both colliding messages, such as a name or other identity-relevant information from a digital certificate. That could allow an attacker to forge a similar certificate with different identity data, as well as any other type of document that would normally be protected against forgery by a SHA-1 signature.
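To make concrete why a chosen-prefix collision translates into a forged signature, here is an added Python example (not code from the article or from the Shambles researchers). Signature schemes sign the digest of a document, not the document itself, so any second document with the same digest verifies under the original signature. The example builds two documents from two attacker-chosen prefixes, searches for suffixes that collide, and checks that a signature issued over the first document also verifies over the second. Assumptions: the digest is a toy 16-bit truncation of SHA-1 so that a plain birthday search finds a collision in a few hundred tries (the real SHAttered and Shambles attacks instead exploit cryptanalytic weaknesses in full SHA-1, which this example does not reproduce), and the “signer” is an HMAC over the digest standing in for a real private-key signature; both the key and the certificate-like prefixes are constructed sample values. The same search against a full SHA-256 digest finds nothing within its budget.

```python
import hashlib
import hmac


def toy_digest(data: bytes) -> bytes:
    """Constructed toy digest: first 2 bytes (16 bits) of SHA-1.
    Truncation is only so the generic search below finishes instantly."""
    return hashlib.sha1(data).digest()[:2]


def sha256_digest(data: bytes) -> bytes:
    """Full-strength digest used for contrast."""
    return hashlib.sha256(data).digest()


# Constructed stand-in for a signer's private key. Real signatures (RSA, ECDSA,
# OpenPGP) are likewise computed over the digest, which is the point shown here.
SIGNER_KEY = b"constructed-demo-signer-key"


def sign(digest_fn, message: bytes) -> bytes:
    """Signature over digest_fn(message) only; the message body is never seen."""
    return hmac.new(SIGNER_KEY, digest_fn(message), "sha256").digest()


def verify(digest_fn, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(digest_fn, message), signature)


def find_chosen_prefix_collision(digest_fn, prefix_a: bytes, prefix_b: bytes,
                                 max_tries: int = 1 << 20):
    """Generic birthday search: append counters to both chosen prefixes until
    a document from each side shares a digest. Returns (doc_a, doc_b) or None
    when the budget is exhausted."""
    seen_a, seen_b = {}, {}
    for i in range(max_tries):
        suffix = i.to_bytes(4, "big")
        doc_a, doc_b = prefix_a + suffix, prefix_b + suffix
        ha, hb = digest_fn(doc_a), digest_fn(doc_b)
        if ha == hb:
            return doc_a, doc_b
        if ha in seen_b:
            return doc_a, seen_b[ha]
        if hb in seen_a:
            return seen_a[hb], doc_b
        seen_a[ha], seen_b[hb] = doc_a, doc_b
    return None


def run_demo() -> dict:
    """Constructed certificate-like prefixes with different identity data."""
    prefix_a = b"Certificate: CN=alice.example; role=user;"
    prefix_b = b"Certificate: CN=mallory.example; role=user;"

    result = {}

    # Weak digest: the collision exists, and the signature issued over doc_a
    # verifies over doc_b, although the two documents differ.
    pair = find_chosen_prefix_collision(toy_digest, prefix_a, prefix_b)
    doc_a, doc_b = pair
    sig = sign(toy_digest, doc_a)
    result["toy_collision_found"] = True
    result["toy_signature_transfers"] = (doc_a != doc_b) and verify(toy_digest, doc_b, sig)

    # Strong digest: same search, same budget order of magnitude, no collision,
    # so a signature over doc_a stays bound to doc_a.
    pair256 = find_chosen_prefix_collision(sha256_digest, prefix_a, prefix_b, max_tries=4096)
    result["sha256_collision_found"] = pair256 is not None
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The search is deterministic, so re-running it reproduces the same colliding pair. The takeaway for verifiers is that nothing in `verify` can tell the forged document from the genuine one; the only defence is a digest for which such pairs cannot be produced, which is why the digest choice, not the signature algorithm around it, is what the attack breaks.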

Such an attack was recently revealed by a team of researchers from France and Singapore and was called “Shambles,” mainly to emphasize the fact that there’s no saving SHA-1 and that everyone should stop using it. 

Chosen-Prefix Collision Attacks Getting Much Cheaper, Too

The researchers were able to create a chosen-prefix collision attack for $74,000 when they did their research earlier last year. However, they noted that with further optimization to their software and by taking advantage of lower-priced hardware that has appeared on the market since then, the attack should now cost around $45,000. 

By 2025, they predict it should cost about $10,000. The researchers noted that classic collision attacks such as SHAttered already cost about $11,000.

Over the past few years, many OS and browser vendors, including Google and Microsoft, have started to deprecate support for the SHA-1 algorithm as new attacks were either discovered or predicted against it. 

This latest attack may put a nail in SHA-1’s coffin, as it makes it that much more obvious that SHA-1 is no longer acceptable for use in software security. PGP communications are most at risk from the newly disclosed collision attack, as well-funded adversaries could now impersonate anyone whose PGP signatures were created using the SHA-1 algorithm.

Once More, With Feeling: SHA-1 Is No Longer Secure

In case it wasn’t clear enough that nobody should use SHA-1 anymore for software security, the researchers also made this recommendation explicit in their paper:

“This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function.

Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks.”

Continuing to use SHA-1 in software puts users and customers of software platforms at risk of forged documents and stolen private information. The researchers recommended switching to SHA-2 or stronger alternatives.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.