Microsoft plans St Valentine's Day massacre for SHA‑1

End of the line for weak hash as web giants finally act

gun

The death knell for the SHA‑1 cryptographic hash function will echo around the web now that all the main browser builders have decided to cut off support – only 12 years after its flaws were first discovered.

On Friday, Mozilla and Microsoft both announced that support for SHA‑1 in HTTPS certificates would be dropped – Moz with build 51 of Firefox in January and Microsoft on February 14 for its Edge and Internet Explorer 11 browsers. Google has already said Chrome will shun SHA‑1-signed SSL/TLS certs from build 56, due out by the end of January.

"The SHA-1 hash algorithm is no longer secure. Weaknesses in SHA‑1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web," Redmond said. "Though we strongly discourage it, users will have the option to ignore the error and continue to the website."

SHA-1 will still hang around, like a fart in a spacesuit, for many years to come because some people are lazy enough not to make the change. The delays have been driving some of the tech community up the wall, given that SHA‑1 was proven to be deeply flawed back in 2005 and has been getting progressively more insecure since then.

The hash algorithm was published in 1993 as SHA‑0 by the US National Institute of Standards and Technology (NIST). Researchers at the National Security Agency did some tweaking to its compression function and turned out SHA‑1 two years later. It was made mandatory for all US government crypto-code and became a default standard.

It was a decade before researchers realized there were potential problems. In 2005, Xiaoyun Wang and Hongbo Yu from Shandong University and Yiqun Lisa Yin from Princeton University published a paper showing it was possible to find collisions (two messages that hash to the same hash value) in 269 operations, and possibly as low as 233 – not the 280 operations first envisaged.

This was worrying, but not necessarily fatal – it would still take an enormous amount of computing power to defeat, although nowhere near as much as first thought. But as time went on, computing power increased and the advent of virtualization made more processing available to anyone with a credit card. It became clear that decryption times would drop.

The number of operations needed to cause a collision continued to decrease and remained largely theoretical. Nevertheless, NIST recommended that government users upgrade to SHA‑2 (the hash published ten years earlier) as early as 2012, but there were plenty of hold-outs, even in the US military.

In 2015, a paper (dubbed The ShAppening) published by Marc Stevens of the Dutch research institute Centrum Wiskunde, with Pierre Karpman and Thomas Peyrin from Singapore's Nanyang Technological University, showed you could break SHA‑1 with just $75,000 of compute power.

This finally got the industry to remove its collective digit and start setting some decent security standards. It has taken them long enough, and now it's time to find the laggards and get them fixed. ®


Biting the hand that feeds IT © 1998–2017