Dev writes Ethereum code for insecure SHA-1 crypto hash function

Interaction with legacy systems but not all think it's a good idea

Weapon of the information wars from Shutterstock

Using Ethereum's programming language Solidity, a dev has controversially written code for making data authentication signatures with the insecure SHA-1 cryptographic hash function.

Nick Johnson, the London-based Ethereum developer who authored the code, told The Register: "SHA1 is still used by a lot of legacy systems, including many SSL/TLS certificates, parts of DNSSEC, and Git. Being able to verify hashes produced in those systems lets us interact with them on the Ethereum blockchain."

But not all agree that's a good idea. University College London postdoctoral blockchain researcher Patrick McCorry told The Register: "This comes down to a security vs compatibility argument.

"Attacks only get better and we as a community should do our best to move away from broken algorithms." But he conceded that "many protocols in the web still rely on SHA-1 and this works OK because the cost (and time) to find a collision is still absurdly high".

The US National Security Agency and National Institute of Standards and Technology came up with the basic algorithms for making the SHA-1 signatures in the 90s. They're widely used for proving that data – from software code to emails and website certificates – hasn't been altered.

But in February, researchers found a way to change a PDF and leave its SHA-1 signature the same – a "collision" – which means SHA-1 is now essentially useless for proving documents haven't been altered.

An issue was opened in November 2016 on the Ethereum GitHub repo for a precompiled contract for the SHA-1 hashing algorithm, in order to verify different services on-chain at lower cost than running it on the network.

Johnson admitted: "SHA-1 should definitely not be used for new applications. There are a lot of existing systems out there that use it, however, and it's useful to be able to interact with those systems without waiting for them to upgrade to a newer hash function that is supported by Ethereum."

While it boasts a decentralised system for running applications from video games to digital ledgers with a little bit of extra privacy than everyday apps, Ethereum is certainly not watertight. The network rolled back its ledger to undo a $50m heist in 2016 and a hackathon just last month found a few new ways for writing malicious smart contracts that can steal funds.

"If we want contracts that are compatible with existing (and legacy) infrastructure then it needs to be supported," McCorry said. ®


Biting the hand that feeds IT © 1998–2017