SHA-1 is still a commonly used hashing algorithm for internal network encryption, despite the fact that it has long been deprecated for external use by all major browser makers. And there’s a good reason for that — the browser makers’ actions, SHA-1, has been demonstrated to be pretty weak over the past few years. The standard was first published in 1995, and cryptographic algorithms are seldom strong after 24 years.
“While browsers have not trusted publicly issued TLS certificates using SHA-1 since 2017, they have still supported SHA-1 certificates issued by private CAs inside of enterprises. This was possible since previously SHA-1 deprecation only applied to certificates issued from a root Certification Authority included in the operating system default trust store. Unfortunately, it’s very common for organizations to use private CAs issue SHA-1 certificates—public distrust of SHA-1 certificates was always just the tip of the iceberg.”
Why is it a bad idea for enterprises to continue to us SHA-1? A series of SHA-1 attacks started in 2005. But the first major dent in SHA-1’s armor was “The Shappening” in October 2015. Thomas Peyrin, Marc Stevens, and Pierre Karpman debuted a collision attack on SHA-1’s compression function that requires a mere 257 SHA-1 evaluations. In 2010, Marc Stevens had to spend nearly $3 million USD (from a research budget, not his own money) on cloud CPUs for HashClash. But “The Shappening” was an improved technique that made SHA-1 seem weaker than ever. From their findings:
“We recommend that SHA-1 based signatures should be marked as unsafe much sooner than prescribed by current international policy. Even though freestart collisions do not directly lead to actual collisions for SHA-1, in our case, the experimental data we obtained in the process enable significantly more accurate projections on the real-world cost of actual collisions for SHA-1, compared to previous projections. Concretely, we estimate the SHA-1 collision cost today (i.e., Fall 2015) between $75,000 and $120,000 renting Amazon EC2 cloud computing over a few months. By contrast, security expert Bruce Schneier previously projected (based on calculations from Jesse Walker) the SHA-1 collision cost to be about $173,000 by 2018. Note that he deems this to be within the resources of a criminal syndicate.”
Then there was CWI (Centrum Wiskunde & Informatica) and Google’s SHAttered in February 2017. It really… broke stuff.
“It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.
For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.”
By the beginning of 2017, web browser support for SHA-1 was dropping faster than horse-drawn carriage demand in the early 20th century. Mozilla dropped SHA-1 support in Firefox 51and Google dropped SHA-1 support in Chrome 56, both in January of that year. A few months later, Microsoft dropped SHA-1 support in both Edge and Internet Explorer. That was a very good thing.
Microsoft is making sure that all deployments of their operating systems, even their legacy operating systems, must support SHA-2 code signing by July 16, 2019, rendering SHA-1 completely obsolete. Many organizations still deploy SHA-1 internally, so Microsoft’s move should have a noticeable effect.
“To protect your security, Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to authenticate that updates come directly from Microsoft and were not tampered with during delivery. Due to weaknesses in the SHA-1 algorithm and to align to industry standards Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively.
Customers running legacy OS versions (Windows 7 SP1, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2) will be required to have SHA-2 code signing support installed on their devices by July 2019. Any devices without SHA-2 support will not be offered Windows updates after July 2019. To help prepare you for this change, we will release support for SHA-2 signing in 2019. Windows Server Update Services (WSUS) 3.0 SP2 will receive SHA-2 support to properly deliver SHA-2 signed updates. Refer to the Product Updates section for the migration timeline.”
On June 5th, Apple announced a number of new TLS certificate requirements for iOS 15 and macOS 10.15, including dropping SHA-1 support. “TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.”
Mark Miller says: “Apple is being very clear in this bulletin about what supported vs. not supported means. The decision to deprecate could mean anything from preventing the user from visiting a site with a deprecated certificate all the way to: we’re going to warn you and it is unsafe but you can still do it. Unfortunately, there are plenty of places still messing around with SHA-1; even worse there plenty of sites that still don’t utilize TLS/SSL at all. It is well past time to always use the strongest reasonable encryption available to demonstrate trust in who you are.”
Michael Thelander says: “This is an important step that will keep end users from shooting themselves in the figurative foot by clicking ‘trust anyway’ when the see certificate warning errors. The better news is that the latest bulletin is that Apple has redefined TLS security: they’ve defined stronger and longer key sizes; they’ve restated the need for SHA-2 or higher; they’ve defined trusted usage of DNS server names in the certificate fields. In addition, they defined new trust guidelines around key usage and validity periods that take effect July 1 of this year. These steps mean Apple sees validity in Gartner’s claim that ‘70% of all attacks will use SSL’ by next year and are being proactive in their response.”
And Kevin Bocek adds: “The new OSX and iOS updates will now no longer accept even internally issued certificates using SHA-1; this is a great reminder that organizations need to be agile enough to update certificates or CAs when necessary. While it may sound like a very basic capability, most organizations don’t have the visibility or automation necessary to find and replace SHA-1 certificates easily.”
So, those in the know about cryptography and machine identities have made it clear. We all must say goodbye to SHA-1 and removing it from all of our deployed technologies is worth the effort right now, whatever the challenges may be. Sayonara!