Vulnerability in SHA-1 proven

23 February 2017

That SHA-1 certificates are vulnerable to impersonation in theory is nothing new. Back in 2014, shifting to the newer SHA-2 algorithm was already being encouraged. Today, a Dutch researcher cracked SHA-1 in practice.

What does this mean?

After years of research, Dutch researcher Marc Stevens of CWI Amsterdam (Research Institute for Mathematics and Computer Science) cracked the SHA-1 algorithm in practice. For this, Google allowed him to run 9.2 trillion calculations on its servers. The process took months, but it proved that SHA-1 is crackable in practice.

Good hash functions distinguish themselves by having a very low chance of producing the same hash for two inputs. A hash works like a fingerprint: it should be unique to its input, so that the same hash is never given out twice. Stevens managed to give two PDF files the same fingerprint, which means SHA-1 has been cracked in practice.

What is SHA-1?

Certificate authorities generate SSL certificates and sign them digitally. Several algorithms are available for signing a certificate, among them SHA-1 and SHA-2. Weaknesses and vulnerabilities had been found in the SHA-1 algorithm, which is why the National Institute of Standards and Technology (NIST) has advised signing certificates with SHA-2 since 2014. Certificate authorities no longer provide SSL certificates signed with SHA-1, and browsers no longer support older certificates that were signed using this weak algorithm.

What’s going to happen to SHA-1?

Although SHA-1 hasn’t been supported for a long time, certificates signed using SHA-1 are still in circulation to this day. According to Netcraft statistics, about 135,000 SHA-1 certificates were in use in January 2017. Unfortunately, it is mostly older systems that are not compatible with SHA-2, which forces them to use the unsafe alternative SHA-1. This research proves that switching to a newer and safer alternative is urgent. Are you still using a SHA-1 certificate? Make sure to get it replaced with a SHA-2 certificate free of charge.
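One way to answer that question for a certificate file, as an added example that is not part of the original article: the code reads the signatureAlgorithm field of a DER-encoded X.509 certificate and reports whether the signature hashes with SHA-1. The function names are illustrative, and the sample certificate is a constructed skeleton with a placeholder body and signature.

```python
import base64

# DER-encoded OIDs of certificate signature algorithms that hash with SHA-1.
SHA1_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a8648ce3d0401"): "ecdsa-with-SHA1",
    bytes.fromhex("2a8648ce380403"): "dsa-with-sha1",
}
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def sha1_signature(der):
    """Name of the SHA-1 signature algorithm on the certificate, or None."""
    tag, body, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(der, body)    # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, alg)   # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    return SHA1_SIG_OIDS.get(der[start:end])

def pem_to_der(pem):
    """Strip the PEM armour lines and decode the base64 body."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def tlv(tag, content):
    """Encode one DER element (used only to build the sample below)."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(sig_oid):
    """Constructed skeleton: placeholder body and signature, real layout."""
    alg = tlv(0x30, tlv(0x06, sig_oid) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, bytes(200)) + alg + tlv(0x03, bytes(33)))
```

For a real certificate, pass the file contents through pem_to_der first; a return value other than None means the certificate should be reissued with a SHA-2 signature.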

More information can be found at https://shattered.io/
