The decline of SHA-1 certificate is set to be accelerated by Microsoft. A recent announcement on the MS WIndows website details how, while Windows was set to block SHA-1 signed TSL certificates as of the first of January 2017, the computer giant has decided to speed up that process to June 2016.
This decision, in part, was taken off the back of the publication of new research by an international team of crypto-analysts that showed SHA-1's heightened vulnerability
SHA-1 is a cryptographic tool used in a variety of things including website signing, secure credit card transactions, electronic banking and is used as wide and as far afield as the Nintendo-Wii.
Created in 1995, the SHA-1's decline has been a long time coming. Proven to be theoretically crackable since 2005, certain departments of the US government urged employees to stop using it as far back as 2006.
The killing blow was struck, according to Window's own account, by the findings of an international research project released last month. Named the SHAppening, after the high profile leaks of intimate celebrity photos showed just how easy it is to break through SHA-1's full inner layer. The researchers predicted that those with malicious intent would soon be able to fake SHA-1 digital signatures, allowing them to certificate dangerous malware and allow it to parade as legitimate software or users on a large scale.
The importance of this development is shown in sharp relief by looking at how much harder it was to fake those signatures just a couple of years ago. In 2012, security expert, Bruce Schneier noted that SHA-1 would be crackable for around US $700,000 (apx £460,000) in 2015, which would then decrease to US$173,000 (£115,000) in 2018. While possible for criminal syndicates to perform, it was often considered prohibitively expensive. The SHAppening research however showed that using a freestart collision attack on SHA-1's compression function would allow potential attackers to perform attacks for much less than initially estimated. Using modern graphics cards, the researchers estimate that attacker could carry out this kind of attack for between US $75,000 and US $120,000 (£50,000 to £80,000) ; not only are attacks cheaper than expected, they're cheaper sooner than they were expected, implying SHA-1 is already widely vulnerable.
Marc Stevens, part-author of the SHAppening and a researcher at CWI, a Netherlands-based research centre spoke to SCmagazineUK.com. He said that “our new estimations significantly lower the resources needed to break SHA-1, implying it is in principle already within the resources of criminal syndicates today. Though even with low attack costs, there are still significant hurdles to actually abuse SHA-1 attacks. Nevertheless we advise the industry to stop playing with fire and simply to migrate to SHA-2 as soon as possible.”
There have been no reported attacks on, SHA-1's successor SHA-2. Stevens assured SC that “SHA-2 is secure: it has a significantly improved design over SHA-1 and is not vulnerable to current cryptanalytic techniques.” While SHA-1 only has 160-bit output size, SHA-2 has a 256-bit output size.
This development comes quickly after Mozilla, the manufacturers of the widely-used browser FireFox, announced a similar intention to start blocking SHA-1 sooner rather than later. The company stated in a late-october blog post “In light of recent attacks on SHA-1, we are also considering the feasibility of having a cut-off date as early as July 1, 2016.”
Microsoft noted on its announcement that it would “continue to coordinate with other browser vendors to evaluate the impacts of this timeline based on telemetry and current projections for feasibility for SHA-1 collisions.”