
I went to Qualys SSL Labs and tested one web site. One of the findings says the site is signed with the weak algorithm SHA1withRSA, and I did some research; all are saying we should change to SHA-2. May I know if SHA-1 has really been hacked, cracked or exploited yet to warrant a change to SHA-2?

Thanks

Pang Ser Lark
  • The accepted answer (by Tom Leek) was accurate for 2015. As of 2017, SHA-1 collision attacks are possible (see my answer below) – Aaron Feb 23 '17 at 16:42
  • As this question is on Google's first page and I don't have enough points to post a comment, I'm posting an update answer as SHA-1 has just recently been broken by Google: http://www.theverge.com/2017/2/23/14712118/google-sha1-collision-broken-web-encryption-shattered – viniciusmunich Mar 03 '17 at 06:39

5 Answers


As of 2017, SHA-1 should no longer be considered secure. Google and Marc Stevens' group at CWI reported success with collision attacks against the full, non-reduced-round SHA-1, based on Stevens' more limited 2015 results referenced in Nicola Miotto's answer. For the Google announcement, click here.

This does not mean SHA-1 is fully broken, but just compromised. There are three types of attacks on hash algorithms, in order of increasing difficulty/complexity:

  1. Collision Attack: Find any two distinct inputs x and x' that hash to the same output: h(x) = h(x').

  2. Second Preimage Attack: Given some input x and its hash value h(x), find another input x' that also hashes to h(x); i.e. h(x) = h(x')

  3. First Preimage Attack: Given a hash value y, find an input x such that x hashes to y: h(x) = y.

The findings only report success with the first scenario. Collision attacks allow an attacker to present two different files as having the same hash signature, thus pretending that they are the same file. This attack has limited utility, and cannot, for example, be used to decrypt SSL/TLS traffic or reverse hashed passwords into their plaintext equivalents. However, if CAs are not careful to add randomness, as was required after MD5 was similarly broken for collisions, an attacker might be able to alter a valid certificate to a different identity and/or rights and thereby forge certificates and/or signatures and, if they can also MitM traffic, impersonate SSL/TLS servers.

Aaron

No actual break involving SHA-1 and using a structural weakness of SHA-1 has been currently fully demonstrated in academic conditions, let alone in the wild.

The best we have right now is a theoretical collision attack that should allow an attacker to compute a SHA-1 collision with effort "about 2^61", which is huge but still substantially less than the 2^80 resistance expected from a "perfect" hash function with 160-bit output. While 2^61 is within reach of existing technology, it is too expensive for even rich universities to casually indulge in that kind of experiment. So no actual collision has been produced yet. Moreover, for a practical attacker, computing a collision rarely grants a lot of power -- the attacker must usually compute a collision with some degree of control on the contents of the colliding messages, which may be harder (or not).

Another parameter is that even if SHA-1 is perfect, its output size (160 bits) implies a maximum bound on its collision resistance at about 2^80, which is half a million times 2^61 (so quite a bit more expensive), but at the same time not ultimately expensive. A 2^80 computation can be envisioned with existing technology and resources available on Earth, without needing to invoke some sci-fi stuff or breaking the laws of physics.

Since switching algorithms in deployed applications takes a lot of time (hey, we are still trying to get people to stop using SSL 3.0 and instead go to TLS 1.0, more than 15 years after TLS 1.0 was published), we'd better get it going now, so that SHA-1 is really phased out when technology has improved to the point that the 2^80 effort has become feasible in practice.

Tom Leek
  • Thank you for the detailed answer. Guess I will purchase new certs with SHA2 signing in the future. I will in the meantime use the reasons here to justify staying on SHA-1. – Pang Ser Lark Apr 23 '15 at 00:09
  • A compelling reason for switching to SHA-256 for _certificates_ is that some modern browsers (especially Chrome) are beginning to emit warnings when they see SHA-1 used in the signature of a certificate. Regardless of whether SHA-1 is weak or not, using it incurs the risk of scaring users away (especially when users are _prospective customers_). – Tom Leek Apr 23 '15 at 12:49
  • It also now appears that Apple is disallowing SHA-1. By default, when an iOS 9 (still in beta) application connects to a web server, it will fail the connection if SHA-1 is used. – Daniel Aug 05 '15 at 00:11
  • @TomLeek - could you consider updating your answer with respect to 2017? – Rory Alsop Mar 03 '17 at 08:37
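Aaron's list of the three attack classes and Tom Leek's 2^61 versus 2^80 figures are easier to feel than to read about. The Python script below is an added example, not code from either answer or from the SHAttered project: it truncates SHA-1 to a toy width so that the searches finish in under a second, finds a collision by the birthday method (expected cost about 2^(n/2)), then runs a second-preimage search against the same toy hash (expected cost 2^n) so the gap between the two attack classes is visible, and finally puts the colliding pair into a small content-addressed store to show what "pretending that they are the same file" means for software that deduplicates by hash. The message format, the 24- and 16-bit widths and the store class are constructed for the demonstration; only hashlib.sha1 is real.

```python
"""Toy-scale demonstration of the three attack classes and the birthday bound.

Added example. SHA-1 is truncated to n bits so the searches finish quickly;
the costs scale as 2^(n/2) for a collision and 2^n for a (second) preimage,
which is why a 160-bit hash is said to give 2^80 collision resistance.
"""
import hashlib
import math


def msg(i: int) -> bytes:
    """Deterministic candidate message number i (constructed sample input)."""
    return b"shattered-toy-%d" % i


def h(data: bytes, n_bits: int) -> int:
    """SHA-1 truncated to its first n_bits bits. n_bits=160 is full SHA-1."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - n_bits)


def find_collision(n_bits: int):
    """Birthday search: hash distinct messages until two share a value.
    Returns (m1, m2, tries); expected tries ~ sqrt(pi/2 * 2^n_bits)."""
    seen = {}
    i = 0
    while True:
        m = msg(i)
        v = h(m, n_bits)
        if v in seen:                        # seen[v] is a different message
            return seen[v], m, i + 1
        seen[v] = m
        i += 1


def find_second_preimage(target: bytes, n_bits: int, max_tries: int = 1 << 22):
    """Given target, find a different message with the same truncated hash.
    Expected tries ~ 2^n_bits; returns (match or None, tries)."""
    want = h(target, n_bits)
    for i in range(max_tries):
        m = b"second-" + msg(i)              # separate namespace, never equals target
        if h(m, n_bits) == want:
            return m, i + 1
    return None, max_tries


def expected_work(n_bits: int) -> dict:
    """Generic-attack costs for an ideal n-bit hash (no structural weakness)."""
    return {"collision": math.sqrt(math.pi / 2 * 2 ** n_bits), "preimage": 2 ** n_bits}


class ContentStore:
    """Content-addressed blob store keyed by the toy hash (the pattern behind
    deduplicating repositories; constructed model, not any real system).
    Two colliding files are treated as one file: the second writer's bytes
    are silently discarded."""

    def __init__(self, n_bits: int):
        self.n_bits = n_bits
        self.blobs = {}

    def put(self, data: bytes) -> int:
        key = h(data, self.n_bits)
        self.blobs.setdefault(key, data)     # first writer wins
        return key

    def get(self, key: int) -> bytes:
        return self.blobs[key]


if __name__ == "__main__":
    a, b, c_tries = find_collision(24)
    print("24-bit collision after %d tries: %r / %r" % (c_tries, a, b))
    print("full SHA-1 still differs:", h(a, 160) != h(b, 160))
    m2, p_tries = find_second_preimage(msg(0), 16)
    print("16-bit second preimage after %d tries: %r" % (p_tries, m2))
    store = ContentStore(24)
    store.put(a)
    print("store hands back the first file when asked for the second:", store.get(store.put(b)) == a)
    w = expected_work(160)
    print("ideal 160-bit hash: collision ~2^%.1f, preimage 2^160" % math.log2(w["collision"]))
```

Run it directly to see the counts: expect a few thousand tries for the 24-bit collision and on the order of 65,000 for the 16-bit second preimage, the same 2^(n/2) versus 2^n ratio that makes 2^80 the generic ceiling for full SHA-1. A structural attack such as the one Tom Leek describes is what pulls the collision cost below that generic bound, and Aaron's point that "the findings only report success with the first scenario" is exactly the distinction the two searches illustrate.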

According to recent findings, a SHA-1 collision is not a simple theory anymore. Take a look at the paper and the website. As stated in the slashdot post:

    Researchers from Dutch and Singapore universities have successfully carried out an initial attack on the SHA-1 hashing algorithm by finding a collision at the SHA1 compression function

They estimate the SHA-1 collision cost at between $75K and $120K with a few months of computation on EC2. Maybe it's time to update.

Nicola Miotto
  • Are you sure? I've taken a 500 GB volume, divided it by 512 bytes and taken SHA-1 hashes of each block. It took about 20 minutes with a simple AMD CPU. Not even an ASIC. Let's imagine I have an operator's gateway and an ASIC. A simple tech sheet shows that I can take at least 2 GH/s. – ETech Mar 03 '17 at 07:56

Yes, here are two different files with the same SHA1 hash: shattered-1.pdf and shattered-2.pdf.

$:~/Documents$ md5sum shattered-*
ee4aa52b139d925f8d8884402b0a750c  shattered-1.pdf
5bd9d8cabc46041579a311230539b8d1  shattered-2.pdf
$:~/Documents$ sha1sum shattered-*
38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-1.pdf
38762cf7f55934b34d179ae6a4c80cadccbb7f0a  shattered-2.pdf
user140242

This is 2017. A collision and a means of generating it are now available. You can download two different PDFs with the same SHA1 and prove it to yourself.

Apache SVN has an issue where two files with the same SHA1 will cause corruption, says this Ars Technica article.

Tom Hale
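The question started from a scanner report that a site's certificate is signed with SHA1withRSA, and Tom Leek's comment explains why certificates were the first place the change had to happen. The Python script below is an added example, not from any poster and not how Qualys SSL Labs implements its check: using only the standard library, it walks the certificate's DER, reads the signatureAlgorithm OID and names it, flags MD5- and SHA-1-based algorithms, checks that the algorithm repeated inside tbsCertificate equals the outer one (RFC 5280 requires this), and reports the serial number length, the field where Aaron's answer says CAs are expected to add randomness. Because no real certificate can be embedded here, the script builds a skeletal, certificate-shaped DER object for its offline run; that object is a constructed fixture and not a valid certificate. The OID table, the weak-digest set and the fixture builder are mine; a real certificate's PEM text can be fed through load_pem() instead.

```python
"""Report the signatureAlgorithm of an X.509 certificate from its DER bytes (stdlib only).
Added example; the sample built below is a constructed, certificate-shaped fixture, not a real certificate."""
import base64

# Common signatureAlgorithm OIDs (RFC 3279, RFC 4055, RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_DIGESTS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}

def der_read(buf: bytes, pos: int = 0):
    """One DER TLV at pos -> (tag, content, next_pos). Single-byte tags, which is all X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content: bytes):
    """Split SEQUENCE/SET content into its child (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out

def decode_oid(body: bytes) -> str:
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                             # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_certificate(cert_der: bytes) -> dict:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    The algorithm repeated inside tbsCertificate must equal the outer one (RFC 5280 4.1.2.3)."""
    tag, body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input? use load_pem() first)")
    tbs, sig_alg, _sig_value = der_children(body)
    outer_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                            # version is [0] EXPLICIT and optional
        fields = fields[1:]
    serial, inner_alg = fields[0][1], fields[1]
    inner_oid = decode_oid(der_children(inner_alg[1])[0][1])
    pad = 1 if serial[0] == 0 else 0                    # DER pads a positive INTEGER whose top bit is set
    name = SIGNATURE_OIDS.get(outer_oid, "unknown (%s)" % outer_oid)
    return {"oid": outer_oid, "name": name, "weak_digest": name in WEAK_DIGESTS,
            "tbs_matches_outer": inner_oid == outer_oid,
            "serial_bits": 8 * (len(serial) - pad)}     # CA/B Forum BRs: >= 64 bits of CSPRNG output

def load_pem(text: str) -> bytes:
    """Strip the -----BEGIN/END CERTIFICATE----- armour and base64-decode the body."""
    return base64.b64decode("".join(l.strip() for l in text.splitlines() if not l.strip().startswith("-----")))

# ---- constructed fixture: a certificate-shaped DER object, NOT a valid certificate ----
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                                # base-128, high bit set on all but the last byte
        chunk = bytearray([arc & 0x7F])
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return der(0x06, bytes(body))

def build_sample_certificate(sig_oid: str, serial: bytes) -> bytes:
    """Only the fields inspect_certificate() reads are populated; the rest are empty
    placeholders and the 'signature' is zero bytes."""
    alg_id = der(0x30, encode_oid(sig_oid) + der(0x05, b""))    # AlgorithmIdentifier with NULL params
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                # version [0] EXPLICIT, v3
                    + der(0x02, serial)                          # serialNumber
                    + alg_id                                     # signature (inner copy)
                    + der(0x30, b"") * 4)                        # issuer/validity/subject/SPKI placeholders
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" * 9))      # outer algorithm + BIT STRING placeholder

if __name__ == "__main__":
    # Offline run; for a real certificate use inspect_certificate(load_pem(open("site.pem").read())).
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(inspect_certificate(build_sample_certificate(oid, b"\x2a")))
```

To check a live site the same way, capture its certificate with `openssl s_client -connect host:443 -showcerts` and pass the PEM text to load_pem(); `openssl x509 -in cert.pem -noout -text` prints the same Signature Algorithm line if you would rather not parse DER yourself. A "weak_digest" result of True is the SHA1withRSA finding from the question; a False "tbs_matches_outer" would be a malformed or altered certificate and is worth a closer look regardless of the digest.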