[cryptography] Should Sha-1 be phased out?
iang at iang.org
Sat Oct 17 06:37:22 EDT 2015
On 15/10/2015 20:50 pm, Michael Kjörling wrote:
> On 14 Oct 2015 13:39 -0400, from kevinsisco61784 at gmail.com (Kevin):
> To answer the question in the subject line: SHA-1 is already being
> phased out, particularly in areas where collision resistance matters.
In general, yes. Since around 2000 and the release of SHA2 family, SHA1
has been a target for replacement for any collision weakness.
> Just like MD5, there are still situations in which SHA-1 provides a
> fully adequate level of security even _if_ finding collisions was
> actually easy, and there are mitigative strategies that can be used to
> make finding useful collisions much harder (such as using multiple
> hash algorithms in tandem, or iterative hashing). A major use for even
> a cryptographic hash algorithm where collisions can be found
> reasonably easily is as a compression function for password hashing.
> With the above said, new designs that need collision resistance should
> obviously use more secure hash algorithms, and even more than that,
> should probably plan ahead for when _those_ algorithms reach the end
> of their useful life and allow for a migration strategy. SSL/TLS
> certificates allow for a migration strategy, which is why the fact
> that we no longer trust previously MD5 and now SHA-1 doesn't
> immediately break everything.
> For SHA-1 sunsetting, see for example , , both of which are over
> a year old. SHA-1 is on schedule to be sunset for TLS certificates at
> the end of 2016; the major browsers don't consider SHA-1 based
> certificates which are valid after 1 Jan 2017 to be trustworthy, which
> with the one-year commonly selected validity period of CA-signed
> certificates means we are only a few months away from starting to see
> this in practice. It's possible that this schedule is overly
> optimistic in light of recent events, but even so, that's moving SHA-1
> from basically ubiquitous to actually untrusted in two and a half
> years, which is already quite fast. It would seem likely to me that
> accelerating the sunset of SHA-1 at this point would cause massive
> disruption, considering that people probably are making plans based on
> the announced dates.
> : https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
> : https://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html
Certificates are a basically horrible example, albeit quite truthful and
full of perception.
The basic problem of SHA1 in certificates is that it isn't or shouldn't
be vulnerable to a collision attack.
1. Certificates are prepared in advance and should be unpredictable to
the attacker. Following the old diktat of "never sign anything you
didn't write yourself" certificates should have a nonce field in them.
Since the attack on RapidSSL it has been required that certs should have
that a nonce in them. They therefore should be invulnerable to
2. One should be more concerned at high value targets. What this means
is in short: sub-root certs and EV certs. It should be easy to prepare
these more securely. Especially, cheap white end-user certs are not of
particular value in the grand scheme of things.
3. In particular roots are not vulnerable to a collision attack at all.
The signature on them could use ROT13 and it would still not be
vulnerable to a collision attack. That's because the strength of the
root comes from its manual placement in the root file, not from its
signature. Indeed, the only reason it is delivered as a cert (and in
this case a self-signed one) is because in the various x.509* things
there isn't a standard for delivering a public key, nor a root list.
Which is probably marketing more than engineering.
That said, these nuances are too deep for the certificate bureaucracy
and the buying public (devs) so we are seeing wholesale prejudice
against any and all use of weaker message digests. This extends to
browsers that reject perfectly safe root certificates because they use
old message digests, and to libraries that try and deprecate the entire
algorithm thus causing things like HMAC to stop working...
Once the herd gets moving, it's a fearsome thing. It's a little like
Adi Shamir's aphorism that only the simplest crypto survives: only the
simplest security messages can be be sold. SHA1 is being buried, and if
he'd only stop saying "I'm not dead yet" we could get on with the ceremony.
The counter-strategy then is that when there comes a chance to refresh
the crypto - use that opportunity. Replace the whole sodding lot with
the latest stuff.
That is, don't replace it with SHA2. Use SHA3. In 2025, the herd will
be stampeding all over SHA256's tired old bones. You'll be grateful for
having retired it in good time, and will have the space, peace and quiet
to think about using SHA4.
More information about the cryptography