WolkyTech

RIP SHA-1: When developers pull out support, the hashing algorithm approaches death

Security

Two open-source Secure Shell libraries have ended support for Secure Hash Algorithm 1 (SHA-1), which has been used for the past 20 years to verify the integrity of software, digital signatures, and other data, due to longstanding security concerns. Ars.

Ars Technica reports that developers using the OpenSSH and Libssh libraries will no longer be able to use SHA-1 for digitally signing cryptographic keys starting this week.

The announcement came in the form of release notes and code updates published by OpenSSH and libssh, confirming the end of SHA-1 for many.

SHA-1 is a cryptographic hash function first developed in 1995 and used to generate a "digest" of a hash. This digest can be distinguished by message, file, and function.

Any string or data theoretically generates a unique SHA-1 hash. In other words, the input "password" will produce the hash output "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8."

However, the input "Password" with a capital P gives a completely different output of "8BE3C943B1609FFFBFC51AAD666D0A04ADF83C9D."

While SHA-1 has proven useful to many people, researchers have shown how it can be leveraged by cybercriminals to create forged digital signatures.

In 2005, it was demonstrated that with sufficient computing power, it is possible to find two different inputs that yield the same SHA-1 output. This means that a relatively unobtrusive attacker can spoof a cryptographic signature using SHA-1.

This year, SHA-1 has certainly come to an end; in January, researchers identified a new collision attack at a cost of only $45,000.

This attack is a "chosen-prefix" attack, which is very serious because it is possible to modify existing input and still obtain the same SHA-1 hash. An attacker can use this method to alter documents or software in such a way as to pass SHA-1-based integrity checks.

In its explanation for removing SHA-1, OpenSSH mentions this research: "It is now possible to perform a chosened-prefix attack against the SHA-1 algorithm for less than US$50,000. For this reason, we plan to disable the 'ssh-rsa' public key signature algorithm by default in a near future release"

OpenSSH further noted that there are better alternatives, including the RSA SHA-2 signature algorithm rsa-sha2-256/512 from RFC8332. These algorithms have the advantage of using the same key type as "ssh-rsa", but use the secure SHA-2 hashing algorithm. [These have been supported since OpenSSH 7.2 and are already in use by default if the client and server support them.