PGP keys, digital security for documents and software and much more threatened by existing SHA-1 exploits

Several years ago, SHA1 was already in the news as hash collision could be proven. That means the SHA1 calculation method could result in the same checksum (or hash) for different objects (i. e. PDF document) despite having different content.

That put SHA1 or SHA-1 on the graveyard of obsolete technology and SHA-2 family took over.

This article came out February 2017, roughly 3 years ago!

A new, devastating SHA-1 exploit has been found

“We have computed the very first chosen-prefix collision for SHA-1. In a nutshell, this means a complete and practical break of the SHA-1 hash function, with dangerous practical implications if you are still using this hash function. To put it in another way: all attacks that are practical on MD5 are now also practical on SHA-1. Check our paper here for more details.”

Of course, that doesn’t mean implementations are getting replace and updated immediately. Nevertheless, the reality check is kind of frustrating:

  • GnuPG: enables PGP/GnuPG impersonation; A countermeasure has been implemented in commit edc36f5, included in GnuPG version 2.2.18 (released on the 25th of November 2019): SHA-1-based identity signatures created after 2019-01-19 are now considered invalid.
  • CAcert: CAcert is one of them main CAs for PGP keys. There are a large number of keys with recent SHA-1 signatures from CAcert on public keyservers. They are planning a switch to a secure hash function for key certification in the future.
  • OpenSSL: They are considering disabling SHA-1 at security level 1 (defined as 80-bit security) after our attack. Since security level 1 is the default configuration, this would prevent SHA-1 usage for certificates, and for handshake signatures. Debian Linux had previously set the default configuration to security level 2 (defined as 112-bit security) in the latest release (Debian Buster); this already prevents dangerous usage of SHA-1.

What is affected?

Any usage where collision resistance is expected from SHA-1 is of course at high risk. Directly affected by chosen-prefix collisions are:

  • PGP keys can be forged if third parties generate SHA-1 key certifications
  • X.509 certificates could be broken if some Certificate Authorities issue SHA-1 certificates with predictable serial numbers

Please note that classical collisions and chosen-prefix collisions do not threaten all usages of SHA-1. In particular, HMAC-SHA-1 seems relatively safe, and preimage resistance (aka ability to invert the hash function) of SHA-1 remains unbroken as of today. Yet, cryptographers recommend to deprecate SHA-1 everywhere, even when there is no direct evidence that this weaknesses can be exploited.

What to do?

Remove any use of SHA-1 in your product as soon as possible and use instead SHA-256 or SHA-3.

That can also be done quite simple and even more comprehensive by using functionality. CodeNotary digital identities use SHA-256 and are stored tamperproof with additional attributes.