SHAttered: Not All It's Cracked Up to Be
2017-03-27 · Posted by: Lois Anne DeLong · Categories: Informational
NYU graduate student Santiago Torres-Arias has a one-word message for those who might be shaken up by Google’s February 23 announcement of “the first practical technique” for attacking systems based on SHA-1, and that word is “relax.” While acknowledging that the attack, carried out by researchers at Google and the CWI Institute in Amsterdam, represents an “important milestone for the history of cryptographic hash algorithms,” he was quick to point out that although the attack CAN be done, it is unlikely to become the path of choice for malicious parties looking to bring down systems secured by cryptographic hash algorithms.
The SHAttered attack, documented in a technical article written by researchers Marc Stevens, et al., seems to negate conventional wisdom that breaking SHA-1 required expenditures of too much time, computational power and money. SHA-1 is a hash algorithm, developed by the National Security Agency and published by the National Institute of Standards and Technology, that can generate a “fixed length fingerprint,” as Torres-Arias labels it. The presence of these unique fingerprints serves as proof that a file has not been tampered with, and the inherent difficulty of creating two different files with identical SHA-1 numbers has served as an effective deterrent. As a result, for several decades SHA-1 was the de facto standard for use in secure signing systems.
Torres-Arias, who shared his comments in an informal interview this week, does not deny the significance of the SHAttered attack, given that “it was the first such attack that was not theoretical in nature.” Despite the emergence of less brittle alternatives—spurred on by studies in 2005 that first suggested that SHA-1 could be broken—the algorithm continues to be used in a number of prominent settings. One such setting is the popular Git version control system. If the algorithm can now be broken in practice—thanks to the Google/CWI researchers’ ability to alter a PDF document without affecting its SHA-1 number, thus making it possible to create collisions—it does increase the threat to these holdovers. Pointing out that, “it took us 12 years to go from a warning to be able to hash two files and get the exact same value,” and with further research “attacks are only going to grow more effective,” Torres-Arias is quick to add that “there is no reason to continue using SHA-1 for newer applications.”
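As an added illustration (not from the original post or from Git's code base), here is the “fixed length fingerprint” described above, computed as a raw SHA-1, as the object ID Git derives for a blob, and as SHA-256, followed by a tamper check against recorded digests. The sample content and function names are constructed for this example.

```python
import hashlib
import hmac


def git_object_id(data: bytes, obj_type: str = "blob") -> str:
    """Object ID as Git computes it in SHA-1 repositories:
    SHA-1 over a '<type> <size>\\0' header followed by the content."""
    header = f"{obj_type} {len(data)}".encode() + b"\x00"
    return hashlib.sha1(header + data).hexdigest()


def fingerprints(data: bytes) -> dict:
    """Fixed-length digests of arbitrary-length input."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),      # 160 bits, 40 hex chars
        "git_blob": git_object_id(data),             # SHA-1 with Git's header
        "sha256": hashlib.sha256(data).hexdigest(),  # 256 bits, 64 hex chars
    }


def verify(data: bytes, recorded: dict) -> dict:
    """Check data against previously recorded digests, per algorithm.
    Recording a SHA-256 digest alongside SHA-1 means a SHA-1 collision
    alone does not make a substituted file pass verification."""
    actual = fingerprints(data)
    return {
        name: hmac.compare_digest(actual[name], digest)
        for name, digest in recorded.items()
    }


# Constructed sample content: the second value differs by one character.
ORIGINAL = b"hello\n"
TAMPERED = b"hellO\n"

if __name__ == "__main__":
    recorded = fingerprints(ORIGINAL)
    for name, digest in recorded.items():
        print(f"{name:9s} {digest}")
    print("original :", verify(ORIGINAL, recorded))
    print("tampered :", verify(TAMPERED, recorded))
```

Because Git hashes a header plus the content, a file's Git object ID is not the same value as the raw SHA-1 of that file.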
So, why then, is Torres-Arias suggesting that the SHAttered attack is not something to lose sleep over, or indeed, perhaps not even, as other writers have suggested, “the last nail in the coffin” for the use of SHA-1 in existing systems like Git? The researcher, who has spent a lot of time studying potential weaknesses in Git, and even documented one such flaw (unrelated to its use of SHA-1) in a presentation at the Usenix Security Conference last year, points to four mitigating factors to consider before hitting the proverbial panic button.
Point 1: Since SHA-1 was already known to be “broken,” its use is already in decline. Though there are a few systems that continue to use SHA-1, Torres-Arias emphasizes that NIST itself deprecated the system six years ago, so, in a sense, the SHAttered findings come as no surprise. In the case of Git, he explained, the decision was made back in 2005 that, because of backwards compatibility, SHA-1 would not be replaced because it would be too costly to do so. That doesn’t mean these systems are completely ignoring the warnings. As Torres-Arias points out, “there are already works in the making to both harden Git’s use of SHA-1 and replace the hashing algorithm,” adding to any would-be hackers, “don’t get your hopes up.”
Point 2: The SHAttered attack requires a particular confluence of factors to fall into place in order to work. A whole sequence of things would need to occur for this attack to be successful, starting with the resources to stage the collision. Google’s own announcement points out that, even though their attack was more than 100,000 times faster than a brute force attack would be, it still took 9 quintillion SHA-1 computations to complete. Torres-Arias equates the financial costs of such an effort to “two years of your life and four semesters tuition at NYU.” And, afterwards, “you still would need to trick the system into accepting the malicious file, and create a random file that won’t break,” which, according to Torres-Arias, is pretty difficult in its own right. The attack uses a PDF file because, “it will tell the parser to ignore the random junk holding the collision blocks,” while a Word document or other file types would not.
Point 3: The collision is only the beginning. “Even if you do get as far as the collision, you still need to break into the server, and change the benign file for a malicious one,” Torres-Arias says, adding “then you have to hope that people don’t notice the switch, and that nobody uploads a newer version that could supersede it.”
Point 4: There are other attacks that can do the same damage with much less effort. Torres-Arias ticked off a number of attacks that are simpler to do, and much more effective, including submitting a patch that has a back door, opening a man-in-the-middle connection, or breaking into a version control system, none of which requires the same combination of computing power, money, and excellent timing to put all the pieces in place.
In short, while the SHAttered attack is worthy of attention, this particular threat is better filed under “more-interesting-than-scary.”
You can read Torres-Arias’ full analysis of the SHAttered attack on his own blog site.