In association with heise online

Don't panic

Nonetheless, crypto-experts such as Schneier and Kaliski expect that people will continue to be able to use SHA-1 without having to worry. After all, 2^69 is still a tremendous number. If special hardware is used, one hash operation can be executed in around 40 cycles [1].

Even if their test hardware could be accelerated from 33 MHz to 4 GHz, the process would still take 170,000 years. And even if a giant cluster of such machines were used, no collisions would be found within a realistic timeframe of a few years. However, the surprising breakthrough of Wang et al. makes it clear that we can no longer afford to sit back and relax.

The second reason to keep cool is just as important, if not even more so: hackers will have to execute a pre-image attack to manipulate, for instance, a contract that has been digitally signed. In other words, hackers will have to find a second, manipulated contract with the same hash value as the real contract. In principle, the number of operations needed is thus far greater (2^160). Indeed, as far as we know all attacks to date have only concerned collisions, and Wang et al. do not change that. There are no known methods to significantly reduce the number of operations needed for pre-image attacks.

Therefore, current digital signatures and signatures for documents that people create themselves are not in danger for the time being. On the other hand, attacks on digital signatures are possible for collisions that can be found in a realistic period of time when hackers can determine the hash value of the original themselves. The following example illustrates this possibility in a somewhat simplified fashion.

Cheating in poker with contracts

An intelligent hacker creates two contracts: one of them with the correct price for a house; the other, a much higher figure. As this hacker knows that he can find a collision in 2^x hash operations, he makes a number of cosmetic modifications, for example by adding spaces at the end of a line. By executing all possible combinations of these modifications, this hacker creates 2^x versions of each contract. The probability that two of them will have the same hash value is very high. The hacker then has the victim sign a copy of the contract with the correct purchase price. But he can later change the text without changing the hash value and take the victim to court.

The new attack on SHA-1 may reduce the effort that hackers will have to go to in order to find a collision by a factor of 2,000. Nonetheless, a successful attack fortunately remains infeasible in practice. For instance, attacks on SHA-1 signatures would take advantage of deleted paragraphs in Word files to add blocks with random variations to the document. For this reason, it is generally a good idea to make a cosmetic change to a document before it is digitally signed.
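The contract trick and the cosmetic-change countermeasure described above, as an added example that is not part of the original article: it uses SHA-1 truncated to 24 bits (an assumption, so the search finishes in seconds) and constructed sample contracts of 14 lines each, giving x = 14, slightly above half the digest size so that a match is all but certain. The function names and the signer's token are hypothetical.

```python
import hashlib
from itertools import product

BITS = 24  # toy digest size (assumption); real SHA-1 outputs 160 bits

def toy_hash(data: bytes) -> int:
    """SHA-1 truncated to its top BITS bits so a collision search finishes in seconds."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - BITS)

def variants(lines):
    """Yield all 2^x cosmetic variants of a text: optional trailing space on each of x lines."""
    for mask in product(("", " "), repeat=len(lines)):
        yield "\n".join(l + s for l, s in zip(lines, mask)).encode()

def find_collision(good_lines, bad_lines):
    """Birthday search across both families; returns (good, bad) with equal toy_hash."""
    table = {toy_hash(v): v for v in variants(good_lines)}
    for v in variants(bad_lines):
        match = table.get(toy_hash(v))
        if match is not None:
            return match, v
    return None

def signer_cosmetic_change(doc: bytes, token: bytes) -> bytes:
    """The signer's own change before signing: a token the other party cannot predict."""
    return doc + b"\n" + token

# Constructed sample contracts, 14 lines each, so each family has 2^14 variants.
CLAUSES = [f"Clause {i}: standard terms apply." for i in range(1, 13)]
GOOD = ["Purchase agreement", "Price: 200,000 EUR"] + CLAUSES
BAD = ["Purchase agreement", "Price: 900,000 EUR"] + CLAUSES

if __name__ == "__main__":
    good, bad = find_collision(GOOD, BAD)
    print(f"toy_hash(good) = {toy_hash(good):06x}, toy_hash(bad) = {toy_hash(bad):06x}")
    changed = signer_cosmetic_change(good, b"7f3a")  # constructed token
    print("still colliding after signer's change:", toy_hash(changed) == toy_hash(bad))
```

The two families give 2^28 cross pairs against 2^24 possible toy digests, which is why a match turns up; the signer's change moves the signed document's hash away from the value the prepared pair was built around.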

In addition, pre-image attacks cannot be used to crack methods in which digital signatures precede encryption. If you cannot access the plaintext, you can't even circumvent an MD4 sum. This is why SSH and IPSec remain secure. HMAC sums also remain unaffected. These are hashes that can only be calculated if a secret key is known. They are set up in such a way that a hacker cannot calculate a collision without the key.

SHA-1 attacks also do not affect the security provided by passwords, which are only saved as hash values in many systems. For the time being, there is no risk of a password being calculated for a given hash value; rather, dictionary attacks remain the greatest threat here.

Permalink: http://h-online.com/-747181