Exploit Fully Breaks SHA-1, Lowers the Attack Bar

sha-1 collision attack

Users of GnuPG, OpenSSL and Git could be in danger from an attack that’s practical for ordinary attackers to carry out.

A proof-of-concept attack has been pioneered that “fully and practically” breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering.

The exploit was developed by Gaëtan Leurent and Thomas Peyrin, academic researchers at Inria France and Nanyang Technological University/Temasek Laboratories in Singapore. They noted that because the attack is much less complex and cheaper than previous PoCs, it places such attacks within the reach of ordinary attackers with ordinary resources.

“This work shows once and for all that SHA-1 should not be used in any security protocol where some kind of collision resistance is to be expected from the hash function,” the researchers wrote. “Continued usage of SHA-1 for certificates or for authentication of handshake messages in TLS or SSH is dangerous, and there is a concrete risk of abuse by a well-motivated adversary. SHA-1 has been broken since 2004, but it is still used in many security systems; we strongly advise users to remove SHA-1 support to avoid downgrade attacks.”

Given the footprint of SHA-1, Leurent and Peyrin said that users of GnuPG, OpenSSL and Git could be in immediate danger. And, in backward compatibility scenarios, users can experience downgraded encrypted connections to the outdated hash function, which opens the door to attacks even in instances where SHA-1 isn’t the default.

The NIST-developed SHA-1 has been phased out over the course of the last five years, as more and more attacks that break it have popped up. Microsoft for instance last year announced that it would no longer deliver Windows OS updates to machines using SHA-1, citing the existence of known collision attacks against SHA-1 as the main reason. Collisions occur when an attacker is able to generate a certificate with the same signature as the original certificate.

All of the major browsers and most applications don’t recognize certificates signed with SHA-1 these days, few certificate authorities still support it, and NIST has deprecated it since 2011, but the latest PoC attack is nonetheless deeply concerning given that for all of that, it remains far from being fully deprecated.

In particular, Pretty Good Privacy (PGP), a widely used encryption program used for signing, encrypting and decrypting texts, emails, files, directories and whole disk partitions, and which plays a big role in email security communications, defaults to using SHA-1.

“It is still the default hash function for certifying PGP keys in the legacy 1.4 version of GnuPG, the open-source successor to PGP application for encrypting email and files,” explained researchers at Venafi, in a post Wednesday analyzing the PoC.

But that’s not the only remaining bastion for SHA-1. Venafi researchers added: “Git, the world’s most widely used system for managing software development among multiple people, still relies on SHA-1 to ensure data integrity. And many non-Web applications that rely on HTTPS encryption still accept SHA-1 certificates. SHA-1 is also still allowed for in-protocol signatures in the TLS and SSH protocols.”

The exploit, which focused on PGP, is yet another collision attack, but it’s one that significantly lowers the bar for attackers looking to break SHA-1 compared to previous PoCs. Building on previous exploits, which would be expensive and complex to carry out, the researchers focused on driving efficiencies into the attack, in order to make it practical to execute.

“Our work shows that SHA-1 is now fully and practically broken for use in digital signatures,” Leurent and Peyrin wrote in their paper. They added, “We managed to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia GTX 970, identical-prefix collisions can now be computed with a complexity of 2 to the power of 61.2 rather than 2 to the power of 64.7, and chosen-prefix collisions with a complexity of 2 to the power of 63.4 rather than 2 to the power of 67.”

The attack essentially allows a threat actor to impersonate a legitimate user by creating a PGP key that’s identical to the victim’s key. This then would allow the attacker to intercept email communications, carry out a man-in-the-middle attack, hijack sessions and more.

The researchers explained:

“By exploiting properties of the OpenPGP and JPEG format, we can create two public keys: Key A with the victim name, and key B with the attacker name and picture, such that the identity certificate containing the attacker key and picture has the same SHA-1 hash as the identity certificate containing the victim key and name. Therefore, the attacker can request a signature of his key and picture from a third party (from the Web of Trust or from a [certificate authority]) and transfer the signature to key A. The signature will still be valid because of the collision, while the attacker controls key A with the name of the victim and signed by the third party. Therefore, he can impersonate the victim and sign any document in her name.”

Making matters worse, SHA-1 doesn’t even need to be selected for use for the attack to work – it merely has to be supported by any given implementation.

“We stress that when a protocol supports several hash functions, those attacks are possible as long as SHA-1 is supported by implementations, even if it is not selected during normal use,” according to the paper. “A man-in-the-middle attacker will just force the parties to use SHA-1.”

In practice, achieving the attack takes computational horsepower and processor resources; the researchers said that they paid $756,000 for their trial-and-error process and computations, but the cost could be as low as $50,000 using more advanced GPUs and a known attack methodology. In some cases, the cost could be as low as $11,000.

“This is clearly within reach of reasonable attackers,” they said. “GPU technology improvements and general computation cost decrease will quickly render our attack even cheaper, making it basically possible for any ill-intentioned attacker in the very near future.”

The bottom line is that users, admins and developers should make the switch to the next-generation SHA-2 as soon as possible. Progress is being made: In light of the research findings, the developers of GnuPG have implemented a countermeasure by discontinuing its use in version 2.2; and OpenSSL’s developers said that they’re considering removing support for SHA-1. The paper also noted that GIT developers have been working on replacing SHA-1, and they use a collision detection library to mitigate the risks of collision attacks.

Though GnuPG has removed SHA-1 support for version 2.2, the researchers cautioned in the paper, “the ‘classic’ branch of GnuPG (v1.4) [still] uses SHA-1 by default for identity certifications, and there is still a non-negligible number of keys signed with SHA-1.”

Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.

Suggested articles


  • Aspie on

    Wasn't this cracked in 2017?
  • Jay Asbury on

    Git would require getting the altered commits into a repo and the altered code would need the compile.
  • The Dude on

    To get Key A's name, which I'm taking to mean their valid SHA-1 hash, you'll need to be sniffing the connection, and it'll need to be over an unencrypted connection. This is the barrier to achieving this attack. If the victim is on a private network, or is using an encrypted proxy, tor, vpn, SSH, DoH, or anything else that's similar, the difficulty of this attack becomes unachievable 2^64+2^whatever additional security measure is taken. Probably 2^128+. I feel like that those universities have just thrown away a million dollars on research that moore's law would have achieved in less than 5 years now anyway... As stated, collision techniques have been known about for over 15 years already. And a *possible* half million price tag for implementing this technique of attack isn't anything remarkable over that, now ancient, research.
  • dwc on

    SHA-1 code-signing encryption? legacy computers? For an article to miss some of the fundamentals of the concepts of hashing and encryption, it does not reflect well on a cybersecurity news site.
  • Ivo Hanuska on

    Yes, it was. But collision generation required high amount of computing power. Current attack is simple and well described. So it is much more dangerous. SHA-1 collision descriptions are described quite a long time, but this crack is first really feasible to use
  • Anonymous on

    Great article! Informative, easy to read and understand. Thank you!
  • Anonymous on

    @Jay Asbury: Making valid source code is just as trivial as making JPEG valid
  • Jan on

    "Though GnuPG has removed SHA-1 support for version 2.2 [...]" $gpg --version gpg (GnuPG) 2.2.19 libgcrypt 1.8.5 Copyright (C) 2019 Free Software Foundation, Inc. ... Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Looks like it isn't removed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.