Tech companies continue to back away from SHA-1 like it’s an infectious disease.
Microsoft, which already had plans to deprecate the crusty cryptographic algorithm by the start of 2017, decided this week to move up that deadline six months. The company said it’s considering whether it will start blocking SHA-1-signed TLS certs in June 2016 instead.
The move coincides with a similar announcement from Mozilla, which said on Oct. 20 that it too is considering a July 1, 2016 cutoff for accepting SHA-1 certs in Firefox.
“We will continue to coordinate with other browser vendors to evaluate the impact of this timeline based on telemetry and current projections for feasibility of SHA-1 collisions,” wrote Kyle Pflug, a program manager for Microsoft Edge, the successor to Internet Explorer.
The rush to deprecate was given an extra nudge early last month when a team of cryptographers published an academic paper that said it’s quite possible for a well-resourced attacker, i.e., an intelligence agency such as the NSA or state-sponsored Russian or Chinese hackers, to create a practical SHA-1 collision attack by the end of this year.
This beats previous projections by almost three years, and has set in motion this wave of activity to put SHA-1 officially out to pasture.
Microsoft in 2013 was among the first providers to announce its intention to move away from SHA-1, as well as the RC4 stream cipher. Theoretical collisions against SHA-1, where two inputs of a hash function generate the same hash, have been described for more than a decade. Mozilla, Google and others were not far behind.
Mozilla’s original plan was to add warnings to the Web console alerting developers that SHA-1 certificates were a bad idea. It also planned, as of Jan. 1, 2016, to show an “Untrusted Connection” error in Firefox for sites signed with SHA-1 after that date, and after Jan. 1, 2017 to show the same error message whenever its browser ran into a SHA-1 cert.
That changed after the publication of the report “Freestart collision for full SHA-1.”
“We are re-evaluating when we should start rejecting all SHA-1 SSL certificates (regardless of when they were issued),” Mozilla said in its Oct. 20 announcement.
The academic paper, written by researchers Marc Stevens, Pierre Karpman and Thomas Peyrin, respectively of the Centrum Wiskunde & Informatica of the Netherlands, Inria of France, and the Nanyang Technological University of Singapore, describes tweaks to existing attacks and advances in analysis of the algorithm that drastically reduce the cost and potential time to generate a collision. Those factors, in combination with the relative continued health of Moore’s law, which states that computer processing power doubles every two years, significantly reduce the time to create a collision attack.
The original estimates for practical SHA-1 collisions were published by cryptographer Bruce Schneier in 2012 when he projected that the cost to create a practical SHA-1 collision would be $700,000 by 2015 and $143,000 by 2018, two figures that are within reach of well-funded hacking teams.
The new projections, given the relatively inexpensive cost of processing power afforded by Amazon EC2, for example, reduce the costs to between $75,000 and $125,000 and the time down to as few as three months.