Why so slow to move off SHA-1?
We all know the gears of government grind slowly, but when it comes to the arcane world of government encryption standards, “slowly” can mean something else entirely. When government time meets technology time, sparks can fly.
Take SHA-1, for example. That 160-bit hash algorithm has been at the heart of vital web security protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) since shortly after it was developed by the National Security Agency in the 1990s. It has also been a core member of the FIPS standards published by National Institute of Standards and Technology.
However, it’s been under fire for nearly a decade. In 2005, a professor in China demonstrated an attack that could be successfully launched against the SHA-1 hash function, a feat that led to a lot of soul searching within the encryption community. Less than a year later, NIST was urging agencies to begin moving away from SHA-1 and toward stronger algorithms.
At the beginning of 2011, NIST went even further and put what seemed the final kibosh on the beleaguered algorithm by stating definitely that “SHA-1 shall not be used for digital signature generation after December 31, 2013.”
But earlier this year, stories began to emerge pointing out that despite the NIST statement, many government entities were still generating new SSL certificates using SHA-1 in favor of stronger versions.
In a February survey, web services company Netcraft found that fully 98 percent of all the SSL certificates used on the web used SHA-1 signatures, and less than 2 percent used the 256-bit SHA-256. The company also pointed out that a huge number of those certificates as originally issued would still be valid beyond the start of 2017.
It’s not that the security provided by these certificates has so far proven to be porous, but a so-called collision attack could open up valid certificates to be substituted by ones constructed by attackers, allowing them to circumvent web browser verification checks.
It would be time-consuming and need a lot of computing power, but the increasingly market-driven nature of the threat industry is making that less of a barrier. Researchers have shown how the price of an SHA-1 attack will rapidly shrink over the next few years.
That’s all driving a sense of inevitability about the continuing use of SHA-1. Companies such as Microsoft and Google said some time ago they would start winding down the use of the algorithm in their products, and now the browser companies are getting on board.
The developers of Chrome, for example, recently said they will start sunsetting the use of SHA-1 beginning with a release due in November, and on Sept. 23 those in charge of Mozilla-based browsers such as Firefox said they also will be “proactively” phasing out their support of certificates that use SHA-1 signatures.
What’s a government agency to think of this? There have certainly been confusing signals along the way. In 2012, the year after it said it wanted agencies to move away from SHA-1, NIST announced the winner in a competition to create a secure hash algorithm that could eventually be the basis of a new federal SHA-3 standard.
But at the same time, NIST downplayed the need for a new standard in the shorter term, saying SHA-2 seemed to be working just fine (though NIST recent issued a request for comments on a new FIPS 202 that will validate the use of SHA-3). Meanwhile. the current version of NIST secure hash standards (FIPS PUB 180-4) still lists SHA-1 as valid for use in government applications. At the rate the private sector seems to be moving, however, it seems that will soon be impractical.
Posted by Brian Robinson on Sep 26, 2014 at 10:21 AM