Deprecating SHA-1 — Why, What and When

As some of you may already know, in September Incapsula began the process of replacing all SHA-1 SSL certificates with the more secure SHA-2 version. This transition is on schedule and will be completed within the following week. In addition, all new SSL certificates issued by Incapsula will use the SHA-2 algorithm.

Our decision to discontinue SHA-1 support is in line with the industry trend, which acknowledges the potential weakness of the SHA-1 cryptographic algorithm.

In November 2013 Microsoft was the first to announce its timetable for phasing out SHA-1 certificates. According to this timetable, MSN platforms will stop supporting SHA-1 as of January 1, 2017.

More recently, Google and Mozilla announced that their browsers will no longer trust SHA-1 encrypted SSL certificates with expiration dates past December 31, 2016.

To ensure the best possible experience for your users, we recommend that you make sure all your web applications are compatible with SHA-2.

For any questions regarding SHA-1 migration process please contact us at: support@incapsula.com

About SHA-1 Hashing

The SHA-1 hash algorithm plays a critical role in securing SSL communications, where it is used to verify a certificate’s integrity.

The algorithm is generally employed to transform large blocks of data into 160 bit long values (hashes), each being unique to the encrypted content.

For example, using SHA-1 to hash this online copy of Albert Einstein’s Theory of Relativity yields this:

F3C146CE295FE311748B1F952A7701273F533E2D

However, running the algorithm on a slightly modified version of the same text provides a different output. For example, simply removing the last asterisk character (*) changes the hash to:

78BFF8D6E366DF77A8C4C85BF04CB3407F9A87A

Looking at both outputs one can immediately tell that the second version does not conform to the original.

Finding out exactly how these two versions differ is immaterial. For integrity validation purposes, just knowing that the inputs are different is enough to raise the red flag.

This is essentially how SSL certificates are verified. The idea is for the certificate authority (CA) to store the original hashes of all issued certificates on publicly-available servers. There the hashes can be accessed by any browsers, operating systems, and other SSL-reliant platforms.

When a SSL connection is initiated, the platform runs the SSL certificate through the SHA-1 algorithm and compares the output with the public record.

If both values match, the certificate is deemed untampered. If the hashes are different, then the certificate cannot be trusted.

Digital Signature Diagram

The Problem with SHA-1 Encryption

Over time, encryption standards tend to become less effective for two main reasons:

  • Security vulnerabilities identified by researchers
  • Plummeting costs of computing power, enabling the feasibility of theoretical vulnerabilities

In case of SHA-1, the algorithm was found to be more susceptible than expected to collision attacks, which are designed to fabricate the same hash value for different input data.

As mentioned, each hash is supposedly unique. However, with a high enough number of attempts, it is theoretically possible for another data input to produce the same hash.

Originally, SHA-1 collision probability was assumed to be one in 280 attempts. However, in recent years, security researchers began pointing out that the actual number could be much lower.

The most efficient example of SHA-1 collision attack is considered to have been presented by Marc Stevens in his Leiden University PhD thesis.

In his paper, Stevens described a methodology which could theoretically drop SHA-1 complexity down to a ~260.

Stevens went on to calculate the cost of computing resources required to execute a successful collision attack. Back in 2012 he estimated that the price tag for breaking a single SHA-1 hash would be $2.77M.

Moving a few years forward, with the rapidly declining costs of cloud computing, SHA-1 collision attacks are now also getting a price reduction. In fact, keeping pace with Moore’s law, the decreasing execution cost of such an attack is estimated to hit $173K by 2018 (and $43K by 2021).

With these ‘bargain bin’ prices, the concern is that some attackers might soon consider hash breaking to be a worthwhile investment.

Not Without Precedent

Some may question the practicality of paying hundreds of thousands of dollars for a counterfeit SSL certificate, but the idea is not without precedent.

In 2012, global security authorities became aware of a successful collision attack against MD5, a SHA-1 predecessor.

The fabricated MD5 hashes were used to validate false Microsoft update certificates responsible for spreading the infamous Flame malware under the guise of a legitimate MSN update.

Flame is highly sophisticated modular malware discovered in 2012. Flame was used to steal data from infected Windows operating computers and is believed to be part of a well-coordinated state-run cyber espionage operation.

Geographical location of Flame infections

Geographical locations of Flame infections detected by Kaspersky Lab

Flame is still considered to be one of the most complex and effective pieces of malware to date. At the time of its discovery, the estimated cost of a MD5 collision attack was $200K.

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.