• Tag Archives cryptography
  • Cryptographers Demonstrate Collision in Popular SHA-1 Algorithm

    On February 23rd, a joint team from the CWI Amsterdam and Google announced that they had generated the first ever collision in the SHA-1 cryptographic hashing algorithm. SHA-1 has long been considered theoretically insecure by cryptanalysts due to weaknesses in the algorithm design, but this marks the first time researchers were actually able to demonstrate a real-world example of the insecurity. In addition to being a powerful Proof of Concept (POC), the computing power that went into generating the proof was notable:

    We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed.

    Here are some numbers that give a sense of how large scale this computation was:

    • Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
    • 6,500 years of CPU computation to complete the attack first phase
    • 110 years of GPU computation to complete the second phase

    The CWI Amsterdam and Google researchers launched shattered.io, a site explaining the attack and linking to two distinct pdf files: shattered-1.pdf and shattered-2.pdf with different contents but the same SHA-1 checksum.

    What is SHA-1, anyway?

    SHA-1 is part of a class of algorithms known as collision-resistant hashing functions, which create a short digest of some arbitrary data. That can be a piece of text, a database entry, or a file, just to name a few examples. For instance, the SHA-1 result or ‘checksum’ of the first sentence in this paragraph is 472825ab28b45d64cd234a22398bba755dd56485. Creating a digest of data is useful in many contexts. For example, making a cryptographic signature for a digest is more convenient and faster than signing the entire contents of a message, a fact that many cryptographic systems have taken advantage of. Lots of software uses this type of hashing function, and relies on the collision-resistance property to verify that the contents of the original message haven’t been corrupted or tampered with.

    Sunsetting SHA-1

    While a brute-force attack (simply trying all the possibilities until a collision is found) remains impractical, low-level analysis of the algorithm has revealed deep fractures in its design. Over time, as these theoretical attacks against the algorithm have gotten better, many have moved away from SHA-1 to guarantee security. In 2014, the CA Browser Forum (an organization which comprises the trust-roots for the web) passed a ballot which prevented new HTTPS certificates from being issued using SHA-1 after 2015. And earlier this year, the major browsers started to remove support for HTTPS sites which serve SHA-1 certificates. In general, companies and software projects were moving away from relying on SHA-1. Next-generation hashing algorithms such as SHA-256 and SHA-3 have been available for a long time, and provide far better guarantees against collisions.

    So what’s the big deal?

    Unfortunately, the migration away from SHA-1 has not been universal. Some programs, such as the version control system Git, have SHA-1 hard-baked into their code. This makes it difficult for projects which rely on Git to ditch the algorithm altogether. The encrypted e-mail system PGP also relies on it in certain places.

    While initially promising to deprecate SHA-1 in a similar time-frame as the other browsers, Internet Explorer has pushed that date back to mid-2017. This means that sites with certificates signed by the insecure function will still be trusted for IE users. And while the collision was demonstrated on two pdf files, there is nothing stopping others from crafting a malicious X.509 certificate with the same checksum as a valid certificate, and using that to impersonate a legitimate HTTPS site. History (and Moore’s law) shows us that this only becomes easier over time. The first full collision of the then-popular MD5 hashing algorithm was demonstrated in August 2004. Less than seven months later, an X.509 collision was shown.

    Last year, we pointed out that a SHA-1 collision in 2017 was entirely foreseeable, and will happen again in the future. To have robust protections against cryptographic vulnerabilities, software projects have to take these vulnerabilities seriously before they turn into demonstrated attacks, when they are still theoretical but within the realm of possibility. Otherwise, the time it takes to migrate away from these insecure algorithms will be well used by attackers, as well.

    Source: Cryptographers Demonstrate Collision in Popular SHA-1 Algorithm | Electronic Frontier Foundation

  • Attorney General Nominee Sessions Backs Crypto Backdoors

    As the presidential campaign was in full swing early last year, now-President Trump made his feelings on encryption clear. Commenting on the Apple-FBI fight in San Bernardino, Trump threatened to boycott Apple if they didn’t cooperate: “to think that Apple won’t allow us to get into [the] cell phone,” Trump said in an interview. “Who do they think they are? No, we have to open it up.”

    For that reason, we were curious what Trump’s nominee for Attorney General, Sen. Jeff Sessions (R-AL) would say about the role of encryption.

    At his confirmation hearing, Sessions was largely non-committal. In his written responses to questions posed by Sen. Patrick Leahy, however, he took a much clearer position:

    Question: Do you agree with NSA Director Rogers, Secretary of Defense Carter, and other national security experts that strong encryption helps protect this country from cyberattack and is beneficial to the American people’s digital security?

    Response: Encryption serves many valuable and important purposes. It is also critical, however, that national security and criminal investigators be able to overcome encryption, under lawful authority, when necessary to the furtherance of national-security and criminal investigations.

    Despite Sessions’ “on the one hand, on the other” phrasing, this answer is a clear endorsement of backdooring the security we all rely on. It’s simply not feasible for encryption to serve what Sessions concedes are its “many valuable and important purposes” and still be “overcome” when the government wants access to plaintext. As we saw last year with Sens. Burr and Feinstein’s draft Compliance with Court Orders Act, the only way to give the government this kind of access is to break the Internet and outlaw industry best practices, and even then it would only reach the minority of encryption products made in the USA.

    As we’ve done for more than two decades, we will strongly oppose any legislative or regulatory proposal to force companies or other providers to give Sessions what he’s demanding: the ability to “overcome encryption.” Code is speech, and no law that mandates backdoors can be both effective and pass constitutional scrutiny. If Sessions follows through on his endorsement of “overcoming” encryption, we’ll see him in court.

    Source: Attorney General Nominee Sessions Backs Crypto Backdoors | Electronic Frontier Foundation

  • Obama’s Silence on Crypto Could Set the Stage For Bad Policies to Come

    One year ago today, the 100,000th person added their name to a public petition calling on President Obama to categorically reject any attempt to add backdoors to our devices or otherwise undermine encryption.

    Since then, crickets.

    Obama has promised to reply to petitions on his We the People platform that receive over 100,000 signatures. But the only response our hugely popular petition received was a nonresponse asking for more input.

    Since then, the issue has become even more pressing. While the urgency of the Apple encryption battle may have abated, the conversation around forcing tech companies to assist the government in obtaining access to unencrypted data has continued.

    Julian Sanchez, a senior fellow at the Cato Institute, wrote last month that the misguided Feinstein-Burr proposal—which sought to force tech companies to render unencrypted communications at law enforcement’s request—has been revised by the authors with an intent to find a version they could push through Congress with less opposition. Sanchez wrote: “Their offices have been circulating a series of proposed changes to the law, presumably in hopes of making it more palatable to stakeholders,” and then he detailed the adjustments to the fundamentally flawed proposal.

    This should worry anybody who believes in strong digital security and fears attempts to undermine it.

    The backdoor issue is part of a larger conversation our country is having about digital security right now. We saw renewed public interest in cybersecurity last week when major websites like Twitter, Amazon, and PayPal suffered outages as their DNS provider Dyn came under a series of DDoS attacks. This highlights how the choices independent corporations make around security can have huge ramifications for the general public. We now know that the attacks last week were at least partially reliant on the security choices made by companies like Hangzhou Xiongmai, whose default settings made it trivial for their products to be taken over and turned into a zombie horde that helped take down some of the Web’s favorite sites. In light of this demonstration of how poor security can cripple core Internet services, it’s even more important that the U.S. government champion best practices. We need the Administration to be leading our country along the path of strong security practices, uncompromised crypto, and engineering design that’s resistant to attack.

    EFF, Access Now, and others sent a letter to the president today, urging him again to respond to the 100,000 individuals who spoke out in defense of encryption. As we explain in our letter, the world is watching the United States to see how we’ll address this issue:

    Around the world, governments have capitalized on the lack of leadership in support for encryption and implemented harmful laws and policies. China specifically cited to the rhetoric in the U.S. last December when it passed a new law that likely bans end to end encryption, with no upper limit on fines for non-compliant companies. The UK is on the fringe of passing a law that would, practically, have the same impact. And from Brazil to Russia to India we are seeing other actions that will undermine the security of the global Internet.

    Obama has tried to paint himself as a tech-savvy president who champions civil liberties. As he prepares to leave office in a few months, he has a golden opportunity to stand up for digital security. That means doing more than quietly indicating he wouldn’t support a backdoor bill; it means affirmatively describing a policy of the federal government that doesn’t seek to undermine encryption.

    Over 100,000 people have been waiting for Obama’s leadership on this vital issue for a year now. His continued silence on the matter could leave open questions about how and when the Justice Department will seek future methods of undermining our security. But a strong statement from the White House today could ensure his Justice Department stops its nonsensical and short-sighted war on secure communications. It will also set the right standard for the next president to take office.

    We’re all counting on you, Mr. President.

    Source: Obama’s Silence on Crypto Could Set the Stage For Bad Policies to Come | Electronic Frontier Foundation