All these applications rely on the properties of cryptographic hash functions: they are easy to compute, but it is infeasible to find an input that produces a given hash (pre-image resistance), to change a document without changing its hash (second pre-image resistance), or to find two different messages with the same hash (collision resistance).
Attacks Against Hash Functions
Attacks against hash functions try to break at least one of these properties. The following two types of attack have been publicly discussed in recent years.
A pre-image attack tries to find an input that produces a given hash value. The generic method is brute force: hash randomly chosen (or systematically enumerated) inputs until one matches the target. As a SHA-1 hash value consists of 160 bits (20 bytes), there are exactly 2^160 possible values, so in the worst case this takes about 2^160 attempts; even with the fastest hardware available today, that would take billions of years. In practice the typical target is a compromised list of password hashes: an attacker who finds any input with the same hash as a stored entry can use it as the password and gain access to your system. Note that password guessing is far cheaper than the generic bound, because the attacker only has to enumerate likely passwords rather than random 160-bit values; the 2^160 figure applies only when the input is itself unpredictable.
A collision attack is cheaper. Because of the birthday paradox, about 2^80 attempts suffice to find two different input strings with the same SHA-1 hash value (the attacker is free to choose both inputs, instead of having to hit one fixed target). However, this number is also still far beyond what you can do with today's computers.
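The gap between the two attack costs is easiest to see on a hash that has been truncated to a handful of bits, where both searches finish in about a second. The following Python example is added here and is not from the original article; the function names, the `pw0, pw1, ...` candidate space and the chosen "secret" password are constructed for the demonstration. On a 20-bit truncation of SHA-1 the pre-image search needs up to 2^20 attempts, while the birthday-style collision search needs on the order of 2^10, which is the same 2^160 versus 2^80 ratio as for full SHA-1, scaled down.

```python
"""Brute-force pre-image search versus birthday collision search on a
truncated SHA-1.  Added example; not code from the original article.
SHA-1 is truncated to a small number of bits so that both searches finish
quickly.  All function names and the candidate-password space are
constructed for this demonstration."""
import hashlib


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-1(data) as an integer.
    bits=160 gives the full, untruncated hash."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def candidate(i: int) -> bytes:
    """Constructed candidate space: the attacker enumerates pw0, pw1, pw2, ..."""
    return b"pw%d" % i


def preimage_search(target: int, bits: int, limit: int):
    """Pre-image attack: find ANY input whose truncated hash equals `target`.
    Each attempt can only hit one fixed value, so the generic cost is about
    2**bits attempts.  Returns (input, attempts) or None if `limit` is hit."""
    for i in range(limit):
        data = candidate(i)
        if truncated_sha1(data, bits) == target:
            return data, i + 1
    return None


def collision_search(bits: int, limit: int):
    """Collision attack (birthday search): find two DIFFERENT inputs with the
    same truncated hash.  Every new hash is compared against all earlier ones
    via the dict, so the expected cost is only about 2**(bits/2) attempts.
    Returns (input_a, input_b, attempts) or None if `limit` is hit."""
    seen = {}
    for i in range(limit):
        data = candidate(i)
        h = truncated_sha1(data, bits)
        if h in seen and seen[h] != data:
            return seen[h], data, i + 1
        seen[h] = data
    return None


def generic_work_factors(bits: int):
    """(pre-image attempts, collision attempts) for an ideal `bits`-bit hash,
    i.e. 2**bits and 2**(bits/2).  For SHA-1: 2**160 and 2**80."""
    return 2 ** bits, 2 ** (bits // 2)


if __name__ == "__main__":
    BITS = 20
    # The victim's stored hash: truncated SHA-1 of a constructed password
    # that happens to lie in the attacker's candidate space.
    secret = candidate(600_000)
    stored = truncated_sha1(secret, BITS)

    pre = preimage_search(stored, BITS, limit=4 * 2 ** BITS)
    col = collision_search(BITS, limit=4 * 2 ** BITS)
    print("pre-image : input=%r found after %d attempts" % (pre[0], pre[1]))
    print("collision : %r and %r after %d attempts" % (col[0], col[1], col[2]))
    for n in (BITS, 160, 256):
        p, c = generic_work_factors(n)
        print("%3d-bit hash: pre-image ~2^%d, collision ~2^%d"
              % (n, p.bit_length() - 1, c.bit_length() - 1))
```

The colliding pair agrees only on the truncated prefix; their full SHA-1 digests still differ, which is the whole point: shrinking the output by n bits cuts the collision cost by 2^(n/2), not 2^n. The dict in `collision_search` is what buys the birthday speed-up, and it is also the attack's memory cost, which is why real collision searches (including the 2^69 SHA-1 result discussed below in this article's own terms) rely on cryptanalytic shortcuts rather than plain table lookups.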
The SHA-1 Discussion
In 2005, a team of Chinese researchers (Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu) published a paper describing a mathematical method that reduces the number of attempts for a collision attack against SHA-1 from 2^80 to 2^69. Even though 2^69 is still a huge number, this is a reduction by a factor of 2^11 (that is, 2,048). It does not break SHA-1 in practice, but it is a start, and further research may well decrease this number again in the near future. The original paper is available here. As SHA-256 produces hash values of 32 bytes (256 bits), a generic collision attack against it needs about 2^128 attempts, so the effort of breaking it is many orders of magnitude higher. SHA-256 can therefore be considered safe for today and the foreseeable future.
As computer security expert Bruce Schneier wrote in his blog post from February 2005, “Jon Callas, PGP’s CTO, put it best: ‘It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.’ That’s basically what I said last August. It’s time for us all to migrate away from SHA-1.”
NIST Special Publication 800-131A
Based on this discussion, NIST has already changed its recommendations. NIST Special Publication 800-131A, dated January 2011 and titled "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", states that the use of SHA-1 for generating digital signatures is disallowed after December 31, 2013; non-digital-signature applications (such as HMAC, key derivation and random number generation) may continue to use it. You can read the full document here. This has a direct impact on government customers and on companies selling security products to governmental customers.
If you already support secure connections in your IT environment, you are most likely using SSL or its successor TLS, for example for secure Telnet, FTP and HTTPS. Most applications today support protocol versions up to TLS 1.0.
One of the basic properties of a secure SSL/TLS connection is the cipher suite the two sides negotiate. A cipher suite consists of three parts:
• An algorithm for authenticating the two communication partners
• An algorithm for encrypting the data that goes over the line