About this time last year, Google stated their direction to end support for SHA1 certificates warning that their compromise is eminent. At the time, we raised the concern that the approach to warning users of deprecated PKI certificates using the SHA-1 hash algorithm was concerning. This was based on the guidance of the industry as to when a viable collision attack would be viable.
At the time, this was and still seems like a heavy lift simply for the number of sites potentially affected by the need to update their certificate.
This month, a group of researchers have provided additional guidance that the cost of creating a SHA-1 collision is lower and available earlier than originally anticipated.[i] In their paper[ii], they document that a low priced GPU cluster could create a freestart collision in 10 days. While this style of compression collision is short of a full SHA-1 collision, the results can be applied to the earlier frameworks represented in their paper to extrapolate a full collision attack using Amazon EC2 would cost between $70k and $125k based on today’s standards.
This significantly amplifies the earlier guidance provided by industry analysts that SHA-1 needs to be fully deprecated, as full collision attacks are now financially and technically feasible.
- SEC.FAIL Google Deprecates SHA-1
- Netcraft Current SHA-2 Adoption Rate
- NIST Special Publication 800-131A Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
- Bruce Schneier on the SHA-1 weakness
- Google Gradually Sunsetting SHA-1
The CAB Forum members apparently decided to withdraw the ballot to extend the issuance of SHA-1 based certificates hash. We should expect these certificates to no longer be issued as of the end of 2015. See cabforum.org for more information.
[i] “This website contains latest news and background information regarding the SHA-1 freestart collision work from Marc Stevens (CWI, the Netherlands), Pierre Karpman (Inria, France and NTU Singapore) and Thomas Peyrin (NTU Singapore).”
[ii] Freestart collision for full SHA-1 https://docs.google.com/viewer?url=https%3A%2F%2Fsites.google.com%2Fsite%2Fitstheshappening%2Fshappening_article.pdf%3Fattredirects%3D0