{"id":6780,"date":"2017-02-24T14:00:44","date_gmt":"2017-02-24T22:00:44","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/24\/news-571\/"},"modified":"2017-02-24T14:00:44","modified_gmt":"2017-02-24T22:00:44","slug":"news-571","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/02\/24\/news-571\/","title":{"rendered":"SHA-1: 9,223,372,036,854,775,808 Reasons Not To Worry"},"content":{"rendered":"

Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Fri, 24 Feb 2017 20:52:12 +0000<\/strong><\/p>\n

\"\"<\/p>\n

The SHA-1 hash function is broken. This isn\u2019t news. What is news is that a practical attack has been demonstrated<\/a>\u00a0 Keep in mind that \u201cpractical\u201d is used in cryptographers terms and those terms don\u2019t necessarily have an impact on your daily IT use.<\/p>\n

The news<\/a> has been making the rounds as IT teams, journalists, and everyday users are trying to understand the potential impact. This is an understandably difficult announcement to grasp. Encryption is complex. Even the simplest explanations (PDF<\/a>) are still tough to handle.<\/p>\n

It\u2019s this deeply technical combination of mathematics and computer science that make cryptography a foundational pillar of digital security and one of it\u2019s most challenging aspects.<\/p>\n

SHA-What?<\/h2>\n

The SHA-1 algorithm is one of many different hash functions. A hash function is a one-way method for taking an arbitrary set of data and reducing it down to a fixed size that we call a digest or a hash. Similar to the way that a DNA sequence represents a whole person\u2026sort of (I warned you it was complex).<\/p>\n

The key take away is that every hash is supposed to be unique. If you change the original data in any way, you should<\/b> get a completely different hash. This announcement proves that this is no longer true for SHA-1.<\/p>\n

That\u2019s an important development because we use hash functions for a lot of different things. A few simple examples:<\/p>\n\n\n\n\n
<\/td>\n\n
    \n
  • checking that a file your downloaded was the one your intended to<\/li>\n
  • making sure that a security certificate (like those used on secure websites) is valid<\/li>\n
  • as a digital signature<\/li>\n
  • verifying passwords<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n
<\/td>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Hash functions are important in the digital world. Anytime there\u2019s a security issue with one, it\u2019s a big deal.<\/p>\n

Or is it?<\/p>\n

Limited Lifespan<\/h2>\n

It turns out that we\u2019ve known that this announcement would happen for a long time. The only question was the exact timing. Brute force attacks (trying every possible combination until you find the right one) were an expected attack method. Because they would take so long to run (12,000,000+ years on a single GPU) they weren\u2019t considered feasible\u2026for obvious reasons.<\/p>\n

The announcement from the teams at Google<\/a> and CWI<\/a> demonstrates a new attack that is 100,000 times more efficient. Bringing the total attack time down<\/b> to 9,223,372,036,854,775,808 computations or 110 years on a single GPU running 24\/7.<\/p>\n

As you can imagine, with easy access to cloud resources you can run the attack much faster than that if you have the resources. The teams estimate it would take at least $110,000 to successfully execute.<\/p>\n

Given that price tag, this limits the number of attackers who can leverage this technique. For most organizations this doesn\u2019t change the threat model. This announcement will have more impact at the nation state level where resources aren\u2019t such a concern.<\/p>\n

The good news here is that these standards are made with an explicit understanding that the math won\u2019t hold up forever and that computation is always getting cheaper.<\/p>\n

That\u2019s why the SHA-2 family of algorithms was published in 2002<\/a>. That family (SHA-256, SHA-384, and SHA-512) is widely available in most security products. Not stopping there, the SHA-3 family was also published in 2015<\/a>.<\/p>\n

SHA-3 isn\u2019t a direct replacement for SHA-2 but more of an insurance policy against a new attack vector being discovered.<\/p>\n

Given the high cost of the attack, what does this week\u2019s announcement really mean?<\/p>\n

Strong Signal<\/h2>\n

This announcement is a reminder that the foundations of digital security aren\u2019t timeless. They need to be updated and reviewed on a regular basis, with hashing algorithms, that\u2019s built in the standards process.<\/p>\n

The challenge here is in the infrastructure and tools that rely on SHA-1. Just because there\u2019s a new standard available doesn\u2019t mean it has been implemented. If teams aren\u2019t paying attention and updating their code, issues could arise.<\/p>\n

Even with all the coverage around this announcement, I haven\u2019t seen any direct issues that users would have to worry about. The most common issue cited is that git<\/a> (an extremely popular source control tool) relies on SHA-1 hashes for each commit.<\/p>\n

As Linus Torvalds (the original author of the tool) points out<\/a>, there isn\u2019t much of a chance of this attack being successful against a git repository. This is a great example of applying context and perspective to a vulnerability.<\/p>\n

Despite this, the git project\u2014and others\u2014should have moved away from SHA-1 already. For projects that haven\u2019t, planning a migration should be at the top of their to-do list. The cost to run the attack is only going to drop making it more likely that someone will exploit it for nefarious purposes.<\/p>\n

Next Steps<\/h2>\n

For computer scientists, mathematicians, and cryptographers, the details of this announcement are really interesting. For the rest of us, it\u2019s a reminder that we need to regularly review and update our technologies.<\/p>\n

Technology innovates at a furious paces. Computing capacity has never been cheaper. There\u2019s a massive upside for the industry and our communities. The downside? We need to ensure that we regularly review and update the foundations of digital security.<\/p>\n

What do you think about the SHA-1 announcement? Let me know on Twitter where I\u2019m @marknca<\/a> or in the comments.<\/p>\n

http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Fri, 24 Feb 2017 20:52:12 +0000<\/strong><\/p>\n

\"\"The SHA-1 hash function is broken. This isn\u2019t news. What is news is that a practical attack has been demonstrated\u00a0 Keep in mind that \u201cpractical\u201d is used in cryptographers terms and those terms don\u2019t necessarily have an impact on your daily IT use. The news has been making the rounds as IT teams, journalists, and…<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10422,11063,10439],"class_list":["post-6780","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-current-news","tag-data-privacy","tag-encryption"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6780"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6780\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6780"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}