Today, a group of eight researchers from across the security industry released a research report on SHA-1 that demonstrates for the first time, a “hash collision” for the full SHA-1 hash algorithm (called “SHAttered”). This is a significant step toward understanding this type of security issue, a milestone in cryptanalysis that has been underway for the past decade. The report website also includes a tool co-authored by my colleague Dan Shumow (Senior Software Development Engineer, Security & Cryptography, Microsoft Research) that can be used to detect the presence of a collision in a file.
SHA-1 is used in digital certificates (TLS) and code signing applications. By taking advantage of SHA-1, a potential attacker could spoof content, perform phishing attacks, or perform “man-in-the-middle” attacks.
Anticipating a point in time when there would be capability to create a practical “collision,” Microsoft has been working with the industry since 2012 to encourage customers and partners to phase out the SHA-1 hash algorithm. We’ve also provided guidance to consumers and developers about the possible risk when they encounter websites and downloads that use SHA-1. The research and creation of an example provides a way for organizations to assess what additional protections they could consider to protect against these types of potential security threats.
We’re proud of the work Microsoft researchers have done in collaboration with external experts on cryptanalysis over the years. Specifically, Dan’s research has focused on hash collision detection, and he co-created code that can be used to check files for the cryptanalytic collision attack on SHA-1 noted in the report. Dan partnered with Marc Stevens of Centrum Wiskunde & Informatica (CWI), and they made the code publicly available online in various places, including on GitHub, starting in 2015. The code is a performance improvement of the previous concept of counter-cryptanalysis to detect potential SHA-1 collision attacks using a single file from a colliding file pair.
As predicted years ago, today’s news is further evidence that use of SHA-1 as an encryption technology is at its end. For those already on the path away from SHA-1, we recommend they stay the course and accelerate where possible if they depend on SHA-1 in critical encryption scenarios.
Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center