Modern cryptography amounts to nothing without authentication. That is, if an attacker on the wire can alter the ciphertext so that it decrypts to some message of their choosing, then although they cannot read the contents of the message directly, they can do something even better for their purposes: change it to suit their needs.
What is more, one usually does not have to guess blindly at how the ciphertext should be altered. For example, a ciphertext produced by one of the most common modes of symmetric encryption, called ‘CBC’, can be altered to decrypt to whatever one wants, without any need for the secret key.
Luckily, there are methods to digitally sign messages in such a way that the recipient will know if the ciphertext has been tampered with. It can be thought of as a kind of wax seal that shows whether the envelope of a letter has been opened.
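To make the two points above concrete, here is an added example (mine, not code from the original post) showing CBC malleability and the tamper check that catches it. The block cipher is a toy keyed Feistel network standing in for AES, and the keys, IV and message are constructed for the demonstration; the names `seal` and `open_sealed` are my own. Flipping bits in the IV rewrites the first plaintext block with no key at all, while an HMAC tag over the IV and ciphertext (encrypt-then-MAC) rejects the altered message before it is ever decrypted.

```python
import hashlib, hmac
BLOCK = 16  # block size in bytes for the demo cipher
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, rnd, half):
    # Keyed round function for the demo cipher: HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def _block_cipher(key, block, decrypt=False):
    # 4-round Feistel network standing in for a real block cipher (use AES in practice).
    left, right = block[:8], block[8:]
    for r in (range(3, -1, -1) if decrypt else range(4)):  # reverse rounds to decrypt
        if decrypt:
            left, right = _xor(right, _round_fn(key, r, left)), left
        else:
            left, right = right, _xor(left, _round_fn(key, r, right))
    return left + right

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _block_cipher(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(_block_cipher(key, ciphertext[i:i + BLOCK], True), prev))
        prev = ciphertext[i:i + BLOCK]
    return b"".join(out)

def seal(enc_key, mac_key, iv, plaintext):
    # Encrypt-then-MAC: the tag over IV and ciphertext is the "wax seal" on the envelope.
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, ct, tag):
    # Check the seal in constant time before decrypting; None means tampering detected.
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        return None
    return cbc_decrypt(enc_key, iv, ct)

def demo():
    enc_key, mac_key, iv = b"demo-enc-key-000", b"demo-mac-key-000", bytes(range(16))  # constructed
    ct, tag = seal(enc_key, mac_key, iv, b"PAY ALICE  $0010" + b"REF:INVOICE-0042")
    # XORing the IV with old^new rewrites block 1 without the key; bare CBC decrypts
    # the forgery cleanly, while the sealed version returns None for the same input.
    bad_iv = _xor(iv, _xor(b"PAY ALICE  $0010", b"PAY MALLORY$9999"))
    return cbc_decrypt(enc_key, bad_iv, ct), open_sealed(enc_key, mac_key, bad_iv, ct, tag)
```

Only the first block is affected here because CBC chains each later block to the previous ciphertext block, which is exactly why a tag over the whole IV and ciphertext is needed rather than a check on any single block.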
Digitally, signing is usually done via algorithms called ‘cryptographic hash functions’. These are algorithms that take messages of arbitrary length and produce fixed-length outputs. There is no way to prove theoretically that the output (the ‘hash’) is unique for each message, but if the function is good, then it is practically infeasible for an attacker to find another message that produces the same hash.
However, if an attacker does manage to find another message that produces the same hash (under the same algorithm), they are said to have successfully performed a collision attack.
The most widely used cryptographic hash function today is called SHA-1. It is mainly used to ensure the authenticity of SSL certificates. SSL is used whenever you log in to your e-mail, bank, social network or any other account where there is data to be protected. Certificates are issued by central entities called “Certificate Authorities” (CAs) – they ensure that you are in fact communicating with the site you want to communicate with, and not with an impostor.
However, if CAs did not hash the certificate, anyone could forge one and appear legitimate despite being an impostor. With a good hash function this is practically infeasible. But if a successful collision can be found, a fake certificate will appear legitimate because the two will produce the same hash.
It has been known for quite some time that SHA-1 is theoretically weak. That is, collision attacks on SHA-1 are possible in principle, but remain impractical without vast computational resources.
However, such resources are becoming more and more accessible, and as a consequence attacks that seemed implausible because of computational limits are becoming more and more feasible. In 2012, Jesse Walker estimated that a collision attack against SHA-1 would cost $2M in 2012, $700K in 2015 and $43K in 2021. This suggests that it will be a long time before a script kiddie at home can carry out the attack, but that it will soon be quite accessible to a well-financed organization.
For this reason, Google has announced that it will gradually sunset SHA-1. This will be done by issuing a series of HTTPS security warnings in the Chrome web browser. Starting now, the visual indicator to the left of the internet address will label sites that use SHA-1 as “secure, but with minor errors”. This November the label will change to “neutral, lacking security”, and starting from 2015, sites that use SHA-1 will be labeled “affirmatively insecure”.
The alternative family of algorithms, SHA-2, is ready to use. In fact, NIST has recently announced a SHA-3 set of cryptographic hash algorithms. However, this does not mean that SHA-2 is deprecated; so far it has held up well. The problem is that, in order to move from SHA-1 to SHA-2, the website or the CA needs to change the certificate, and that is usually not a pleasant experience. However, Google’s move to pressure websites into upgrading might force admins to make this unpleasant change for the sake of their users’ security.
Gradually sunsetting SHA-1, Google Online Security Blog.
Why Google is Hurrying the Web to Kill SHA-1, Eric Mill.