10/19/2014

Why it is urgent to kill SHA-1 completely to protect SHA-2 from fake certs made with SHA-1 (how it is done)

This is a good explanation:

"To which I asked: "How can an attacker who can generate SHA-1 collisions make a fake cert for a site using SHA-256? And if that's true, how does updating to SHA-256 help anybody?"

 

@schoen replied:

 

Take a look at the analogy of MD5, the previous obsolete hash algorithm used to generate digital certificates.

http://www.win.tue.nl/hashclash/rogue-ca/

There, the attacker would generate two certificates whose content had the same MD5 value. One certificate might be for legitimate.org (which the attacker had registered), while another certificate might be for victim.com (which belongs to a third party). Because the certificates' content has the same MD5 value, if a CA signs that MD5 value, it is effectively signing both certificates (in the sense that a browser can't tell that the attacker is lying if the attacker presents the CA's signature together with the victim.com certificate instead of the legitimate.org certificate). The CA doesn't realize that it's signing the victim.com certificate because it never sees that certificate and doesn't even know that it exists.

The effectiveness of that attack doesn't depend on what kind of certificate victim.com already has (if any) or on any of the algorithms that were intentionally used by victim.com. Even if victim.com was using SHA-256 for its cert (issued by AwesomeCA Ltd., let's say), the attacker can still get some other CA (Ancient Algorithms, Inc.?) to issue the colliding MD5 cert that refers to victim.com, and then use that cert in an attack.

The same kinds of risks then apply to SHA-1, if we think that the same kinds of attacks will be feasible against SHA-1 that were feasible against MD5.

So the benefit of upgrading is (as you describe it correctly on the site) that people who are trying to phase out the old algorithms can actually do so. If everybody or most everybody upgrades, then certs that use the old algorithms look suspicious (and eventually people can stop accepting them, or stop accepting some of them in particular contexts). If nobody or few people upgrade, then there's no way to distinguish between a legitimate cert with an old algorithm and a fake cert with an old algorithm. You could think of this as an ecosystemic benefit rather than a benefit to each individual site that upgrades its cert.

There are some cases in which you can maybe get an individual site benefit, having to do with cert pinning, where you try to stop other people from accepting some purported certs for your domain if the provenance of those certs is not what you expect. I guess most site operators don't currently use those mechanisms, though.

 

I'll update the copy to make this point more clear, and to link to http://www.win.tue.nl/hashclash/rogue-ca/, which is an excellent depiction of the problem.
https://github.com/konklone/shaaaaaaaaaaaaa/issues/25
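
The signature-transfer argument in @schoen's reply, as an added example that is not part of the original post or the quoted thread: a toy Python model in which the "broken" hash is SHA-256 truncated to 16 bits and an HMAC stands in for the CA's signature (both are assumptions so the demo runs instantly; all function names are hypothetical). It shows that the colliding victim.com cert is accepted only while the relying party still allows the weak algorithm.

```python
import hashlib, hmac, itertools

CA_KEY = b"constructed-demo-ca-key"  # constructed stand-in for the CA's private key

def weak_hash(data):
    """Toy 'broken' hash (assumption): SHA-256 cut to 16 bits, so collisions are cheap."""
    return hashlib.sha256(data).digest()[:2]

HASHES = {"weak": weak_hash, "sha256": lambda d: hashlib.sha256(d).digest()}

def ca_sign(cert, alg):
    """The CA signs only the digest of the cert it is shown (HMAC models the signature)."""
    return hmac.new(CA_KEY, alg.encode() + HASHES[alg](cert), "sha256").digest()

def browser_accepts(cert, alg, sig, allowed):
    """Relying party: apply the algorithm policy, then check the signature over the digest."""
    return alg in allowed and hmac.compare_digest(sig, ca_sign(cert, alg))

def colliding_pair(name_a, name_b):
    """Search for two cert bodies, one per name, that share the same weak_hash value."""
    seen = {}
    for n in itertools.count():
        a = f"CN={name_a};pad={n}".encode()
        seen[weak_hash(a)] = a
        b = f"CN={name_b};pad={n}".encode()
        if weak_hash(b) in seen:
            return seen[weak_hash(b)], b

def demo():
    shown, hidden = colliding_pair("legitimate.org", "victim.com")
    sig = ca_sign(shown, "weak")  # the CA only ever sees the legitimate.org cert
    # Browser that still accepts the old algorithm: the signature transfers.
    legacy = browser_accepts(hidden, "weak", sig, allowed={"weak", "sha256"})
    # Browser that has phased the old algorithm out: rejected by policy.
    strict = browser_accepts(hidden, "weak", sig, allowed={"sha256"})
    # Relabelling the cert as sha256 does not help: the digests differ.
    relabel = browser_accepts(hidden, "sha256", sig, allowed={"sha256"})
    return legacy, strict, relabel

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Nothing in `demo()` depends on which algorithm victim.com's real certificate uses; only the relying party's `allowed` set changes the outcome.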

You should also read this, because Google has decided to begin taking action, starting with Chrome: https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1

All important Belgian websites still use SHA-1, even the most important one, except if they are changing this while upgrading their SSL certificates (use ssllabs.com to test).
