Dangerous SHA-1 crypto function will die in SSH linking millions of computers

Developers of two open source code libraries for Secure Shell—the protocol millions of computers use to create encrypted connections to each other—are retiring the SHA-1 hashing algorithm, four months after researchers drove a final nail into its coffin.

The moves, announced in release notes and a code update for OpenSSH and libssh respectively, mean that SHA-1 will no longer be a means for digitally signing encryption keys that prevent the monitoring or manipulating of data passing between two computers connected by SSH—the common abbreviation for Secure Shell. (Wednesday’s release notes concerning SHA-1 deprecation in OpenSSH repeated word for word what developers put in February release notes, but few people seemed to notice the planned change until now.)

“Chainsaw in a nursery”

Cryptographic hash functions generate a long string of characters that are known as a hash digest. Theoretically, the digests are supposed to be unique for every file, message, or other input fed into the function. Practically speaking, digest collisions must be mathematically infeasible given the performance capabilities of available computing resources. In recent years, a host of software and services have stopped using SHA-1 after researchers demonstrated practical ways for attackers to forge digital signatures that use SHA-1. The unanimous agreement among experts is that it’s no longer safe in almost all security contexts.

“It's a chainsaw in a nursery,” security researcher Kenn White said of the hash function, which made its debut in 1995.

Nearly a decade ago, researchers started warning that SHA-1 was growing increasingly vulnerable to collisions, the cryptographic term for two or more different inputs that produce the same digest. By then, the world had already seen firsthand how damaging such attacks could be when nation-sponsored hackers used a collision on the also-weak MD5 algorithm to hijack Microsoft’s Windows Update system.

While the requirements for that sort of collision attack were higher for SHA-1, it was only a matter of time until they came into reach. In 2017, SHA-1 succumbed to a less powerful form of collision attack that cost as little as $110,000 to produce. In the months before and after that research, a raft of browsers, browser-trusted certificate authorities, and software update systems all abandoned the algorithm. Other services and software offerings continued using SHA-1.

The chosen few

The final death knell for SHA-1 sounded in January, when researchers unveiled an even more powerful collision attack that cost as little as $45,000. Known as a chosen prefix collision, it allowed attackers to impersonate a target of their choosing, as was the case in the MD5 attack against Microsoft’s infrastructure.
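The distinction between the 2017 result and the January result is the one that matters for signatures, so here is an added illustration that is not from the article or from the researchers' work. It uses a birthday search on a truncated SHA-1 output as a constructed stand-in for the real cryptanalysis: the attacks the article describes exploit SHA-1's internal structure, not a short digest, and the `bits` parameter, the prefixes, the `toy_sign` MAC and the demo key below are all constructed for the example. What the code does show faithfully is the shape of each attack (one fixed prefix versus two freely chosen ones) and why a signature scheme that signs only the digest cannot tell the two colliding messages apart.

```python
import hashlib
import hmac
from itertools import count
from typing import Dict, Tuple

# Added example, not the researchers' attack. A birthday search on a
# *truncated* SHA-1 stands in for the cryptanalytic shortcuts used against
# the full function; `bits` is the constructed weakness.


def truncated_sha1(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-1(data) as an integer (the toy 'weak hash')."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def identical_prefix_collision(prefix: bytes, bits: int) -> Tuple[bytes, bytes]:
    """Two different messages that share ONE prefix fixed in advance and have
    equal truncated digests. The 2017 result was of this kind: the attacker
    prepares both documents, but their common start cannot be chosen freely
    per document."""
    seen: Dict[int, bytes] = {}
    for i in count():
        msg = prefix + str(i).encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg
        seen[h] = msg


def chosen_prefix_collision(p1: bytes, p2: bytes, bits: int) -> Tuple[bytes, bytes]:
    """Two messages that start with DIFFERENT, freely chosen prefixes and still
    share a truncated digest. This is the shape of the January 2020 attack:
    p1 and p2 play the role of two unrelated identities, which is why it
    enables impersonation where an identical-prefix collision does not."""
    by_hash1: Dict[int, bytes] = {}
    by_hash2: Dict[int, bytes] = {}
    for i in count():
        m1 = p1 + str(i).encode()
        m2 = p2 + str(i).encode()
        h1 = truncated_sha1(m1, bits)
        h2 = truncated_sha1(m2, bits)
        if h1 == h2:
            return m1, m2
        if h1 in by_hash2:
            return m1, by_hash2[h1]
        if h2 in by_hash1:
            return by_hash1[h2], m2
        by_hash1[h1] = m1
        by_hash2[h2] = m2


def toy_sign(key: bytes, msg: bytes, bits: int) -> bytes:
    """Constructed stand-in for a digital signature: a MAC over the truncated
    digest only. Real schemes (RSA included) also sign the digest rather than
    the message, so anything that collides under the hash shares the signature."""
    digest = truncated_sha1(msg, bits).to_bytes((bits + 7) // 8, "big")
    return hmac.new(key, digest, "sha256").digest()


def toy_verify(key: bytes, msg: bytes, sig: bytes, bits: int) -> bool:
    return hmac.compare_digest(toy_sign(key, msg, bits), sig)


def signature_transfers(bits: int = 24) -> bool:
    """Obtain a signature on one colliding message and check that it verifies
    for the other, which is the defender's reason to stop signing SHA-1 digests."""
    m1, m2 = chosen_prefix_collision(b"identity-A:", b"identity-B:", bits)
    key = b"constructed-demo-key"  # constructed; stands in for a signer's private key
    sig = toy_sign(key, m1, bits)
    return m1 != m2 and toy_verify(key, m2, sig, bits)


if __name__ == "__main__":
    a, b = identical_prefix_collision(b"same-prefix:", 24)
    print("identical-prefix collision:", a, b, hex(truncated_sha1(a, 24)))
    print("signature on identity-A verifies for identity-B:", signature_transfers())
```

With 24 bits the searches finish in a few thousand hash evaluations; the point of the cost figures in the article is that SHA-1's real 160-bit output should have needed about 2^80 evaluations for any collision, and the published attacks got far below that without any truncation.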

It was in this context that OpenSSH developers wrote in release notes published on Wednesday:

It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the “ssh-rsa” public key signature algorithm by default in a near-future release.

This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.
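Until the default changes, administrators who want to get ahead of it can turn the algorithm off themselves. The following is an added example, not code from the article or from the OpenSSH project: it reads an `sshd_config`, applies the file's real parsing rules (case-insensitive keywords, `#` comments, whitespace or a single `=` as separator, first value wins) and reports whether the `PubkeyAcceptedKeyTypes` and `HostKeyAlgorithms` directives still leave `ssh-rsa` enabled. Both directives exist in OpenSSH of this period and accept a leading `-` to remove algorithms from the built-in default list (`PubkeyAcceptedKeyTypes` was later renamed `PubkeyAcceptedAlgorithms`). The sample configurations are constructed; `Match` blocks are not modelled. Note that the deprecation is of the `ssh-rsa` signature algorithm, not of RSA keys: the same keys keep working with the `rsa-sha2-256` and `rsa-sha2-512` signature algorithms, which is what the hardened snippet relies on.

```python
import re
from typing import Dict, Optional

# Added example, not OpenSSH's own code. Audits an sshd_config for the
# SHA-1 based "ssh-rsa" signature algorithm. Sample configs are constructed.

SHA1_ALGO = "ssh-rsa"
# Real sshd_config directives; both accept "-algo" to remove from the defaults,
# "+algo" to append and "^algo" to prepend. (Match blocks are not modelled.)
DIRECTIVES = ("PubkeyAcceptedKeyTypes", "HostKeyAlgorithms")

_LINE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def first_value(config_text: str, keyword: str) -> Optional[str]:
    """Return the first value given for `keyword`, or None if unset.
    sshd_config keywords are case-insensitive, '#' starts a comment, and the
    argument follows either whitespace or optional whitespace plus one '='.
    For these keywords sshd uses the first value it obtains."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).strip()
    return None


def permits_sha1(value: Optional[str]) -> bool:
    """Does this directive value leave ssh-rsa enabled?
    None            -> unset; the OpenSSH 8.3 defaults still include ssh-rsa.
    '-a,b,...'      -> removed from the defaults only if ssh-rsa is listed.
    '+...' / '^...' -> adds to / reorders the defaults, so ssh-rsa stays enabled.
    plain list      -> enabled only if ssh-rsa is explicitly listed.
    Exact name match: the certificate variant ssh-rsa-cert-v01@openssh.com is a
    separate algorithm name and is not checked here."""
    if value is None:
        return True
    if value[0] in "+^":
        return True
    if value[0] == "-":
        return SHA1_ALGO not in value[1:].split(",")
    return SHA1_ALGO in value.split(",")


def audit_sshd_config(config_text: str) -> Dict[str, bool]:
    """Map each directive to True if ssh-rsa is still permitted under it."""
    return {d: permits_sha1(first_value(config_text, d)) for d in DIRECTIVES}


# Hardened fragment: keep RSA keys, but only with SHA-2 signatures
# (rsa-sha2-256 / rsa-sha2-512); remove ssh-rsa from both default lists.
HARDENED_SNIPPET = """\
# Disable the SHA-1 based ssh-rsa signature algorithm for client keys and host keys.
PubkeyAcceptedKeyTypes -ssh-rsa
HostKeyAlgorithms -ssh-rsa
"""

# Constructed legacy configuration: neither directive set, so the defaults apply.
LEGACY_SAMPLE = """\
Port 22
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_SAMPLE), ("hardened", HARDENED_SNIPPET)):
        for directive, permitted in audit_sshd_config(text).items():
            state = "ssh-rsa (SHA-1) still permitted" if permitted else "ssh-rsa disabled"
            print(f"{name}: {directive}: {state}")
```

Reloading `sshd` after adding the two hardened lines is enough to stop accepting SHA-1 signatures; clients whose only key is an RSA key continue to authenticate as long as they are recent enough to negotiate `rsa-sha2-256` or `rsa-sha2-512`, and the embedded devices the article worries about are exactly the ones that will fail at that point.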

It’s arguable that the deprecations come woefully late, given the reliance by millions of organizations on SSH to connect to corporate networks, Amazon and Azure cloud services, and all manner of other computers populating the Internet. Complicating matters is the use of SSH in network switches and low-cost embedded machines that run ATMs and industrial control systems. Embedded systems frequently don’t receive updates because they’re in far-off places that make it difficult to troubleshoot in the event something goes wrong.

In an email, Gaëtan Leurent, an Inria France researcher and one of the co-authors of the January research, said he didn’t expect OpenSSH developers to implement the deprecations quickly. He wrote:

When they completely disable SHA-1, it will become impossible to connect from a recent OpenSSH to a device with an old SSH server, but they will probably take gradual steps (with big warnings) before that. Also, embedded systems with an SSH access that have not been updated in many years probably have a lot of security issues, so maybe it’s not too bad to disrupt them…

In any case, I am quite happy with this move, this is exactly what we wanted to achieve 🙂

With OpenSSH and libssh finally announcing their deprecation plans, the list of SHA-1 holdouts is shorter but by no means empty. The aging function is still supported in recent versions of OpenSSL, the code library that many websites and Internet services use to implement HTTPS and other encryption protocols. The latest version of the GNU Compiler Collection, released earlier this month, was digitally signed using SHA-1.

Leurent said that the EMV standard for payment cards also uses SHA-1 but that the standard used a “weird system for signature that doesn’t seem directly affected by chosen-prefix collisions.” Git also supports SHA-1, but only for data integrity, which most experts say doesn’t pose a security threat.