Security shortcomings have become too severe to ignore
The developers behind OpenSSH have announced their intention to stop supporting the aging SHA-1 hashing algorithm in the near future.
OpenSSH, a set of open source utilities based on the Secure Shell (SSH) protocol, a technology typically used for server management, is preparing to ditch SHA-1 in favor of more secure, modern alternatives such as SHA-2.
Web browser vendors such as Mozilla dropped support for SHA-1 SSL certificates back in 2017, with software repository site Git starting down the same road, as the algorithm’s shortcomings become too severe to ignore.
Hash from chaos
Hashing functions like SHA-1 work by processing an input to give a fixed size hash value, or message digest.
This message digest can be compared to ascertain if two files, documents, digital certificates, or executable files are the same without a computationally expensive byte-by-byte comparison.
However, this process falls apart in cases where two different files give the same hash value.
Security researchers at CWI Amsterdam and Google demonstrated in 2017 that it was possible for two different files to give the same SHA-1 hash – a cryptographic shortcoming known as a “collision”.
That’s bad enough, but worse was to follow when computer scientists worked out how to add additional data to two existing documents in such a way that they return the same SHA-1 hash, a “chosen-prefix collision”.
The older MD5 hashing algorithm has been vulnerable to such a chosen-prefix collision for years. That SHA-1 has shown similar problems is more a reflection of increased computing power in the hands of potential adversaries, rather than inherent design flaws.
Finding a chosen-prefix collision is a serious number crunching process that, at current exchange rates, is likely to cost as much as $50,000 per collision. That might seem a lot, but unlike mining for cryptocurrencies, the cost will drop over time with the availability of increasingly powerful computers.
The writing is on the wall for SHA-1, and the developers of OpenSSH are getting ready to disavow the technology as a result.
The release notes of OpenSSH 8.4, published on Sunday (September 27), laid out plans to pull support for SHA-1 with the next release.
“It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than $50K,” the notes explain. “For this reason, we will be disabling the ‘ssh-rsa’ public key signature algorithm by default in a near-future release.”
The developers went on to note that the SHA-1 algorithm is still widely used, despite the availability of alternatives such as SHA-2, supported by OpenSSH since the 7.2 release, and others supported for even longer.
The developers of OpenSSH said that they were taking steps to make the migration process as straightforward as possible.
“We intend to enable UpdateHostKeys by default in the next OpenSSH Release,” team OpenSSH explained.
“This will assist the client by automatically migrating to better algorithms. Users may consider enabling this option manually.”
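One way to check a client against the changes described above, as an added example that is not code from OpenSSH or from the release notes: it parses the effective configuration printed by `ssh -G <host>` and reports any option that still lists the SHA-1 based 'ssh-rsa' signature algorithm, plus the UpdateHostKeys setting. The sample dump is constructed, and the function and variable names are this example's own.

```python
# Added example: audit `ssh -G <host>` output for SHA-1 RSA signature algorithms.
# RSA keys can still be used with rsa-sha2-256/512; only the SHA-1 signature
# algorithm names below are flagged.
SHA1_SIG_ALGS = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}

# Options whose value is a comma-separated algorithm list.
ALGORITHM_OPTIONS = {
    "hostkeyalgorithms",
    "pubkeyacceptedkeytypes",    # option name up to OpenSSH 8.4
    "pubkeyacceptedalgorithms",  # same option, renamed in OpenSSH 8.5
    "casignaturealgorithms",
}

def audit(dump: str) -> dict:
    """Return SHA-1 algorithms found per option and the UpdateHostKeys value."""
    findings = {"sha1": {}, "updatehostkeys": None}
    for line in dump.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key in ALGORITHM_OPTIONS:
            # Exact name match, so rsa-sha2-256 and rsa-sha2-512 are not flagged.
            hits = [a.strip() for a in value.split(",") if a.strip() in SHA1_SIG_ALGS]
            if hits:
                findings["sha1"][key] = hits
        elif key == "updatehostkeys":
            findings["updatehostkeys"] = value.lower()
    return findings

# Constructed sample of `ssh -G host.example` output (not captured from a real host).
SAMPLE = """\
user admin
hostname host.example
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ssh-ed25519,ssh-rsa-cert-v01@openssh.com,rsa-sha2-256
updatehostkeys no
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    for option, algs in result["sha1"].items():
        print(f"{option}: still offers {', '.join(algs)}")
    print(f"UpdateHostKeys: {result['updatehostkeys']}")
```

To audit a real client, pass the text printed by `ssh -G <host>` to `audit()` in place of the constructed sample.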
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, a vendor that specializes in the management of SSH and SSL/TLS machine identities, welcomed the OpenSSH project team’s moves towards ditching SHA-1.
“It’s been known for years now that the SHA-1 algorithm is insecure,” Bocek told The Daily Swig. “NIST called for the elimination of SHA-1 almost 15 years ago, while back in 2017, researchers from Google demonstrated that the SHA-1 algorithm could be cracked with a collision attack – a technique which has become increasingly affordable to cybercriminals ever since.
“OpenSSH’s move is therefore another nail in the coffin for SHA-1, and an important reminder to those still relying on it that they must migrate as soon as possible.”