SHA-1 is a cryptographic hash function that authenticates the SSL connections used to secure HTTPS websites (such as banks, webmail, and online stores). It creates a unique fingerprint of a valid SSL certificate that can be validated by any browser. If the certificate is tampered with, this will be immediately detected (even the tiniest change is detectable), and the connection refused.
This is important in preventing a Man-in-the-middle (MitM) attack, where an adversary may attempt to divert your connection from a website to one of its own servers instead (for example by hacking your router). If an adversary can crack the hash of a website’s genuine SSL certificate, then it can reverse the hash to create a forged certificate, causing browsers to authenticate the connection as genuine.
Unfortunately, it has been known since at least 2012 that SHA-1 has major weaknesses. Because of this, all major browsers are set to stop accepting (“sunsetting”) SHA-1-based signatures starting 1 January 2017.
In October 2015, however, a new paper was released which argued that SHA-1 could be compromised by real-world attacks before that date. It seems that SHA-1 is more prone to collision attacks than previously thought. As with all fingerprints, an SHA-1 hash is only secure if it is unique. A collision attack tries to find two inputs producing the same hash value. If this succeeds, the attacker can use the hash to create forged SSL certificates.
The international team of security researchers behind this latest paper found that graphics cards can use a technique known as “boomeranging” to find SHA1 collisions. This dramatically reduces earlier estimates from renowned cryptographer Bruce Schneier about the time and money required to pull off such an attack. The new figure places such a feat within the capabilities of a well-financed group of hackers, and could be performed within the timescale of a few months.
“Our new GPU-based projections are now more accurate and they are significantly below Schneier’s estimations. More worrying, they are theoretically already within Schneier’s estimated resources of criminal syndicates as of today, almost two years earlier than previously expected, and one year before SHA-1 being marked as unsafe in modern Internet browsers. Therefore, we believe that migration from SHA-1 to the secure SHA-2 or SHA-3 hash algorithms should be done sooner than previously planned.”
Microsoft is the first major browser developer to act on this information. It has now officially announced plans to retire support for TLS certificates signed by the SHA-1 hashing algorithm in the next four months,
“Starting with the Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites. These sites will continue to work, but will not be considered secure.
This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program. Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.”
Does this SHA-1 vulnerability affect OpenVPN?
The eagle-eyed of you out there may have noticed that SHA-1 is often used to authenticate OpenVPN connections. So should you be worried?
The short answer is no. OpenVPN authenticates packets using a hash-based message authentication code (HMAC), which uses a cryprographic hash (such as SHA-1) in combination with a secret cryptographic key (see RCF 2104 for details).
In other words, the SHA-1 hash function is only a part of the HMAC-SHA1 algorithm used by OpenVPN to authenticate packets, and is much less vulnerable to collision attacks of the type described above.
For example, you would need to break HMAC in order to reach the underlying hash before you even begin to start collisions attempts on it. Mathematical proof of this is available in this paper.
The vulnerability of SHA-1 to collision attacks is serious, and threatens the backbone of internet security (HTTPS). It is therefore great that Microsoft is acting quickly to address the issue, a move that the other browser developers will hopefully follow soon.
OpenVPN users should not be worried that SHA-1 is used to authenticate data packets, however, as it is only one component of the HMAC authentication used by OpenVPN, and HMAC is not vulnerable to this form of attack.