Bulletproof TLS Newsletter #25
SHA-1 is broken
28 February 2017
Author: Hanno Böck

This issue was distributed to 34,537 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. SHA-1 is broken
  2. Short news

SHA-1 is broken

It’s been expected for a long time, now it’s finally happened: the research team from Marc Stevens at CWI Amsterdam teamed up with Google to create two files with the same SHA-1 hash. Hash functions like SHA-1 are an important building block of almost all cryptographic protocols. If collisions are found, they are considered broken for most cryptographic use cases.

While this is an important result, it wasn’t unexpected: In 2005 Xiaoyun Wang and her team found major weaknesses in SHA-1. Since then it was clear that breaking SHA-1 was just a matter of resources.

SHA-1 is used in TLS for several purposes. Certificate signatures utilized the hash function in the past, but pressure from browser vendors made certificate authorities switch to the stronger SHA256. However, there are still regular requests for exceptions in order to support old hardware. In response to the collision, Firefox has completely disabled support for SHA-1 signatures in certificates.

Signatures within the TLS handshake also often use SHA-1. TLS 1.1 uses a combination of SHA-1 and MD5. The newer TLS 1.2 allows different hash functions, but still provides an option for SHA-1. The weaknesses of these constructions have been investigated in the SLOTH research published last year.

Short news