Two open-source Secure Shell libraries have pulled support for the Secure Hash Algorithm 1 (SHA-1), used for the past 20 years to verify the integrity of software, digital signatures and other data, due to longstanding security concerns.
According to a report by Ars Technica (opens in new tab), developers using the OpenSSH and Libssh libraries will no longer be able to access SHA-1 for digitally signing their encryption keys from this week.
- Best antivirus: your online security sorted
- Best VPN: pick the best provider for privacy and geo-spoofing
- Just in: HBO Max is live - everything you need to know
SHA-1, a cryptographic hash function first developed in 1995, is used for producing hash "digests," each 40 hexadecimal characters long. The digests are meant to be distinct for every message, file and function.
Any string of text or data will, in theory, produce a unique SHA-1 hash. So the input "password" results in the hash output "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8".
But the input "Password," with a capital P, gives us the far different output "8BE3C943B1609FFFBFC51AAD666D0A04ADF83C9D".
While SHA-1 has proven useful to many, researchers have shown how it can be leveraged by cyber criminals for creating forged digital signatures.
In 2005, it was demonstrated that with enough computing power, one could find two different inputs that resulted in the same SHA-1 output -- a hash "collision." That means an attacker of relatively modest means could spoof a cryptographic signature using SHA-1.
This year has certainly signalled the end of the road for SHA-1. In January, researchers identified a new collision attack that cost only $45,000.
That was a "chosen-prefix" attack, which is very serious because it means that it's possibly to modify an existing input yet still end up with the same SHA-1 hash -- a potential boon to forgers, crooks and malicious hackers crooks everywhere. An attacker could use this method to tamper with a document or software in a way that would pass SHA-1-based integrity checks.
Better alternatives out there
In its explanation for removing SHA-1, OpenSSH referenced this research: “It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the 'ssh-rsa' public key signature algorithm by default in a near-future release.”
OpenSSH went on to point out that there are better alternatives out there, including RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. It added: “These algorithms have the advantage of using the same key type as "ssh-rsa" but use the safe SHA-2 hash algorithms.
“These have been supported since OpenSSH 7.2 and are already used by default if the client and server support them.”