Last week I listed the several cryptographic events of a very busy week. One of these was NIST’s selection of the new generation Secure Hash Algorithm, SHA-3.
Starting in 2004, researchers started presenting some concrete results for what had already been serious concerns about the MD5 hash function and its derivatives. These were quickly followed by published weaknesses in SHA-0 and SHA-1. A page of mine has far more detail if you’re curious.
We had SHA-2 by late 2007, a set of hash functions SHA-2-224, SHA-2-256, SHA-2-384, and SHA-2-512, with eponymous output lengths. The SHA-2 set of functions has some similarity to SHA-1 (although it is not as closely derived as SHA-1 was from MD5), so there was concern that significant weaknesses might be discovered in SHA-2 as well. NIST announced a public competition in November, 2007 to develop a new SHA-3. One requirement was that SHA-3 be nothing like its predecessors.
We now have a SHA-3, so what happens?
Not much, at least not quickly. SHA-1 is fairly well entrenched, and in many situations it still has not replaced MD5!
Meanwhile, Marc Stevens’ research plus some estimated budgeting indicates that a 1.3-million-dollar investment platform could find SHA-1 collisions in a few months.
One experiment with Amazon EC2 GPU-based compute clusters reported 650 million tries/second on an EC2 cg1.4xlarge instance. Stevens shows slightly above 260 SHA-1 computations are needed. Let’s assume it would take 261. At $1.30/hour for a cg1.4xlarge, that would cost US$ 1,281,022. With 225 of these cluster instances running simultaneously, the job would complete in just under six months. Spin up more simultaneous instances and it runs faster at the same cost.
NIST’s current recommendation is that SHA-2 is fine for now. Notice that it’s SHA-2, not SHA-1 and definitely not MD5!
What should you do?
Ask your CA (that is, your Certificate Authority, Verisign or similar) to provide certificates based on SHA-2 and RSA keys of 2048 bits.
More critically, verify that you are not relying on MD5 for any critical applications. Venafi’s free MD5 Certificate Risk Assessment tool can help you catalog all certificates on your network and find which certificates and keys are out of compliance.
Some people see cryptography’s explicit basis on math to be a drawback. But it’s really a benefit, you can calculate precisely what your risk really is!
Learning Tree’s Cloud Security Essentials course discusses the need for this sort of careful analysis as part of your security design.