"From January 1, 2011 through December 31, 2013, the use of SHA-1 is deprecated for digital signature generation. The user must accept risk when SHA-1 is used, particularly when approaching the December 31, 2013 upper limit. SHA-1 shall not be used for digital signature generation after December 31, 2013." NIST in the document.
Digital signatures facilitate the safe exchange of electronic documents by providing a way to test both the authenticity and the integrity of information exchanged digitally. Authenticity means when you sign data with a digital signature, someone else can verify the signature, and can confirm that the data originated from you and was not altered after you signed it.
A digital certificate is essentially a bit of information that tells the Web server is trusted. Digital signatures are usually applied to hash values that represent larger data.
A Cryptographic hash function like MD5 and SHA-1 can transform input of an arbitrary length to an output of a certain number of bits, typically 128 or 160 bits. The output is called the hash value.
SHA-1 is a hashing algorithm that is currently enjoying widespread adoption. SHA-1 is a 160-bit hash functions, whose job is to ensure the integrity of a given piece of data. Different data yield unique hash values, and any change to a given piece of data will result in a different hash value. This was designed by the National Security Agency (NSA) to be a part of the Digital Signature Algorithm.
But in 2005, Cryptographic weaknesses were discovered in SHA-1. Hashes are designed to minimize the probability that two different pieces of data yield the same hash values, but yes, it is possible that two different data can have the same hash value, according to Cryptographic hash collision theory.
In February 2005, three female Chinese researchers - Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu have reduced the amount of time needed to find two documents with the same signature. Brute-force is the best way to find such collision points, where two messages can have the same hash value.
The Strength of digital signature is determined by the cryptographic key i.e. 160-bit for SHA-1. There are 2160 possible SHA-1 hash values and mathematical theory of Chinese researchers tell us that the chances that any two different pieces of data computing to the same value should be about 1 in 269, and the process is about 2,000 times faster than brute force.
At that time, it was predicted that practically doing so would take thousands of years, but today with modern cloud computing technology, such crypto attacks would cost only $700,000, which is an affordable project for well funded hacking group or Intelligence agencies like the NSA, GCHQ.
So it is potentially possible to exploit the SHA-1 crypto hash to spoof any digital signatures, and this is the reason that SHA-1 is being phased out of most governmental applications, and that NIST has recommended that SHA-1 not be used after 2013.
The Strength of digital signature is determined by the cryptographic key i.e. 160-bit for SHA-1. There are 2160 possible SHA-1 hash values and mathematical theory of Chinese researchers tell us that the chances that any two different pieces of data computing to the same value should be about 1 in 269, and the process is about 2,000 times faster than brute force.
At that time, it was predicted that practically doing so would take thousands of years, but today with modern cloud computing technology, such crypto attacks would cost only $700,000, which is an affordable project for well funded hacking group or Intelligence agencies like the NSA, GCHQ.
So it is potentially possible to exploit the SHA-1 crypto hash to spoof any digital signatures, and this is the reason that SHA-1 is being phased out of most governmental applications, and that NIST has recommended that SHA-1 not be used after 2013.
"An attacker able to find SHA-1 collisions could carefully construct a pair of certificates with colliding SHA-1 hashes: one a conventional certificate to be signed by a trusted CA, the other a sub-CA certificate able to be used to sign arbitrary SSL certificates. By substituting the signature of the CA-signed certificate into the sub-CA certificate, certificate chains containing the attacker-controlled sub-CA certificate will pass browser verification checks. This attack is, however, made more difficult by path constraints and the inclusion of unpredictable data in the certificate before signing it." Netcraft expert said.
For the use of digital signatures, we need the collision resistance property of the hash function. So, the latest Digital certificates of NIST are now verified by VeriSign, and using SHA-2 (SHA-256) with RSA in their certificates.
However, in the same document, NIST also published a deadline of December 31, 2013 for switching over 1024 to 2048-bit certificate.
In February 2013, Symantec announced a multi-algorithm SSL certificates for Web servers that go beyond traditional crypto to include what's known as the Elliptic Curve Cryptography (ECC) Digital Signature Algorithm (DSA).
ECC offers greater security as compared to other prevalent algorithms and 10,000 times harder to break than an RSA-bit key, i.e. Symantec ECC-256 certificates will offer equivalent security of a 3072-bit RSA certificate.
"In total, more than 98% of all SSL certificates in use on the Web are still using SHA-1 signatures. Netcraft's February 2014 SSL Survey found more than 256,000 of these certificates would otherwise be valid beyond the start of 2017 and, due to the planned deprecation of SHA-1, will need to be replaced before their natural expiry dates."But not only NIST, other US government organizations are also using an outdated hashing algorithm, including Obamacare website healthcare.gov, donogc.navy.mil and several others.
In February 2013, Symantec announced a multi-algorithm SSL certificates for Web servers that go beyond traditional crypto to include what's known as the Elliptic Curve Cryptography (ECC) Digital Signature Algorithm (DSA).
ECC offers greater security as compared to other prevalent algorithms and 10,000 times harder to break than an RSA-bit key, i.e. Symantec ECC-256 certificates will offer equivalent security of a 3072-bit RSA certificate.
