Slashdot Mirror


US Military Websites Still Relying On SHA-1 (netcraft.com)

An anonymous reader writes: Netcraft confirms many U.S. Department of Defense websites, including a remote access service used by the Missile Defense Agency, are more vulnerable to man-in-the-middle attacks than most consumer websites. The weaker than previously-thought SHA-1 algorithm is the main culprit, with the DoD today being the most prolific user of SHA-1 signed SSL certificates, even though NIST banned new use of this signature algorithm two years ago. Most of the vulnerable certificates to be issued recently are used by .mil websites, which are operated by agencies, services and divisions of the DoD. All of these sites are consequently vulnerable to attack by enemy governments and criminals who can stump up enough cash ($75,000) to crack the certificates.

3 of 52 comments

  1. Re:Gonna need a reference here... by Alwin+Henseler · Score: 3, Insightful

    "... US$75,000 and $120,000 to mount a viable attack using freely available cloud-computing services"

    That would be the quick & dirty method then, I suppose? (which admittedly is often the method of choice for black hats)

    But speaking as devil's advocate here: if I were serious / determined enough to throw 75~100K$ at 'cracking some code', wouldn't it make more sense to buy some serious FPGA boards and do it in hardware? This looks like the kind of job where an FPGA-based setup could do it a lot faster, cheaper, or more efficiently than some software running on cloud services.

    Sure, setting that up is specialist work. But hey, with 75K to blow on it you can hire and/or bribe people, right? And buy a few $5 wrenches while you're at it... ;-)

    Btw. that might also mean that for a determined attacker (one that makes the effort to investigate methods more efficient than a software-based method using cloud services), this 75K figure may actually be lower. Read: if there's profit to be made from doing it, someone probably will - soon enough.

  2. Re:Well Of Course They Are by vtcodger · Score: 5, Insightful

    A real, bona fide, practicing, reliability engineer explained to me once that military procurement procedures are intentionally biased toward older technologies and minimal upgrading. He said (and I believe him) that the military's nightmare scenario is that they will do something like installing 50000 computer boards in equipment scattered worldwide in poorly accessible equipment only to find that the ROMs they have used lose their memory after three or four years.

    Obviously, that's primarily a hardware concern, but it's far from clear that it doesn't have considerable validity for software as well. And it's the way their process is set up.

    Personally, I'm far from convinced that the current civilian -- ship now, we'll fix the problems in production -- approach to systems work is going to work out well in the long run.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk... Edward Abbey

  3. Re:Gonna need a reference here... by swillden · Score: 5, Insightful

    A quick search found "SHA-1 hashing algorithm could succumb to $75K attack, researchers say" (08 Oct 15) http://www.pcadvisor.co.uk/new... "... US$75,000 and $120,000 to mount a viable attack using freely available cloud-computing services" "... someone can create two different files that have the same hash, it's possible to digitally sign one" Try searching for 75K or $75,000 by date and see what other public news can be found :)

    Which doesn't allow a web site's certificate to be "cracked". The article is bogus.

    The $75K-$120K figure is the estimated cost to find a SHA-1 hash collision. That is, to find two inputs that hash to the same value. The inputs will be random byte strings. Researchers have demonstrated that with such a collision it is possible to create two certificates that have the same signature, but in order to do that they also have to construct the RSA signing keys in a particular way.

    But collisions do not enable the construction of fake certificates that appear to be signed by an arbitrary, unknown, private key. For that, you'd need to be able to find an input that hashes to a specific value. This is a completely different -- and dramatically harder -- problem than finding two inputs that hash to the same value. In addition, you'd probably need to find an input with a particular structure that hashes to a particular value, which is harder yet.

    Good cryptographic hash functions have both "collision resistance" and "second pre-image resistance". SHA-1's collision resistance has been broken, which does make it insecure for certain uses, in algorithms that depend on collision resistance, but doesn't directly affect other uses -- like digital certificates -- that depend only on second pre-image resistance. It does hint that perhaps there is a weakness that may someday allow a second pre-image attack, which makes moving away from SHA-1 a good idea. But it has no direct impact on the security of CA certificates.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
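The summary says the DoD is the most prolific user of SHA-1 signed certificates, and swillden's comment concludes that moving off SHA-1 is sensible regardless of what collisions do or do not enable. The practical first step is knowing which certificates still carry a SHA-1 signature. The following is an added example, not code from Netcraft or any commenter: a minimal DER walker that reads the outer signatureAlgorithm of an X.509 certificate and flags weak algorithms. The certificate bytes it runs on are a constructed stand-in with an empty tbsCertificate, but the same function works on a real DER file.

```python
# Added example (not from the article or any commenter): minimal DER walker
# that reports which signature algorithm an X.509 certificate carries.

# OID -> (name, weak?) for a few common certificate signature algorithms.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Return (oid, name, is_weak) from the certificate's outer signatureAlgorithm."""
    tag, pos, _ = read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = read_tlv(cert_der, pos)            # skip tbsCertificate
    _, alg_pos, _ = read_tlv(cert_der, tbs_end)        # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert_der, alg_pos)
    assert tag == 0x06, "AlgorithmIdentifier must begin with an OID"
    oid = decode_oid(cert_der[oid_start:oid_end])
    name, weak = SIG_ALGS.get(oid, ("unknown", False))
    return oid, name, weak

def fake_cert(oid_contents):
    """Constructed stand-in: empty tbsCertificate, AlgorithmIdentifier, empty BIT STRING."""
    alg_id = b"\x06" + bytes([len(oid_contents)]) + oid_contents + b"\x05\x00"
    body = b"\x30\x00\x30" + bytes([len(alg_id)]) + alg_id + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body

SHA1_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
```

To inventory a real certificate, pass its DER bytes (`signature_algorithm(open("site.der", "rb").read())`); a `True` third element means the chain link still depends on a deprecated hash.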