It’s been a raucous few months in crypto circles. In a staid, mathematical world long accustomed to incremental changes, new developments are coming as fast as Chrome browser updates.
I’m not sure what’s behind the breaks, but crypto cracking suddenly seems to have accelerated. Here’s a quick roundup of what’s been going down -- and advice for those of you still relying on the SHA-1 hash algorithm.
First of all, researchers recently revealed that 512-bit RSA keys can be broken in four hours for $75. Yes, 512-bit RSA keys have been known to be unusably weak for a long time, but the researchers found that nearly 7 percent of websites and more than 10 percent of email servers still use them. (Even bleeding-edge DNSSec adopters work with them.) What has changed? Anyone can rent a slice of cloud computer time, throw in some GPUs, and break the keys for less than what you might pay to check two pieces of luggage at the airport.
For more than a decade, we’ve been told that elliptic curve cryptography (ECC) is supposed to replace RSA. That advice is so last month. Now the NSA recommends that everyone skip over ECC, though the reasons aren’t clear. The NSA blames quantum computing gains, but others feel the agency must have discovered some math that shortcuts the hard equations meant to provide protection.
Even if you have appropriately sized keys, it turns out that cracking a large percentage of Diffie-Hellman exchanges can probably be accomplished by more parties than we thought. It turns out that many encryption programs use the same shared prime number -- and many more share only two or three of them. The authors of a blog post discussing the underlying landmark paper on this subject say it best: “… one-time investment in massive computation [which the NSA and others likely have] would make it possible to eavesdrop on trillions of encrypted connections.” This would back up statements from 2012 by NSA expert James Bamford.
You may have reliably secure algorithms good for the long run, but vendors can’t seem to get deployments right. This month we learned that cracking self-encrypting Western Digital hard drives is child’s play. As with so many implementations before it, the company created a virtual door with an impossible-to-penetrate lock combination, then stored the combination under the doormat. If the crypto or the crypto solution itself isn’t broken, some other protocol can usually be used to roll back the fix.
October hasn’t been all bad news. Apple told the government that its device encryption doesn’t have a backdoor and Google announced that its mobile encryption is turned on by default without a backdoor. On top of that, the Obama administration announced that the government wouldn’t ask for a mandated backdoor in U.S. encryption products. Of course, with all the NSA compute power, maybe they don’t need one.
Your friendly SHA-2 reminder
The biggest news that directly impacts most crypto users is the continued weakening of the SHA-1 hash algorithm. Many software vendors have asked their customers over the last year to move from SHA-1 to SHA-2 for digital signatures as soon as possible. Many browsers and PKI products are mandating that move by Jan. 1, 2016 -- or Jan. 1, 2017 at latest -- for SSL/TLS, code signing, and a handful of other certificate types.
The latest SHA-1 weakening is called a freestart collision. It isn’t a usable collision, but it’s a step in that direction. These days most encryption breaks happen in a somewhat predictable cycle, from the first published theoretical weakness to a fully usable exploit, with each step representing new orders of magnitude along the way.
Consider how SHA-1’s predecessor, MD5, was broken. Released in 1991, the first theoretical flaw was found in 1996. Then, from 1996 to 2008, incremental, theoretical cracks further weakened MD5’s protection. Finally, in 2008, researchers created a fake certificate, and in 2012, a fake cert was deployed in the wild using the Flame malware program.
SHA-1 is in the “further weakening” stage. I’m no crypto expert, but my best guess is a real-life break will arrive in the next five years. Will it be next year? I don’t think so, but with cryptanalysis on a hot streak and cloud computing power only getting cheaper, I wouldn’t wait too long.
Some vendors -- Mozilla, for example -- responded to the news by moving their SHA-1 deprecation treatment from Jan. 1, 2017 to Jan. 1, 2016. As security luminary Bruce Schneier says, “Don’t panic, but prepare for future panic.”
Here’s your warning: Start now and prepare to move everything from SHA-1 to SHA-2. At the very least, take inventory of every item that relies on encryption and figure out whether it can be moved to SHA-2, if it hasn’t been already. This inventory will consume the bulk of the time in the migration project. Then move, but keep your SHA-1 Certification Authority PKI server around if you’re worried about what you’ll break transitioning to SHA-2.
However, don’t rush so fast that you cause critical operational interruption. We’re not in the period of a real-world, usable SHA-1 break yet. If you get started today, though, you’ll have a better chance of completing that effort by the time it counts.
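The inventory step above is where most of the work goes, and the first question for every certificate is simply which hash signed it. As an added example (not code from the original column or from any vendor named in it), here is a small Python script that reads the signatureAlgorithm OID straight out of a certificate’s DER encoding and flags anything signed with MD5 or SHA-1. The X.509 layout it relies on (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and the OIDs in the table are standard; the DER encoder and the skeleton certificates it builds are constructed fixtures so the script runs offline, and the helper names are my own.

```python
"""Inventory helper: report the signature hash of X.509 certificates.

Only the outer signatureAlgorithm AlgorithmIdentifier is parsed, which is
enough to tell SHA-1-signed certificates from SHA-2-signed ones.
"""
import base64

# Standard signature-algorithm OIDs mapped to (algorithm name, hash name).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}
WEAK_HASHES = {"MD5", "SHA-1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode DER OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(text):
    """Strip PEM armor and base64-decode the body."""
    body = [ln.strip() for ln in text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


def signature_hash(der):
    """Return (oid, algorithm name, hash name) for a DER-encoded certificate."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _tag, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate, skipped
    _tag, alg_id, _ = _read_tlv(cert, pos)     # signatureAlgorithm
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)   # first element is the OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, hash_name = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, hash_name


def needs_migration(der):
    """True when the certificate was signed with MD5 or SHA-1."""
    return signature_hash(der)[2] in WEAK_HASHES


# --- constructed fixtures: a tiny DER encoder and skeleton certificates ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def build_skeleton_cert(sig_oid):
    """Constructed fixture (hypothetical, not a real certificate): a Certificate
    SEQUENCE whose tbsCertificate is opaque filler and whose signatureValue is
    zeros; only the AlgorithmIdentifier is meaningful. The filler is sized so
    the outer length uses DER's long form."""
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * 200))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL
    sig = _tlv(0x03, b"\x00" * 33)
    return _tlv(0x30, tbs + alg + sig)


def classify_inventory(certs):
    """certs: {label: DER bytes}. Returns [(label, hash name, needs migration)]."""
    return [(label, signature_hash(der)[2], needs_migration(der)) for label, der in certs.items()]


if __name__ == "__main__":
    sample = {  # constructed labels, not real hosts
        "example-web-server": build_skeleton_cert("1.2.840.113549.1.1.5"),
        "example-code-signing": build_skeleton_cert("1.2.840.113549.1.1.11"),
        "example-ecdsa": build_skeleton_cert("1.2.840.10045.4.3.2"),
    }
    for label, hash_name, weak in classify_inventory(sample):
        print("%-22s %-8s %s" % (label, hash_name, "MIGRATE" if weak else "ok"))
```

Feed real certificates through `pem_to_der` (one file per line of output) and the MIGRATE rows become the migration worklist; certificates reporting an unknown OID deserve a manual look rather than being assumed safe.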