
From the shattered website:

You can use the online tool above to submit files and have them checked for a cryptanalytic collision attack on SHA-1. The code behind this was developed by Marc Stevens (CWI) and Dan Shumow (Microsoft) and is publicly available on GitHub.

It is based on the concept of counter-cryptanalysis and it is able to detect known and unknown SHA-1 cryptanalytic collision attacks given just a single file from a colliding file pair.

And later:

Is Hardened SHA-1 vulnerable?

No, SHA-1 hardened with counter-cryptanalysis (see ‘how do I detect the attack’) will detect cryptanalytic collision attacks. In that case it adjusts the SHA-1 computation to result in a safe hash. This means that it will compute the regular SHA-1 hash for files without a collision attack, but produce a special hash for files with a collision attack, where both files will have a different unpredictable hash.

Finally, from the GitHub pages (which I assume is what is called "hardened" SHA-1 above):

... More specifically they will detect any cryptanalytic collision attack against SHA-1 using any of the top 32 SHA-1 disturbance vectors with probability 1:

I(43,0), I(44,0), I(45,0), I(46,0), I(47,0), I(48,0), I(49,0), I(50,0), I(51,0), I(52,0), 
I(46,2), I(47,2), I(48,2), I(49,2), I(50,2), I(51,2), 
II(45,0), II(46,0), II(47,0), II(48,0), II(49,0), II(50,0), II(51,0), II(52,0), II(53,0), II(54,0), II(55,0), II(56,0),
II(46,2), II(49,2), II(50,2), II(51,2)

What precisely are these vectors? Could there be other vectors that are vulnerable? How much protection does "hardened" SHA-1 offer?

Maarten Bodewes

1 Answer


Hardened SHA-1 detects collisions built of a certain form. If someone were to find a collision using a brute-force birthday attack (currently not feasible), the detection would not work.

The vectors are specific small differences which may help to convert a near collision into a full collision.

The details are in the paper: https://marc-stevens.nl/research/papers/C13-S.pdf

This will detect an attack which has a similar construction to the attack performed. Future cryptanalysis may however lead to other forms of attack. It is worth mentioning that any hash function may be vulnerable to new kinds of attacks though. SHA-3 may also be vulnerable to attacks that are yet unknown.

Hardened SHA-1 tries to be identical to SHA-1 almost all the time with a probability of differing in honest usage of less than $2^{-90}$. Yet it should be resilient to attacks by detecting them and changing the output to something that differs.

SHA-1 has been collision free until very recently. Hardened SHA-1 should be secure in this regard; much more secure than SHA-1. It is obviously better than thoroughly broken options such as MD5.

Hardened SHA-1 tries to be backwards compatible with SHA-1. If you don't need this backward compatibility don't use it, use SHA-3 or SHA-2, even if you have to truncate to 160 bits.

D. Pardal
Meir Maor
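An added illustration of what a disturbance vector is, written for this page and not taken from the question, the answer, the SHAttered site or the sha1collisiondetection project. A disturbance vector (DV) is an 80-word sequence of 32-bit XOR differences that satisfies the SHA-1 message-expansion recurrence; because that recurrence is linear over XOR and invertible, a DV is fixed by any 16 consecutive words and can be completed both forwards and backwards. The block builds one from a single-bit seed placed in a 16-word window, verifies the recurrence over all 80 words, checks the linearity that makes the construction work, and derives the XOR-approximated message difference of the local-collision pattern that cancels each disturbance over the following five steps (the "specific small differences" the answer refers to). The seed word position, bit and window offset are constructed for illustration only; the exact word and bit conventions behind the I(K,b) and II(K,b) labels are defined in the paper the answer links and are not reproduced here.

```python
# SHA-1 disturbance-vector illustration (added example, not project code).
MASK = 0xFFFFFFFF


def rotl(x, n):
    """Rotate a 32-bit word left by n (1 <= n <= 31)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return rotl(x, 32 - n)


def expand(words16):
    """SHA-1 message expansion (FIPS 180-4): 16 words -> 80 words."""
    w = list(words16)
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def expand_from_window(window16, k):
    """Complete an 80-word sequence obeying the expansion recurrence from the
    16 consecutive words at positions k..k+15 (0 <= k <= 64).  Forward uses
    the recurrence directly; backward uses its inverse,
    w[t] = rotr(w[t+16], 1) ^ w[t+13] ^ w[t+8] ^ w[t+2]."""
    w = [None] * 80
    w[k:k + 16] = list(window16)
    for t in range(k + 16, 80):
        w[t] = rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1)
    for t in range(k - 1, -1, -1):
        w[t] = rotr(w[t + 16], 1) ^ w[t + 13] ^ w[t + 8] ^ w[t + 2]
    return w


def is_valid_dv(w):
    """True iff all 80 words satisfy the expansion recurrence."""
    return len(w) == 80 and all(
        w[t] == rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1)
        for t in range(16, 80))


def hamming(words):
    """Total number of set bits: the 'weight' that makes a DV attractive."""
    return sum(bin(x).count("1") for x in words)


def linearity_check(m, d):
    """expand(m ^ d) == expand(m) ^ expand(d): the expansion is XOR-linear,
    so a difference d in the message words propagates as expand(d)
    whatever the actual message m is."""
    lhs = expand([a ^ b for a, b in zip(m, d)])
    rhs = [a ^ b for a, b in zip(expand(m), expand(d))]
    return lhs == rhs


def local_collision_message_difference(dv):
    """XOR-style message difference implied by a DV: a disturbance in word i
    is followed by corrections in words i+1..i+5, rotated the way the SHA-1
    step function rotates the state (<<<5 for the next step, <<<30 for the
    three words that pass through the c/d/e registers)."""
    dm = []
    for t in range(80):
        d = dv[t]
        if t >= 1:
            d ^= rotl(dv[t - 1], 5)
        if t >= 2:
            d ^= dv[t - 2]
        if t >= 3:
            d ^= rotl(dv[t - 3], 30)
        if t >= 4:
            d ^= rotl(dv[t - 4], 30)
        if t >= 5:
            d ^= rotl(dv[t - 5], 30)
        dm.append(d)
    return dm


def single_bit_window(bit, pos):
    """Constructed seed: a 16-word window that is zero except for one bit."""
    w = [0] * 16
    w[pos] = 1 << bit
    return w


if __name__ == "__main__":
    # Constructed parameters: window starting at step 43, bit 0 in word 15.
    dv = expand_from_window(single_bit_window(0, 15), 43)
    print("valid DV:", is_valid_dv(dv), "weight:", hamming(dv))
    print("message-difference weight:",
          hamming(local_collision_message_difference(dv)))
```

A low Hamming weight over the steps that matter is what distinguishes the useful vectors from the enormous space of sequences that merely satisfy the recurrence; the finite list in the question is the set of vectors the detection code checks a block's internal state against, which is why the answer notes that a collision built some other way would pass undetected.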