Recently, Google and CWI Institute in Amsterdam announced that they successfully created a “hash collision” using the SHA-1 hash algorithm. Ralph Poore, PCI Council’s Director of Emerging Standards, explains how this impacts payment card security.
Can you explain at a high-level what cryptographic hash functions are and how they secure data?
Ralph Poore: Hash functions produce a string that is called a “hash value,” “message digest,” “digital fingerprint,” “digest” or “checksum”. Specifically, a hash function converts a variable-length input to a fixed-length output in a way that allows that output to represent the original input. A cryptographic hash function is a special class of hash function with properties that make it suitable for use in cryptography. It is designed to be a one-way function, that is, a function that cannot be inverted in a computationally feasible way. The resulting hash (sometimes called a message digest or digital fingerprint) can be used for detecting changes in messages or files and for many information-security applications, e.g., digital signatures, message authentication codes (MACs), and other forms of authentication.
The ideal cryptographic hash function has the following properties:
- The hash for any given data is extremely easy to calculate.
- Given a hash value, it is computationally difficult to calculate a message which has that hash value (pre-image resistance).
- Given a message, it is computationally difficult to calculate another message which has the same hash value (second pre-image resistance).
- It is computationally difficult to calculate two different messages that have the same hash (collision resistance).
When these conditions are met, the best attack is a brute-force calculation of every possible message until you find one that creates the same hash as the one you have. This message is either the original message or a synonym of the original message. If the size of the hash is large, for example 256 bits, then the brute-force approach is currently computationally infeasible (this is a moving target; what is cost-prohibitive today may not be in twenty years, for example).
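The brute-force point above, as an added example that is not part of the interview: Python code that truncates SHA-256 to a toy output size, searches for a collision, and compares the work done with the birthday bound. The message strings and the toy sizes are constructed for the demonstration. It also makes explicit a caveat the paragraph glosses over: finding a collision between any two messages costs about 2^(n/2) hashes, far less than the 2^n needed to match one specific hash, so the generic bound for 160-bit SHA-1 is about 2^80 and for SHA-256 about 2^128.

```python
import hashlib
import math


def truncated_sha256(message: bytes, bits: int) -> int:
    """Return the first `bits` bits of SHA-256(message) as an integer.

    Truncating the digest stands in for a hash whose output is too short;
    real SHA-256 is not weakened by this demonstration.
    """
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int) -> tuple[bytes, bytes, int]:
    """Brute-force search for two distinct messages with equal truncated hash.

    Messages are the constructed strings b"msg-0", b"msg-1", ... so the run is
    deterministic. Returns (first_message, second_message, trials). The
    pigeonhole principle guarantees success within 2**bits + 1 trials.
    """
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_sha256(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
        i += 1


def expected_trials(bits: int) -> float:
    """Birthday-bound estimate of the work for a collision: sqrt(pi/2 * 2**bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def generic_bound_log2(bits: int) -> float:
    """log2 of the generic collision work, e.g. about 80 for SHA-1's 160 bits."""
    return math.log2(expected_trials(bits))


if __name__ == "__main__":
    for n in (16, 24):
        m1, m2, trials = find_collision(n)
        print(f"{n}-bit: {m1!r} and {m2!r} collide after {trials} trials "
              f"(birthday estimate {expected_trials(n):.0f})")
    for name, n in (("SHA-1", 160), ("SHA-256", 256)):
        print(f"{name}: generic collision bound about 2^{generic_bound_log2(n):.0f}")
```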
Recently, the CWI Institute in Amsterdam and Google announced that they were able to create a “collision” using the SHA-1 hash. Can you explain what this means?
Ralph Poore: This means that advances in mathematics and in computation capabilities have made it feasible to violate one of the underlying principles for a secure hash in the case of SHA-1. Authentication and integrity protections previously provided by SHA-1 are no longer considered trustworthy since it may now be computationally feasible to create changed messages, files, or programs that SHA-1 would falsely verify as unchanged or as authentic.
What is the Council’s position on the use of SHA-1?
Ralph Poore: The Council has advised against the use of SHA-1 for authentication purposes. As early as July 2011, PTS POI Security Requirements warned and then disallowed SHA-1 for digital signatures. SHA-1 used in digital signatures is not considered “Strong Cryptography” for purposes of PCI DSS or P2PE. Refer to PCI PTS FAQ and PCI DSS FAQ 1435.
How could the continued use of SHA-1 impact the security of payments?
Ralph Poore: Since SHA-1 was widely used in digital signatures that supported device authentication, firmware and application authentication, user authentication, and message authentication, the potential exists for counterfeit devices, modified software (e.g., malware), identity theft, and forged messages—any of which could facilitate fraud.
Who in the payment security environment does this impact?
Ralph Poore: This impacts cardholders, merchants, vendors, processors, and financial institutions to the extent that they currently rely on SHA-1 in digital signatures or similar authentication services.
What steps need to be taken to migrate away from SHA-1?
Ralph Poore: First, an organization must determine if and where SHA-1 is used. This inventory permits the organization to identify the remediation projects they will need. Where SHA-1 is used in protocols that already support the SHA-2 or SHA-3 families, only configuration changes (and potentially the use of new certificates) are needed to correct this. If files, software, or stored messages are relying on SHA-1, then the digital signature, message authentication code, or equivalent will need to be recalculated with the replacement algorithm (e.g., SHA-256).
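The two migration steps just described (inventory, then recalculating the MAC with a replacement algorithm), as an added example that is not the Council's or the interviewee's code: a small Python store of HMAC-protected records with a policy that refuses SHA-1 for verification and a one-time migration path to HMAC-SHA256. The record format, the key and the sample messages are constructed for the example.

```python
import hashlib
import hmac

# Constructed policy for this example: algorithms accepted for new MACs, and
# algorithms no longer treated as strong cryptography for authentication.
APPROVED = {"sha256", "sha384", "sha512", "sha3_256"}
DEPRECATED = {"sha1", "md5"}


def compute_mac(key: bytes, message: bytes, alg: str) -> str:
    """HMAC over `message` with the named hashlib algorithm, as a hex string."""
    return hmac.new(key, message, getattr(hashlib, alg)).hexdigest()


def make_record(key: bytes, message: str, alg: str) -> dict:
    """Build a stored record {message, alg, mac} (constructed format)."""
    return {"message": message, "alg": alg, "mac": compute_mac(key, message.encode(), alg)}


def inventory(records: list[dict]) -> dict[str, int]:
    """Step 1 of the migration: count where each algorithm is actually used."""
    counts: dict[str, int] = {}
    for rec in records:
        counts[rec["alg"]] = counts.get(rec["alg"], 0) + 1
    return counts


def verify(key: bytes, rec: dict, allow_deprecated: bool = False) -> bool:
    """Constant-time MAC check; deprecated algorithms are refused unless the
    caller is explicitly performing a one-time migration."""
    if rec["alg"] not in APPROVED | DEPRECATED:
        return False
    if rec["alg"] in DEPRECATED and not allow_deprecated:
        return False
    expected = compute_mac(key, rec["message"].encode(), rec["alg"])
    return hmac.compare_digest(expected, rec["mac"])


def migrate(key: bytes, rec: dict, new_alg: str = "sha256") -> dict:
    """Step 2: confirm the legacy MAC once, then recompute it with the
    replacement algorithm. A record failing the legacy check is not carried
    over, so a forged legacy record never acquires a fresh strong MAC."""
    if new_alg not in APPROVED:
        raise ValueError(f"{new_alg} is not an approved replacement")
    if rec["alg"] in APPROVED:
        return rec  # already strong; nothing to do
    if not verify(key, rec, allow_deprecated=True):
        raise ValueError("legacy MAC does not verify; investigate before migrating")
    return make_record(key, rec["message"], new_alg)


# Constructed sample store: two legacy SHA-1 records and one already migrated.
KEY = b"constructed-demo-key-not-for-production"
RECORDS = [make_record(KEY, "terminal-fw:v1.2", "sha1"),
           make_record(KEY, "terminal-fw:v1.3", "sha1"),
           make_record(KEY, "app-config:2017", "sha256")]
```

Running `inventory(RECORDS)` first tells you how many remediation items exist; `[migrate(KEY, r) for r in RECORDS]` then yields a store in which every record verifies under the default policy.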
Can you recommend any supporting resources to help explain this issue?
Ralph Poore: For more information refer to:
- Google Security Blog: Announcing the first SHA1 collision
- PCI Security Standards Council: PTS POI Security Requirements, PCI PTS FAQ and PCI DSS FAQ 1435
- National Institute of Standards and Technology: NIST’s Policy on Hash Functions
About Ralph Poore:
Ralph Spencer Poore, PCIP, CFE, CISA, CISSP, CHS-III, and ISSA Distinguished Fellow
Ralph is Director, Emerging Standards at PCI Security Standards Council and has over 35 years of information security experience, including over twenty years of applied cryptography.