YOU... SHA-1 NOT PASS! Microsoft magics away demonic hash algorithm from Windows updates, apps

Microsoft is preparing to once and for all drop support for the SHA-1 hash algorithm. Redmond this week said that on Monday, August 3, Windows downloads signed using SHA-1 will no longer be offered by the Windows app'n'updates download center, the last step in a SHA-2 transition that has been going on for more than a year now …

  1. stiine Silver badge

    I wonder if they're going to take this opportunity to simply delete everything that was signed with SHA1, or are they going to re-sign everything with SHA2? I'm betting on the former.

    1. Lee D Silver badge

      If they had half a brain, they'd simply sign everything with SHA2 in a *different* field. And continue to do that for whatever algorithms they switch to in the future.

      Then, even with old obsolete programs, the chances of a file not only being maliciously crafted to match the SHA1 of a file, but also its MD5 and a CRC and whatever-else are increasingly slim, and things that only check other hashes would continue to work as normal. This would then allow a smooth transition where at no point did you *need* to suddenly re-sign everything you use, but could slowly move over and additionally-sign them with SHA2 as time goes by, and legacy clients would be "vulnerable" but still work.

      But, of course, they won't.

      Then, even if someone found a SHA-2 collision, the chances of it also being able to collide its SHA-1, MD5, CRC, etc. *as well* with the same malicious file are infinitesimally small, especially when they are entirely different algorithms.

  2. Pascal Monett Silver badge
    Facepalm

    "a legacy cryptographic hash that many in the security community believe is no longer secure"

    Um, sorry, no. It is not a question of belief. It has been mathematically demonstrated to not be secure.

    That's kind of like saying that many believe that the Sun is going to rise tomorrow.

    Duh.

    1. Roopee
      Headmaster

      Re: "a legacy cryptographic hash that many in the security community believe is no longer secure"

      "Secure" is not a mathematical concept, it involves judgement of risk. For example you might argue that your new mega lock is 'secure' because the key is impossible to copy, but if I've got a battering ram that can destroy the door it matters not whether the key is copyable...

      If it has taken many years and huge resources to come up with two documents that have the same hash, as it says in the article, and assuming that it hasn't suddenly become easier to generate another pair, I'd argue that the hash algorithm is secure enough for most purposes - and that can reasonably be called a belief, in the sense that it is an opinion.

    2. Anonymous Coward

      Re: "a legacy cryptographic hash that many in the security community believe is no longer secure"

      It's a problem if that is your only method of signing. Cisco display an MD5 signature (even less secure!) on their IOS download pages but the IOSes themselves have 2 different SHA hashes embedded in them, so when you get the router to 'verify' the files both need to match.

      1. poohbear

        Re: "a legacy cryptographic hash that many in the security community believe is no longer secure"

        FWIW Gentoo does a three-way check:

        Blake-2B

        SHA512

        File size

        Curiously the same two hash functions I picked for one of my projects.

    3. Adam 1

      Re: "a legacy cryptographic hash that many in the security community believe is no longer secure"

      I don't think anyone should be thinking of secure as a binary is/isn't. Rather, it is a judgement call on whether it would be worth an attacker's time and money to pull off the attack.

      The last research I have seen puts the cost of a chosen prefix sha1 collision in the $50K compute price range with a couple of months of running time.

      So for intercepting some https traffic or signing a piece of malware so it looks legitimate, it's obviously becoming a real potential problem and we need to be moving to stronger hashes. But for defining your branches in git, it serves its purpose and will continue to do so.
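
The three-way check mentioned in the thread (BLAKE2B, SHA512 and file size), sketched as an added example that is not part of the original comments and is not Gentoo's own code. The entry layout follows the Gentoo Manifest `DIST` line; the function names, the required-hash policy and the sample data are assumptions made for this illustration.

```python
import hashlib
import hmac
import io

ALGOS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}
REQUIRED = ("BLAKE2B", "SHA512")  # policy assumed for this example

def parse_dist_line(line):
    """Parse 'DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...]'."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 == 0 or fields[0] != "DIST":
        raise ValueError("malformed DIST line")
    return fields[1], int(fields[2]), dict(zip(fields[3::2], fields[4::2]))

def failed_checks(stream, size, digests, chunk=65536):
    """Return the names of failed checks; an empty list means verified."""
    missing = ["missing:" + a for a in REQUIRED if a not in digests]
    if missing:  # fail closed: never fall back to a single hash
        return missing
    hashers = {a: ALGOS[a]() for a in REQUIRED}
    total = 0
    for block in iter(lambda: stream.read(chunk), b""):
        total += len(block)
        for h in hashers.values():
            h.update(block)  # one pass over the data feeds every hash
    failures = [] if total == size else ["size"]
    for algo, h in hashers.items():
        if not hmac.compare_digest(h.hexdigest(), digests[algo].lower()):
            failures.append(algo)
    return failures

def make_dist_line(name, data):
    """Build a DIST line for constructed sample data (demo helper)."""
    return "DIST %s %d BLAKE2B %s SHA512 %s" % (
        name, len(data), hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest())

SAMPLE = b"constructed sample distfile contents\n"  # constructed input

if __name__ == "__main__":
    name, size, digests = parse_dist_line(make_dist_line("example-1.0.tar.gz", SAMPLE))
    print(name, failed_checks(io.BytesIO(SAMPLE), size, digests))
    tampered = SAMPLE.replace(b"sample", b"sAmple")  # same length
    print(name, failed_checks(io.BytesIO(tampered), size, digests))
```

Every required check must pass; a manifest entry that lacks one of the required hashes is rejected rather than verified with whatever is left.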
