OpenSSH to remove SHA-1 as cracking cost drops

Start the switch to better algorithms.

The Secure Hash Algorithm 1 cryptographic function, designed by the United States National Security Agency in 1995 and widely used to this day despite warnings that it can be cracked, will be disabled in the popular OpenSSH toolkit for signing public keys soon.

OpenSSH is a open source implementation of the Secure Shell (SSH) remote access protocol, and SHA-1 is the only remaining public key signature algorithm specified in the original Request for Comment (RFC) documents.

While SHA-1 was shown to be vulnerable to cracking since 2005, it is only recently that the computing power required has become cheap enough to make attacks that allow forging of cryptographic signatures feasible.

"It is now possible to perform chosen-prefix attacks against the SHA-1 hash algorithm for less than USD$50K."

"For this reason, we will be disabling the "ssh-rsa" public key signature algorithm that depends on SHA-1 by default in a near-future release," the OpenSSH team wrote in the release notes for versions 8.2, 8.3 and 8.3p1 of the toolkit.

The attack referred to was demonstrated by Gaëtan Leurent and Thomas Peyrin with their "SHA-1 is a Shambles" research published this year.

Leurent and Peyrin noted that the cost of performing chosen-prefix collision attacks on SHA-1 will continue to drop, making the algorithm increasingly insecure to use.

"By renting a GPU [graphics processing unit or video card] cluster online, the entire chosen-prefix collision attack on SHA-1 costed [sic] us about 75k USD," the research states.

"However, at the time of computation, our implementation was not optimal and we lost some time (because research).

"Besides, computation prices went further down since then, so we estimate that our attack costs today about 45k USD.

"As computation costs continue to decrease rapidly, we evaluate that it should cost less than 10k USD to generate a chosen-prefix collision attack on SHA-1 by 2025.

"As a side note, a classical collision for SHA-1 now costs just about 11k USD," Leurent and Peyrin wrote."

While OpenSSH has warned about SHA-1 going away since February this year, it has not specified when exactly this will happen.

All major browser vendors removed support for SHA-1 in 2017.

Leurent and Peyrin suggests developers should remove SHA-1 support in their software and products as soon as possible, and switch to the more secure SHA-256 or SHA-3 algorithms.

OpenSSH advised that servers that use the weak ssh-rsa public key algorithm for host authentication and which don't make other key types available sholuld be upgraded.

The crypto developers will also enable the UpdateHostKeys features in OpenSSH by default, to allow clients to automatically migrate to better algorithms than SHA-1.

UpdateHostKeys can also be enabled manually in OpenSSH by users.

The removal of SHA-1 support is expected to create problems for connecting to older, unsupported equipment on which the secure shell protocol software cannot be easily upgraded.

SHA-1 was deprecated from the Australian Signals Directorate's list of approved cryptographic algorithms in 2011 and the US government's National Institute of Standards and Technology said it should not be trusted beyond January 2014.

Nevertheless, the Australian Bureau of Statistics decided to support SHA-1 in the bungled 2016 Census, to allow users with older systems complete online forms.