This article explains the impact of the SHA-1 collision attack on Check Point customers.
What is SHA-1?
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function used in a variety of security protocols and systems. Uses of hash functions include digital certificate signatures, e-mail message signing (PGP or S/Mime), package hashes for verification, in-protocol signatures, message authentication codes, and even software source control.
What is a collision attack?
A cryptographic hash function is expected to have two properties:
- Given one message, it should not be possible to generate a second, different message, such that both have the same hash value.
This property is called pre-image resistance.
- It should not be possible to generate two messages that have the same hash value.
This property is called collision resistance.
A collision attack consists of generating two files with the same hash value.
Is this attack new?
No. The first attack on SHA-1 with a complexity of 2^69 hash operations was published in 2005 by Wang, Yin, and Yu.
An improved attack with complexity of 2^61 hash operations was described by Marc Stevens in 2013.
The only new thing is that Google has used enough hardware to perform the attack described by Marc Stevens in 2013.
So what uses of SHA-1 are vulnerable?
Anything that relies on collision resistance: certificate signatures and e-mail signatures.
What uses of SHA-1 are not vulnerable?
Anything that only relies on pre-image resistance:
- In-protocol signatures, such as in IKE and TLS.
- Message Authentication Codes (HMAC-SHA1) in IPsec and TLS.
- Certificate "fingerprints" or "thumbprints".
- Software update hashes.
What is the industry response?
The industry has been preparing for this for over a decade and has been ready for quite some time.
Products have been upgraded to support and use better hash functions, such as SHA-256, for years.
Certificate vendors have been using SHA-256 for a few years.
Mozilla, for example, has responded by immediately deprecating all SHA-1 signatures in Firefox.
For the most part, no action is necessary on the part of end-users.
What do Check Point customers need to do?
Like the rest of the industry, Check Point has been working on this for quite a while.
The SHA-256 algorithm has been supported since the R71 release, and has been the default algorithm for signatures since the R80 release.
The R80.10 release adds an option to fail TLS handshakes in which the peer certificate is signed with SHA-1.
Check Point customers should follow the instructions described in the existing articles about the migration away from SHA-1:
In addition, Threat Emulation users should install Threat Emulation Engine Update Release 6.4 or above to detect SHA-1 collision attacks.
Because the Threat Emulation cache uses SHA-1, it was possible to use this attack vector to avoid inspection by producing a clean document and then a malicious document with the same hash. This issue is now resolved, and any file, malicious or benign, that tries to use a SHA-1 collision will be flagged as malicious.
For more details about Threat Emulation Engine Updates, refer to sk95235 - Threat Emulation Engine Update - What's New?
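
The cache problem described above, as an added example (not Check Point code): a verdict cache keyed on a hash without collision resistance returns the clean file's verdict for a colliding malicious file, while the same cache keyed on SHA-256 scans both files. Assumptions: SHA-1 truncated to 16 bits stands in for a collision-broken hash so that a collision is found instantly, `scan` is a hypothetical inspection engine, and keying on SHA-256 is a generic mitigation, not the collision detection performed by the engine update.

```python
import hashlib
from itertools import count

def weak_digest(data: bytes) -> str:
    # Stand-in for a collision-broken hash: SHA-1 truncated to 16 bits
    # (assumption, chosen so a collision is found in well under a second).
    return hashlib.sha1(data).hexdigest()[:4]

def strong_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(data: bytes) -> str:
    # Hypothetical inspection engine: flags files containing a constructed marker.
    return "malicious" if b"EVIL" in data else "benign"

class VerdictCache:
    """Caches scan verdicts by file digest; a cache hit skips the scan."""
    def __init__(self, digest):
        self.digest, self.verdicts, self.scans = digest, {}, 0

    def verdict(self, data: bytes) -> str:
        key = self.digest(data)
        if key not in self.verdicts:
            self.scans += 1
            self.verdicts[key] = scan(data)
        return self.verdicts[key]

def colliding_pair(digest):
    """Return (benign, malicious) constructed files that share one digest value."""
    benign_by_digest = {}
    for i in count():
        benign = b"quarterly report %d" % i
        benign_by_digest.setdefault(digest(benign), benign)
        malicious = b"EVIL macro %d" % i
        if digest(malicious) in benign_by_digest:
            return benign_by_digest[digest(malicious)], malicious

def replay(digest, files):
    """Submit files in order; return the verdicts and how many were really scanned."""
    cache = VerdictCache(digest)
    return [cache.verdict(f) for f in files], cache.scans

CLEAN, BAD = colliding_pair(weak_digest)

if __name__ == "__main__":
    print("weak key:  ", replay(weak_digest, [CLEAN, BAD]))    # second file never scanned
    print("strong key:", replay(strong_digest, [CLEAN, BAD]))  # both files scanned
```
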