Sites Inria

Version française


Charlotte Renauld - 6/03/2017

SHA-1: Inria's predictions verified

Extraction de données d'une carte bancaire

Last February, Pierre Karpman, a former PhD student of the Grace team at Inria Saclay - Île-de-France research centre, and his team caused a collision between two PDF files and proved the obsolescence of the SHA-1 hash standard.

« A cryptographic hash function is a cryptographic algorithm that transforms any electronic document into a short, fixed sized hash, that is used to control the integrity of files. A hash algorithm prevents two files from having the same hash and therefore one can't replace one file with another, » explains Daniel Augot, head of project-team Grace.

Pierre Karpman, former doctoral student of the Grace team, made his thesis from 2013 to 2016 on this subject and already obtained a result indicating that a collision was possible. In October 2015, conscious of this weakness, and while he was a member of an international team of cryptanalysts, Pierre Karpman, in collaboration with Marc Stevens (CWI, Pays-Bas) and Thomas Peyrin (NTU, Singapour), was urging the industry to remove the SHA-1 Internet Security Standard earlier than expected. The team's research had highlighted a "free initialization" collision on the SHA-1 hash function.

This industrial standard is used, for example, for electronic signatures, which secure bank card transactions, dematerialized bank and software distribution. It also certifies the safety of a website and avoids that there are two versions of one website, one secure and the other not.

In February 2017, Pierre Karpman, who became a post-doctoral at CWI, Centrum Wiskunde & Informatica , and his team caused the collision highlighted in 2015, put it online and proved that it was possible to make two PDF files with the same SHA-1 digital signature. The SHA-1 standard is thus permanently corrupted. All sites that continue to use it and which would not have already passed the new standards as suggested in 2015, are exposed to dangerous attacks.

Concretely, it becomes possible to create two PDF files colliding like two leases with a different rent, and in this case deceive someone with a high rent contract by having him sign a low rental contract.

Taking the example of a merchant site that still uses SHA-1, an attacker could also potentially produce a false certificate that will allow it to substitute for the real site, and then engage a secure session with users of the site. They will believe they are on the real site, while their connection is in the hands of the attacker.

The benefit of this discovery is now to increase the awareness of all users and to convince the industry to move quickly to safer alternatives, such as SHA-256 and SHA-3, to avoid 'Expose to very powerful attacks: falsification of electronic signature, false software updates, false certificate of site merchant ...

Although the SHA-2 algorithm shares similarities to that of SHA-1, attacks on SHA-1 have not been extended to SHA-2. The National Institute of Standards and Technology (NIST), however, organized a competition in 2012 to select a new hash function, SHA-3, whose design is very different from SHA-1 and SHA-2. The new family of functions is presented as another possible choice but does not question the use of SHA-2, at least in the short term.

Keywords: Inria Saclay - Île-de-France centre Daniel Augot Cryptographie SHA-1 Grace