Uncertain Certificates

Author: A.R. Peters,


XII. SHA-1

The issue is as follows.

In a TLS handshake, message hashes are transmitted (Message Authentication Code); a certificate also contains a hash of the Subject and of the Signature. By recalculating or comparing hashes, one can check that those data have not been compromised. A commonly used hash function is called SHA-1, related to MD5. It is known that it is not completely safe.

A hash is a summary of another, larger piece of data; SHA-1 hashes have a length of 160 bits. There are therefore "only" 2160 = 1048 different SHA-1 hashes. But there are many, many more possible data files. So there are countless blocks of data that give the same hash. Therefore, if you find such a so-called "collision", you do not know which of the two is the data sent, so it is no longer guaranteed that the data is not tampered with. The chance is extremely small, and you can not abuse it to forge anything specific: but such a first collision has been found now.

That has been coming for a while, and the CAB Forum, a consortium of Certification Auhorities and Browser manufacturers, has decided not to issue any certificates with SHA-1 hashes anymore after 1 January 2016, and that browsers will no longer accept SHA-1 starting from 1 January 2017 (ref. [11] (PDF), [12] (PDF)).

This is why everyone has been busy replacing SHA-1 certificates with new ones using the safer SHA-2 (usually 256 bits).