Microsoft To Remove All SHA-1 Windows Downloads Next Week (zdnet.com)
Microsoft announced this week plans to remove all Windows-related file downloads from the Microsoft Download Center that are cryptographically signed with the Secure Hash Algorithm 1 (SHA-1). From a report: The files will be removed next Monday, on August 3, the company said on Tuesday. The OS maker cited the security of the SHA-1 algorithm for the move. "SHA-1 is a legacy cryptographic hash that many in the security community believe is no longer secure. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks," it said. Most software companies have recently begun abandoning the SHA-1 algorithm after a team of academics broke the SHA-1 hashing function at a theoretical level in February 2016.
Re: (Score:3)
The problem is that a fake SHA-1 can be provided next to a fake download imitating Microsoft or whoever's site. The SHA-1 should be provided separately from the download... published in a magazine for example.
Re: Reproducibility (Score:2)
"If we're going to make recommendations, at least try and not sound like a delusional Presidential candidate clamoring about getting the kids 'round the old record player at night."
Why kids should be walking 20 miles to school in 8 feet of snow uphill both ways while being chased by hungry wolves!
And the only phones we had were 2 tin cans tied together with a string.
Kids have it so easy these days!
Re: Reproducibility (Score:2)
"candidate clamoring about getting the kids 'round the old record player at night..."
Seriously, this shows just how out of touch some of these politicians are with the American people and the modern world. This should be grounds for mandatory retirement.
Re: (Score:2)
Re: Reproducibility (Score:2)
"Hate to break it to ya daddyo but all the coolest hipsters are hardcore into vinyl. Maybe you're out of touch. "
I was imagining an old wind-up record player with the big horn playing old shellac records with maudlin old-timey music. I'm very certain that was his intent.
I had a record player and played records all of the time during my years growing up in the 1980s, as did my classmates (only the rich kids got the CD player). I didn't think for a moment that he was referring to Generation X
Re: Reproducibility (Score:2)
"The SHA-1 should be provided separately from the download... published in a magazine for example"
And people will run to the store (during the pandemic, no less) and try to find the magazine that has the signature for the file they want to download.....um no.
There are many obvious reasons this is a nonstarter.
Re: (Score:2)
Uh, most magazines are sent through the mail....
Re: Reproducibility (Score:2)
Good luck having that work in the "I want it now! NOW!" society we live in. And how can one be certain they are getting the right issue with the code they need?
Sorry, but we might as well be sending CDs by pony express at this point, because it's not much less ridiculous than what was being proposed.
It's not 1990 anymore..
If for some bizarro reason they try to pull it off, we will just be seeing people buying 0 magazines, and downloading and installing a piece of software which may or may not have been comp
Re: (Score:2)
Currently, the SHA-1 attacks are all collision attacks: An attacker can generate two different files, now with very few constraints on their relative structure, that have the same SHA-1 hash. This effectively breaks any signatures based on SHA-1 over data provided by someone who might be an attacker, no matter who generates the signature.
No one has (yet) performed a first- or second-preimage attack on SHA-1, which would allow them to generate some file that has an arbitrary SHA-1 hash (for a first-prei
Re: (Score:2)
SHA-1 is really a "checksum"... making sure you didn't lose a few bits in the download process. Now, in the day of TCP, it's irrelevant.
Re: (Score:2)
It's not a checksum. Checksums have mathematical structure that make them absolutely useless for the kind of application that SHA-1 is intended for.
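An added worked example (editor's, not posted by anyone in the thread) of what "mathematical structure" means in practice: CRC-32 is affine over GF(2), so an attacker who changes a message can solve a 32x32 linear system for four fix-up bytes that restore the original checksum. SHA-1 offers no such shortcut, which is why it is a hash and not a checksum. The messages, the field names and the patch position are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import zlib

# Constructed sample: two same-length messages.  The attacker wants the
# second one to carry the first one's CRC-32.  The trailing dots stand in
# for a field nobody reads (padding, a comment) where the fix-up bytes go.
ORIGINAL = b"transfer amount=0100 to=alice  # memo: ........"
MODIFIED = b"transfer amount=9900 to=alice  # memo: ........"
PATCH_OFFSET = ORIGINAL.index(b"........")


def affine_identity_holds(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): for equal-length inputs,
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).  That is the structure an
    attacker exploits; a cryptographic hash must not have it."""
    x = bytes(p ^ q for p, q in zip(a, b))
    expected = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(len(a)))
    return zlib.crc32(x) == expected


def _crc_of_word_at(length: int, offset: int, word: int) -> int:
    """CRC-32 of an all-zero buffer with one 32-bit word placed at `offset`."""
    buf = bytearray(length)
    buf[offset:offset + 4] = word.to_bytes(4, "big")
    return zlib.crc32(bytes(buf))


def _solve_gf2(cols: list[int], target: int) -> int | None:
    """Find a bit mask m such that XOR of cols[i] over set bits i of m equals
    target.  Gaussian elimination over GF(2) on 32-bit words, remembering
    which input columns were combined into each basis vector."""
    basis: dict[int, tuple[int, int]] = {}  # pivot bit -> (vector, combination)
    for i, col in enumerate(cols):
        vec, comb = col, 1 << i
        for bit in range(31, -1, -1):
            if not (vec >> bit) & 1:
                continue
            if bit in basis:
                bvec, bcomb = basis[bit]
                vec ^= bvec
                comb ^= bcomb
            else:
                basis[bit] = (vec, comb)
                break
    vec, comb = target, 0
    for bit in range(31, -1, -1):
        if (vec >> bit) & 1:
            if bit not in basis:
                return None
            bvec, bcomb = basis[bit]
            vec ^= bvec
            comb ^= bcomb
    return comb


def forge_crc32(original: bytes, modified: bytes, patch_offset: int) -> bytes:
    """Return `modified` with 4 bytes at `patch_offset` XOR-adjusted so that
    its CRC-32 equals CRC-32(original).  Inputs must have equal length."""
    if len(original) != len(modified):
        raise ValueError("lengths must match for the affine identity to apply")
    n = len(modified)
    zero_crc = zlib.crc32(bytes(n))
    # L(p) = crc(zeros with p at offset) ^ crc(zeros) is linear in p;
    # cols[i] is L applied to the i-th unit vector.
    cols = [_crc_of_word_at(n, patch_offset, 1 << i) ^ zero_crc for i in range(32)]
    # crc(modified ^ P) = crc(modified) ^ crc(P) ^ zero_crc must equal
    # crc(original), so L(p) must equal crc(original) ^ crc(modified).
    want = zlib.crc32(original) ^ zlib.crc32(modified)
    p = _solve_gf2(cols, want)
    if p is None:
        raise RuntimeError("no solution; the 4-byte map is invertible for CRC-32")
    forged = bytearray(modified)
    for j, b in enumerate(p.to_bytes(4, "big")):
        forged[patch_offset + j] ^= b
    return bytes(forged)


def demo() -> dict[str, bool]:
    """Forge the sample and report which integrity checks still pass."""
    forged = forge_crc32(ORIGINAL, MODIFIED, PATCH_OFFSET)
    return {
        "crc_match": zlib.crc32(forged) == zlib.crc32(ORIGINAL),
        "sha1_match": hashlib.sha1(forged).digest() == hashlib.sha1(ORIGINAL).digest(),
        "amount_changed": b"amount=9900" in forged,
    }


if __name__ == "__main__":
    print(demo())
```

The fix-up bytes are arbitrary binary, so in a real attack they go into a region the consumer ignores (archive padding, a comment field, the slack at the end of a section). The same construction works for any CRC width; only the system dimension changes.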
Re: (Score:2)
In all cases where something of length M bits is "hashed" into N bits, where M > N, there will be collisions. Period. End of Line. No exceptions. Without fail. Always. Absolute Certainty.
Changing the "algorithm" used to generate N from M will not change this fact. Ever. Period. End of Line. It is an impossibility.
Claiming that there is an algorithm which can "hash" a message M to a unique N where the length M > N, where the algorithm is not a lossless encoder/compressor is an absurdity, an i
Re: (Score:2)
Cryptographic hash functions are supposed to act almost like random number generators for their N bits of output: Short of computing the function, you're not supposed to be able to guess what the output is for a given input, how the outputs are related for different inputs, or how changing the input in some way changes the output.
If those conditions hold, then by the birthday paradox, generating a collision for a 160-bit function like SHA-1 requires about 2^80 computations of the function, which is impracti
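An added worked example (editor's, not from any poster) putting numbers on the collision-versus-preimage distinction made in the two replies above. It truncates SHA-1 to a small number of bits so both searches finish in seconds, then compares the work: a birthday search finds a collision after roughly 2^(n/2) hashes, while hitting a chosen target (a preimage) takes roughly 2^n. The same formula gives the ~2^80 figure for full 160-bit SHA-1. Inputs are counters, not real files.

```python
from __future__ import annotations

import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-1(data) as an integer (1 <= bits <= 160)."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def birthday_bound(bits: int) -> float:
    """Expected number of random evaluations before the first collision
    in a `bits`-bit output: sqrt(pi/2 * 2^bits), i.e. about 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2.0 ** bits)


def find_collision(bits: int, prefix: bytes = b"msg-") -> tuple[int, bytes, bytes]:
    """Birthday search: hash distinct inputs until a truncated value repeats.
    Returns (hash evaluations, message1, message2)."""
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_sha1(m, bits)
        if h in seen:
            return i + 1, seen[h], m
        seen[h] = m
        i += 1


def find_preimage(target: int, bits: int, prefix: bytes = b"pre-",
                  limit: int | None = None) -> tuple[int, bytes | None]:
    """Preimage search: brute force until truncated SHA-1 equals `target`.
    Returns (hash evaluations, message) or (limit, None) if the cap is hit."""
    limit = 2 ** (bits + 4) if limit is None else limit
    for i in range(limit):
        m = prefix + str(i).encode()
        if truncated_sha1(m, bits) == target:
            return i + 1, m
    return limit, None


if __name__ == "__main__":
    bits = 24
    n, a, b = find_collision(bits)
    print(f"{bits}-bit collision after {n} hashes "
          f"(birthday bound {birthday_bound(bits):.0f}): {a!r} {b!r}")
    target = truncated_sha1(b"victim-file", 20)
    k, m = find_preimage(target, 20)
    print(f"20-bit preimage after {k} hashes (expected about {2 ** 20})")
    print(f"full SHA-1 birthday bound: 2^{math.log2(birthday_bound(160)):.1f}")
```

Truncation is a model of an idealised hash, not of SHA-1's weakness: SHAttered beats the 2^80 birthday figure by exploiting SHA-1's internals, which is exactly what the "act like a random function" assumption forbids.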
Yes, (Score:2)
Yes, the SHAttered attack came out in 2017.
These two PDFs have the same SHA-1.
https://shattered.io/static/sh... [shattered.io]
https://shattered.io/static/sh... [shattered.io]
With 2016-2017 GPUs, it costs about 110 GPU years, which would cost $60,000 if you bought it legitimately from AWS instead of using a botnet to do the calculation.
That's expensive, but if you were to sign a malware file installed as a Windows update by 0.1% of a billion Windows users, that's a million PCs you'd take over, so the cost is 6 cents per victim.
Re: (Score:2)
Do you think a PDF created by an attacker is "a legit target document"? I think being created by an attacker makes it illegitimate.
Re: (Score:2)
Putting that into more formal logic, we distinguish between these cases:
A. ALL files are vulnerable. An attacker can find a collision for ANY FILE chosen by the good guy
B. An attacker can find a collision for SOME files
The initial 2017 SHAttered code was case B, it finds collisions (forgeries) for some files, not all files. In 2019 other researchers expanded on it so now an attacker can generate a seemingly valid TLS certificate for updates.microsoft.com with a SHA-1 signature that "proves" it has been sign
Re: (Score:2)
Your A and B are not the relevant categories.
All these attacks are collision attacks, the weakest form of attack, wherein an attacker can generate two files that generate the same output from the hash function. As you point out, this still leads to significant attacks against a cryptosystem.
The next broader category of attack on hash functions is the second-preimage attack, which is like your category A: An attacker can generate a second file that has the same image (message digest / output value) as some
Re: (Score:2)
Second preimage is indeed a category.
Here is another useful categorization:
Attacks which allow the attacker to generate forged certificates for domains of their choosing, vs attacks which only generate random garbage that is of no use.
You can refuse to recognize the difference if you want, but chosen prefix is a HUGE difference to the practical impact of the attack.
Re: (Score:2)
The relevant prefix in X.509 certificates includes a signer-assigned serial number that can be made pretty darn big (20 bytes long), and can be random as long as it is never reused. That means a chosen-prefix collision on that particular system can be made impractical without switching to a different message digest function. Or, in practice, a CA could refuse to sign a certificate if it looked like it had irrelevant content, making it much harder to find a useful collision.
You have studiously avoided answ
Re: (Score:2)
The whole point of a chosen-prefix collision is that it doesn't matter which bits are in the prefix - I can still find a collision. The serial number *does not matter*. If you think a minute about how Merkle-Damgard works perhaps you'll see why. My collision code works just the same no matter what serial number you put on the cert. That's the entire point.
> function. Or, in practice, a CA could refuse to sign a certificate if it looked like it had irrelevant content
The CA doesn't sign the attacker's
Re: (Score:2)
Yes, but the prefix must be known when the attacker generates the collision. If there is a lot of entropy in the serial number field, they have to generate enough collisions to be confident of matching the serial number. That's why the CA/Browser Forum Baseline Requirements for certificate issuance (https://cabforum.org/baseline-requirements-documents/) says any certificate's serial number, as assigned by the CA, must include at least 64 bits of output from a CSPRNG.
An attacker has to predict that in order t
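An added worked example (editor's, not from the thread or from any CA's code) of the serial-number mitigation the last two replies argue over: a serial generator that draws at least the 64 CSPRNG bits the Baseline Requirements demand while staying inside RFC 5280's limit of a positive INTEGER of at most 20 DER octets, the DER encoding that lands in the signed prefix, and an audit over a batch of issued serials that flags the sequential or too-short serials that would make the prefix predictable. The thresholds in `audit_serials` and the sample serials are the editor's choices.

```python
from __future__ import annotations

import secrets


def der_integer(n: int) -> bytes:
    """DER-encode a non-negative INTEGER (tag 0x02).  A leading 0x00 is added
    when the top bit is set so the value stays positive; that byte counts
    toward RFC 5280's 20-octet limit."""
    if n < 0:
        raise ValueError("certificate serials must be positive")
    content = n.to_bytes(n.bit_length() // 8 + 1, "big")
    if len(content) > 127:
        raise ValueError("short-form length only; far beyond any valid serial")
    return bytes([0x02, len(content)]) + content


def random_serial(random_bits: int = 64) -> int:
    """Serial with `random_bits` bits of CSPRNG output.  64 is the Baseline
    Requirements minimum; 159 is the most that always fits in 20 DER octets."""
    if not 64 <= random_bits <= 159:
        raise ValueError("random_bits must be between 64 and 159")
    while True:
        n = secrets.randbits(random_bits)
        if n > 0:  # zero is not a valid serial
            return n


def audit_serials(serials: list[int]) -> list[str]:
    """Findings for a batch of serials in issuance order: structural rule
    violations per serial, plus two batch-level heuristics for missing
    entropy (thresholds are this example's choice, not a standard)."""
    findings: list[str] = []
    for i, n in enumerate(serials):
        if n <= 0:
            findings.append(f"serial #{i} is not positive")
        elif n.bit_length() // 8 + 1 > 20:
            findings.append(f"serial #{i} exceeds 20 DER octets")
    # A 64-bit random value is shorter than 56 bits with probability 2^-8,
    # so a batch where many are that short did not get 64 random bits.
    short = sum(1 for n in serials if n.bit_length() < 56)
    if serials and short / len(serials) > 0.25:
        findings.append("many serials shorter than 56 bits: unlikely to hold 64 random bits")
    # Random 64-bit serials essentially never land within 2^20 of each other.
    close = sum(1 for a, b in zip(serials, serials[1:]) if abs(a - b) < 2 ** 20)
    if len(serials) > 1 and close / (len(serials) - 1) > 0.5:
        findings.append("consecutive serials differ by less than 2^20: looks sequential")
    return findings


# Constructed samples: a counter-based CA versus a compliant one.
SEQUENTIAL_SERIALS = [0x1000 + i for i in range(8)]
RANDOM_SERIALS = [random_serial(128) for _ in range(8)]

if __name__ == "__main__":
    print("sequential:", audit_serials(SEQUENTIAL_SERIALS))
    print("random    :", audit_serials(RANDOM_SERIALS))
    print("DER of a 64-bit serial:", der_integer(random_serial()).hex())
```

The audit cannot prove a serial came from a CSPRNG; it can only catch the obvious failure modes (counters, timestamps, tiny values). The real protection is on the issuing side: the random bits are assigned by the CA after the attacker has submitted the request, so the attacker cannot put them into a precomputed prefix.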
Re: (Score:2)
Btw, even without the improvements since 2017, consider that an attacker stuck in 2017 can do the following:
Offer you a transaction wherein you purchase something and send them 0.01 BTC, to an address they chose.
Submit to the block chain your payment of 1.71 BTC, which is signed by you.
It's a good thing that in Bitcoin your payment message uses SHA-256 rather than SHA-1!
You can call that "an illegitimate hack" if you want, but you're still out 1.7 BTC.
Re: (Score:3)
Interesting. But how was that done? I mean, did they start with that graphic and just create a plain old PDF of it, then carefully create the new PDF to have the same SHA1? Or did they start by creating a special PDF that had space in it that didn't affect the displayed image (for example), so they would have room to manipulate things to cause the SHA1 to come out right without the display being negatively affected?
Re: (Score:2)
See:
https://slashdot.org/comments.... [slashdot.org]
Sha-1 is broken. Don't use it.
Re: (Score:2)
Those PDFs are so similar the change in the background colors is so small it hides in the 24-bit color, and none of those 24 bits were used in the hash. Nothing notable there...
Re: (Score:2)
All of the bits in the file are used in the hash.
Try making a 100 MB file, getting the SHA-1, then changing one bit in the file - any bit. You'll find that you get a completely different hash.
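The experiment the reply above suggests, as an added example (editor's, not the poster's): flip every bit of a buffer in turn and measure how many of the 160 digest bits change. For a hash that behaves randomly the answer is about 80 on average and never zero, which is what "all of the bits are used" means in practice. The sample buffer is constructed; any file works the same way.

```python
from __future__ import annotations

import hashlib

# Constructed sample input (4 KiB); replace with any file's bytes.
SAMPLE = bytes(range(256)) * 16


def sha1_int(data: bytes) -> int:
    """SHA-1 digest as a 160-bit integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of `data` with one bit inverted (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def digest_distance(a: bytes, b: bytes) -> int:
    """Hamming distance between SHA-1(a) and SHA-1(b), in the range 0..160."""
    return bin(sha1_int(a) ^ sha1_int(b)).count("1")


def avalanche_stats(data: bytes, step: int = 1) -> tuple[int, int, float]:
    """Flip every `step`-th bit of `data` and return (min, max, mean) number
    of digest bits that changed relative to the unmodified input."""
    base = sha1_int(data)
    dists = [
        bin(base ^ sha1_int(flip_bit(data, i))).count("1")
        for i in range(0, len(data) * 8, step)
    ]
    return min(dists), max(dists), sum(dists) / len(dists)


if __name__ == "__main__":
    lo, hi, mean = avalanche_stats(SAMPLE)
    print(f"flipped {len(SAMPLE) * 8} single bits: digest bits changed "
          f"min={lo} max={hi} mean={mean:.1f} of 160")
```

The minimum never reaches zero because a zero distance would itself be a SHA-1 collision; the spread around 80 is the binomial(160, 1/2) you would expect from a random function.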
Great cover story (Score:5, Insightful)
"However, the OS maker didn't specify if the Windows-related files that are being removed from its downloads center on Monday will be replaced with new download links signed with SHA-2, leaving many to wonder if they'll ever be able to download some of Microsoft's old tools."
So much this. Easy excuse to get rid of anything that could be helpful or supportive of your older products and force more people against their will to your new not-ness.
Re: (Score:3)
That said, this creates an opportunity for bad actors to make available "cached" and SHA-1 signed images that have been intentionally corrupted. If MSFT really cares about security, they'll make an effort to repost the stuff with a more secure hash.
If they don't do so, that indicates either (1) MSFT doesn't really
Re: (Score:2)
If MSFT really cares about security, they'll make an effort to repost the stuff with a more secure hash.
Why would they bother doing that? There's no point re-signing everything they're taking down with SHA-2 and republishing it. Most of the old service packs, hot fixes and tools professionals might be concerned about here are basically for pre-SHA-2 operating systems and software. Microsoft doesn't support Windows 7, Windows Server 2008 R2, SQL Server 2008 R2 or anything that predates them but, right or wrong, there are still a lot of places out there using such things.
Re: Great cover story (Score:2)
So now we will have a new batch of compromised computers because people were duped into downloading malware.
Have fun with the new botnets. I'm sure grandma with her 2002 e-machines computer she refuses to part with will be happy to be part of all this.
Re: (Score:2)
I tried downloading an old copy of Windows Live Mail 2009 so I could migrate an Outlook Express 6 account to Live Mail 2012. Not only did MS delete every trace of 2009, but almost all download sites have removed their copies, too, probably due to copyright concerns. I was able to nab a copy from a pirate site.
People seem to forget that even free software is subject to copyright, and a LOT of old stuff is being taken offline even if "everyone has copies". Unlike what we used to believe 20 years ago, the I
Re: (Score:2)
"However, the OS maker didn't specify if the Windows-related files that are being removed from its downloads center on Monday will be replaced with new download links signed with SHA-2, leaving many to wonder if they'll ever be able to download some of Microsoft's old tools."
So much this. Easy excuse to get rid of anything that could be helpful or supportive of your older products and force more people against their will to your new not-ness.
We're talking about Microsoft here. You know, the product pimps with a couple billion customers.
To say there's another copy out there, is putting it mildly.
Re: (Score:2)
Replacing with new links won't help older versions of Windows that can't read the new signatures.
Re: (Score:2)
I'm pretty sure the answer is No.
Why?
Think about it - the product
Re: (Score:2)
As those OSes are probably ancient
Not being an MS user I have to ask, how recently did MS actually start using something other than SHA-1 to sign? I wouldn't assume they did so in "ancient" times given the general industry lethargy on such matters.
It's generally not a good idea to remove content and break links. As one of the other posters rightly pointed out it just allows less trustworthy 3rd parties to step in offering to supply the old material.
Methinks MS just got sick of maintaining these downloads and was more than willing to use th
Re: (Score:2)
Microsoft started using SHA-2 to sign things in 2025.
They started using SHA3-256 signatures in 2045.
They plan to transition to SHA3-512 at the turn of the century in 3000.
Great, "beliefs" are such a fine excuse. Experts (Score:2)
Re: (Score:2)
Why do you insist on waiting for a publicly demonstrated exploit before taking any action? (Especially considering that we're talking about a high-profile software distribution site.)
You don't think that it's possible that some actors in this world might develop and exploit security vulnerabilities without making them public first?
Re: (Score:2)
Why do you insist on waiting for a publicly demonstrated exploit before taking any action? (Especially considering that we're talking about a high-profile software distribution site.)
You don't think that it's possible that some actors in this world might develop and exploit security vulnerabilities without making them public first?
Context.
If you're deploying a VPN with SHA-1, or doing file encryption with SHA-1 in 2020....yeah, that's asking for trouble and reflecting laziness as SHA-256 has been around for quite some time now.
If Microsoft has an ISO file of Windows98SE still running around their download center, then the attack involves someone replacing that ISO with one that has malware in it, but still has Microsoft's SHA-1 signature and passes validation, and uploading it to Microsoft's CDNs, with the payoff of.....infecting peo