SHA-1 keys and encrypted content using this cipher will soon be deprecated from the OpenSSH utility and library. This software is the most popular implementation allowing for secure communication and hashing of information. This can have a profound effect on web services, frameworks and applications that rely on it. They will need to switch to another hashing algorithm.
SHA-1 Is No Longer Recommended as Secure By OpenSSH
The OpenSSH software implementation and library code is one of the most widely combinations when hashing algorithms are called. This is also the major resource when applications, web services and frameworks want to use the SHA-1 authentication scheme. The development team has announced their plans to discontinue support of the SHA-1 algorithm. The reason for this is that a lot of people deem it to be no longer secure.
The main cause for this decision is because the SHA-1 cipher was practically broken in February 2017 in a demonstration called SHAttered. Experts in cryptography developed a technique that allowed malicious users to manipulate files into showing up as having pre-defined SHA-1 file signatures. This can result in an attack scenario in which target user files can appear as having the same signature which can cause a disruption in the way the utility handles hashed data. Successful exploitation of SHA-1 keys and hashed data can lead to the following malware scenarios:
- Files Access — SHA-1 hashed data can be opened if malware users can utilize this technique.
- Secure Communications Eavesdropping — The attack can be applied to network services that hash the communications channel with SHA-1. This can allow malicious users to eavesdrop on the conversation.
- Services Disruption — A lot of user-installed applications, operating system services and other software can embed SHA-1 hashing. If this is disrupted then the operations can break down which can lead to performance issues, unexpected errors and data loss.
The SSH keys which are generated by the OpenSSH software are typically used to verify email messages or remote login to hosts. As SHA-1 is no longer the recommended default option the recommendation is to regenerate the keys with another cipher. According to the OpenSSH development team the following modes are to be used in place of SHA-1:
- sha2-256
- sha2-512
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
In the future the OpenSSH team has stated that they will remove the default mode of using SHA-1. For more information the users can read the release notes.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: