shattered.io Open in urlscan Pro
2001:4860:4802:38::15  Public Scan

Submitted URL: http://www.nessus.org/u?51db68aa
Effective URL: https://shattered.io/
Submission: On April 26 via api from IN — Scanned from DE

Form analysis 1 forms found in the DOM

POST /sample/submit

<form id="online-checker" method="post" action="/sample/submit" enctype="multipart/form-data">
  <div class="upload-select">
    <span class="glyphicon glyphicon-upload"></span>
    <p class="text-center checker-banner">Drag some files here</p>
    <p class="text-center">Or, if you prefer..</p>
    <span class="btn btn-info upload-dragndrop"> Choose a file to upload</span>
    <input class="upload-file hide" type="file" name="file" id="file">
  </div>
  <div class="upload-inprogress hide">
    <div class="progress progress-striped active">
      <div class="progress-bar progress-bar-info" style="width: 0%;"></div>
    </div>
  </div>
  <div class="upload-success hide"></div>
  <div class="upload-error hide"> Upload failed. Please upload files under 100 MB.</div>
  <div class="btn btn-inverse reset-upload hide"> Reset</div>
</form>

Text Content

We have broken SHA-1 in practice.

This industry cryptographic hash function standard is used for digital
signatures and file integrity verification, and protects a wide spectrum of
digital assets, including credit card transactions, electronic documents,
open-source software repositories and software updates.

It is now practically possible to craft two colliding PDF files and obtain a
SHA-1 digital signature on the first PDF file which can also be abused as a
valid signature on the second PDF file.

For example, by crafting the two colliding PDF files as two rental agreements
with different rent, it is possible to trick someone to create a valid signature
for a high-rent contract by having him or her sign a low-rent contract.

Infographic | Paper


ATTACK PROOF

Here are two PDF files that display different content, yet have the same SHA-1
digest.


PDF 1 | PDF 2


FILE TESTER

Upload any file to test if they are part of a collision attack. Rest assured
that we do not store uploaded files.

Drag some files here

Or, if you prefer..

Choose a file to upload


Upload failed. Please upload files under 100 MB.
Reset

--------------------------------------------------------------------------------


Q&A


ISN'T SHA-1 DEPRECATED?

Today, many applications still rely on SHA-1, even though theoretical attacks
have been known since 2005, and SHA-1 was officially deprecated by NIST in 2011.
We hope our practical attack on SHA-1 will increase awareness and convince the
industry to quickly move to safer alteratives, such as SHA-256.


HOW CAN I PROTECT MYSELF?

You can use our file tester above to check your files. If you use Chrome, you
will be automatically protected from insecure TLS/SSL certificates, and Firefox
has this feature planned for early 2017 has quickly reacted to this
announcement, and deprecated SHA-1 as of February 24th, 2017.
Files sent via Gmail or saved in Google Drive are already automatically tested
against this attack.


WHAT TYPES OF SYSTEMS ARE AFFECTED?

Any application that relies on SHA-1 for digital signatures, file integrity, or
file identification is potentially vulnerable. These include:

 * Digital Certificate signatures
 * Email PGP/GPG signatures
 * Software vendor signatures
 * Software updates
 * ISO checksums
 * Backup systems
 * Deduplication systems
 * GIT
 * ...


ARE TLS/SSL CERTIFICATES AT RISK?

Any Certification Authority abiding by the CA/Browser Forum regulations is not
allowed to issue SHA-1 certificates anymore. Furthermore, it is required that
certificate authorities insert at least 64 bits of randomness inside the serial
number field. If properly implemented this helps preventing a practical
exploitation.


WILL MY BROWSER SHOW ME A WARNING?

Starting from version 56, released in January 2017, Chrome will consider any
website protected with a SHA-1 certificate as insecure. Firefox has this feature
planned for early 2017 has deprecated SHA-1 as of February 24th, 2017.


IS GIT AFFECTED?

GIT strongly relies on SHA-1 for the identification and integrity checking of
all file objects and commits. It is essentially possible to create two GIT
repositories with the same head commit hash and different contents, say a benign
source code and a backdoored one. An attacker could potentially selectively
serve either repository to targeted users. This will require attackers to
compute their own collision.


IS SVN AFFECTED?

SVN has been patched against the attack: versions 1.9.6 and up are immune to it,
as well as the 1.8.18 maintenance release.

Previous version are affected by the attack. Subversion servers use SHA-1 for
deduplication and repositories become corrupted when two colliding files are
committed to the repository. This has been discovered in WebKit's Subversion
repository and independently confirmed by us. We noticed that in some cases, due
to the corruption, further commits are blocked.


HOW DO I PATCH/UPGRADE MY SYSTEM?

Consider using safer alternatives, such as SHA-256, or SHA-3.


HOW DO I DETECT THIS ATTACK?

You can use the online tool above to submit files and have them checked for a
cryptanalytic collision attack on SHA-1. The code behind this was developed by
Marc Stevens (CWI) and Dan Shumow (Microsoft) and is publicly available on
GitHub.

It is based on the concept of counter-cryptanalysis and it is able to detect
known and unknown SHA-1 cryptanalytic collision attacks given just a single file
from a colliding file pair.


HOW WIDESPREAD IS THIS?

As far as we know our example collision is the first ever created.


HAS THIS BEEN ABUSED IN THE WILD?

Not as far as we know.


IS HARDENED SHA-1 VULNERABLE?

No, SHA-1 hardened with counter-cryptanalysis (see ‘how do I detect the attack’)
will detect cryptanalytic collision attacks. In that case it adjusts the SHA-1
computation to result in a safe hash. This means that it will compute the
regular SHA-1 hash for files without a collision attack, but produce a special
hash for files with a collision attack, where both files will have a different
unpredictable hash.


WHO IS CAPABLE OF MOUNTING THIS ATTACK?

This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took
the equivalent processing power as 6,500 years of single-CPU computations and
110 years of single-GPU computations.


HOW DOES THIS ATTACK COMPARE TO THE BRUTE FORCE ONE?

The SHAttered attack is 100,000 faster than the brute force attack that relies
on the birthday paradox. The brute force attack would require 12,000,000 GPU
years to complete, and it is therefore impractical.


HOW DID YOU LEVERAGE THE PDF FORMAT FOR THIS ATTACK?

A picture is worth a thousand words, so here it is.


WHO IS THE TEAM BEHIND THIS RESEARCH?

This result is the product of a long term collaboration between the Cryptology
Group at Centrum Wiskunde & Informatica (CWI) - the national research institute
for mathematics and computer science in the Netherlands - and the Google
Research Security, Privacy and Anti-abuse Group. Two years ago Marc Stevens and
Elie Bursztein, who leads the Google's anti-abuse research team, began
collaborating on making Marc's cryptanalytic attacks against SHA-1 practical by
leveraging Google expertise and infrastructure. Since then many CWI researchers
and Googlers have helped make this project possible, including Pierre Karpman
who worked on the cryptanalysis and prototype GPU implementation, and from
Google Ange Albertini who developed the PDF attack, Yarik Markov who took care
of the distributed GPU code, Alex Petit-Bianco implemented the collision
detector to protect Google users, Luca Invernizzi who created the online file
checker, and Clement Blaisse who oversaw the reliability of the computations.