Wednesday, October 15, 2014

SHA-1 is considered insecure while the EU pretends to legislate "advanced" e-signatures

Google announced that it is updating its Chrome browser to display warnings on web sites that use HTTPS (SSL/TLS) backed by a digital certificate signed with SHA-1.  In Why Google is Hurring the Web to Kill SHA-1, Eric Mill gives many reasons why Google is pushing ahead of schedule to rid the web of SSL certs that are considered less secure because they are signed by a Certificate Authority (CA) using SHA-1.

While it's true that SHA-1 is approaching the end of its useful life, it's stubbornly present in many systems and applications.  Getting rid of it isn't easy.  But we have to start sometime!

Of course, creating useful collisions in SHA-1 is still mostly an uncertain game.  We have not heard of any actual SHA-1 collisions that are useful.  "Useful" is a key consideration in that creating a second set of data the hashes to the same SHA-1 hash as some "real" document is hard enough, but doing so in which that second data is a meaningful replacement for the first is even harder.  If a collision could change "$100" to "$200," you'd have a real problem (of course this is just a short text example to illustrate the point, not a real scenario).  But if "x4z]" ended up hashing to the same as "$100", it would be less interesting because the replacement is not meaningful and thus would not be a realistic spoof.

While the Google announcement surrounds SSL certificates, digital signatures for e-signatures are likely a bigger problem.  SSL certificates tend to be renewed every 1 to 3 years, so they do not last very long, and most new certificates issued will use SHA-2 instead of SHA-1.

Digital signatures on documents tend to be "forever."  They do not expire.  While the user's signing keys may change from time to time, once a digital signature is applied to a document, it remains that way going forward.  Since most e-sign vendors use SHA-1 in their digital signatures (aside from the few odd players that don't appear to use any digital signatures at all like Sertifi and AssureSign), all documents being signed may be forged in the future.  Fortunately, most documents become somewhat obsolete after years go by (that is, few want to forge a 5-year sales agreement for example).

In the EU, they promote word play like "advanced" and "qualified" for electronic signatures based on digital signatures created using a typical PKI in which the signer has been issued a digital certificate (no doubt signed with SHA-1!) for a private key the user keeps secure.  This sounds good, but of course has serious flaws:
  1. Users cannot deny an electronic signature created using their "advanced/qualified" signature. The EU law says these are guaranteed to be valid.  No wet signature ever had such an absurd notion attached to it; that's why we have courts to decide based on evidence.
  2. Users may in fact not keep their private keys secure. Users are famous for being unable to keep such stuff secure because they really have no idea what their encryption keys are or how exploits can take place.  Every virus and hack attack is a potential theft of a user's encryption keys.
  3. All encryption requires software and hardware, and all software and hardware is vulnerable to attack. Thus, your keystore can be hacked. The device the key is stored on can be hacked. The device (like a PC, phone or tablet) the key is used on can be hacked.  Any network connections involved can be hacked. As the various credit card hacks have shown, devices can be hacked, replaced or have another device put in the middle of the communications cable (or wireless).
  4. The user may forget the password related to securing their private key. While this would prevent future signing, it could also mean that all data encrypted for storage would no longer be accessible.  There will be millions of users who will lose a lot of their data because it's encrypted using a key they no longer have access to.
  5. Users can be tricked into using their keys insecurely, including phishing attacks and social engineering attacks.
  6. What happens to all digitally signed documents done between the loss of control of a user's keys and detection that the keys were lost?  A user can revoke his keys, but only once he knows something has gone wrong.  But that user will not know what, if anything, was ever forged.
  7. How can a user know where his forged credentials are being used?  Cannot!
  8. Once a digital signature is applied by a user, that document will remain secure only for as long as the digital signature is valid. If the digital signature uses SHA-1, that may only be a few years away.
With services like Yozons Open eSignForms, many of these issues do not exist. When a credit card number and information is stolen, a user eventually finds out because invalid charges appear on his or her statement.  The credit card company can go back and find all fraudulent charges and reverse them.  Something similar happens when using an e-signature service -- the only signed documents you have can be found in the service.  Any fraudulently signed documents can be discovered and invalidated.  There is recourse to such a loss that is guaranteed to happen frequently across a large pool of users.

Documents digitally signed using Yozons Open eSignForms employ a 4096-bit RSA keypair with SHA-512.  This is not the norm among esign vendors who generally use much less secure technologies (including those absolutely worthless vendors/products that don't digitally sign at all).  While the greater security provided by Yozons is powerful today, eventually it will no longer be considered secure just like SHA-1's fate today and MD5 before.

Unlike "advanced" e-signatures created by users for themselves, a service can ensure documents are secure going into the distant future.  For example, if a digitally signed document in Yozons previously used 1024-bit RSA with SHA-1 (a very typical scenario still in practice today), our technology could easily retrieve that document, ensure the older digital signature is still valid, and if so, then re-digitally sign the document using 4096-bit RSA with SHA-512.  Such a document can remain secure for as long as necessary.

It is time for SHA-1 to be retired.  Yozons has updated all of its server SSL certificates to ensure they are protected with SHA-2.  But what about all those web sites and users who do this for themselves?  They most likely will not be on top of security issues like this, and that's the very problem we solve for our customers and their users.

No comments:

Post a Comment