It’s Time to Move Away From Using SHA-1 in the DNS
Earlier this month, cryptographers Gaëtan Leurent and Thomas Peyrin published an attack on the security of the SHA-1 hash algorithm that is used throughout the Internet. SHA-1 has been superseded by better hash algorithms for almost 20 years, but it is still in widespread use, mostly by people who don't know that the SHA-1 algorithm has weaknesses.
Hash algorithms are used to create short strings of bits, known as hash values, that can represent longer messages. One of the properties of good hash algorithms is that it is exceptionally and hopefully impossibly difficult to create two different messages that have the same hash value. For over a decade, cryptographers have been publishing papers showing attacks that chip away at the "strength" of SHA-1, that is, the ability for the SHA-1 algorithm to generate unique hash values given arbitrary input. This month's paper is a great improvement over that earlier work. Like most security protocols on the Internet, Domain Name System Security Extensions (DNSSEC) uses hash algorithms to increase the speed of signing and validating signatures.
The new attack makes it easier for an attacker to fool Domain Name System (DNS) zone administrators into creating hash values, or in DNSSEC terms, trusted signatures over DNS records they don't intend to sign. In technical terms, the new work makes it much faster for a malicious actor to create chosen-prefix collisions. In non-technical terms, an attacker can more easily create two DNS records that have the same SHA-1 hash value. If one of the two records looks benign and they can convince a zone owner to sign it, the signature will also apply to the less-benign record that the zone owner never saw.
This improved attack has serious consequences for all parts of the Internet that use SHA-1. In DNSSEC, SHA-1 is part of some signature algorithms which have been used since the early days of securing the DNS. Even though most zones that sign with DNSSEC use algorithms that use stronger hash algorithms, there are still plenty that sign with algorithms that use SHA-1. In fact, more than 250 top-level domains (TLDs) are still using algorithms with SHA-1. Tony Finch, a long-time DNS contributor working at the University of Cambridge, wrote a great in-depth overview of the new attack's relationship to DNSSEC.
Now is the time for administrators of zones at all levels of the DNS to stop using SHA-1 and change to algorithms using stronger hashes. While there is no urgent need to change immediately, the highly publicized announcement of the improved attack will probably spur other researchers to further improve the attacks. Plus, it is expected there will be a time when changing away from SHA-1 will be an emergency. No one wants to have to change their signing processes under extreme time pressure, so changing now or within the next three months will help prevent an urgent need for change later.