
Why it’s harder to forge a SHA-1 certificate than it is to find a SHA-1 collision

What's this blog post about?

The article discusses the collision resistance of cryptographic hash functions, specifically the widely used MD5 and SHA-1 algorithms. A hash function is designed so that finding two different inputs with the same digest is infeasible, but MD5 has been broken in practice and SHA-1 has been weakened by theoretical attacks. The author highlights the threat that a loss of collision resistance poses to digital signatures: a signature covers the hash of a document rather than the document itself, so two documents with the same hash share one valid signature, and a colliding certificate would compromise trust on the web.

The article then explores how hash collisions have been turned into forged signatures, as demonstrated by the MD5 attacks. In a chosen-prefix collision attack the attacker picks two different prefixes, such as a legitimate-looking certificate request and the body of a rogue certificate, and computes suffixes that make the two hashes collide. To exploit this against a certificate authority, the attacker must predict the fields the CA fills in before it signs, such as the serial number and validity period, because those fields are part of the hashed data. This technique was used in 2008 to obtain a rogue intermediate certificate authority trusted by browsers, and an MD5 chosen-prefix collision also played a role in the Flame malware, which carried a forged certificate chaining to a Microsoft root. The author emphasizes that while SHA-1 is stronger than MD5, it too has been weakened by theoretical attacks and may be vulnerable to chosen-prefix collisions in the near future.

To mitigate this risk, the article suggests requiring CAs to randomize certificate serial numbers: with enough unpredictable bits in the serial, the attacker cannot know in advance the prefix the CA will sign, so a chosen-prefix collision cannot be prepared ahead of time. In conclusion, the article highlights the importance of maintaining strong cryptographic hash functions and of keeping digital signatures secure against forgery, and it advocates requiring entropy in certificate serial numbers to protect against weaknesses in algorithms like SHA-1.
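The mitigation the summary describes, as an added worked example that is not code from the Cloudflare post or from Cloudflare: a pure-Python sketch that draws a certificate serial number from the OS CSPRNG, DER-encodes it, parses the serialNumber back out of a minimal DER Certificate structure, and flags serials too short to have carried real entropy. The 64-bit minimum is the CA/Browser Forum Baseline Requirements figure adopted after the post was written, and the 20-octet limit is from RFC 5280; the DER sample, the threshold `SUSPICIOUS_BITS`, and the helper names (`der_integer`, `extract_serial`, `serial_check`, `build_cert_prefix`) are this example's own constructions, not anything the post defines.

```python
"""Added example (not the post's code): randomized certificate serial numbers,
the mitigation the post argues for. Generates a serial with 64 bits of CSPRNG
entropy, DER-encodes it, parses it back out of a minimal DER Certificate, and
flags serials that look like a counter. The DER sample is constructed here."""
import secrets

SERIAL_ENTROPY_BITS = 64   # CA/Browser Forum Baseline Requirements minimum
MAX_SERIAL_OCTETS = 20     # RFC 5280 section 4.1.2.2 upper bound
# Heuristic: a 64-bit random serial is this short with probability 2**-8,
# so anything narrower was almost certainly issued from a counter.
SUSPICIOUS_BITS = SERIAL_ENTROPY_BITS - 8

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value):
    """DER INTEGER of a non-negative int; a leading 0x00 keeps the sign bit clear."""
    if value < 0:
        raise ValueError("only non-negative values handled here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body

def random_serial(entropy_bits=SERIAL_ENTROPY_BITS):
    """Serial drawn from the OS CSPRNG; zero is rejected (RFC 5280: positive)."""
    while True:
        value = secrets.randbits(entropy_bits)
        if value:
            return value

def serial_octets(serial):
    """Content length of the DER INTEGER encoding a positive serial."""
    return serial.bit_length() // 8 + 1

def serial_check(serial):
    """Return a list of policy problems with a serial number ([] if clean)."""
    if serial <= 0:
        return ["serial must be positive"]
    problems = []
    if serial_octets(serial) > MAX_SERIAL_OCTETS:
        problems.append("serial longer than 20 octets")
    if serial.bit_length() < SUSPICIOUS_BITS:
        problems.append("serial too short to carry 64 bits of entropy; likely sequential")
    return problems

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_start, content_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def extract_serial(cert_der):
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber."""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, start, _ = read_tlv(cert_der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, cs, ce = read_tlv(cert_der, start)
    if tag == 0xA0:                     # skip the EXPLICIT [0] version wrapper
        tag, cs, ce = read_tlv(cert_der, ce)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(cert_der[cs:ce], "big", signed=True)

def build_cert_prefix(serial):
    """Constructed sample: a DER Certificate whose tbsCertificate holds only a
    v3 version marker and the serial. Enough for extract_serial(); not a real cert."""
    version = b"\xa0\x03\x02\x01\x02"   # [0] { INTEGER 2 } i.e. version v3
    tbs_body = version + der_integer(serial)
    tbs = b"\x30" + der_length(len(tbs_body)) + tbs_body
    return b"\x30" + der_length(len(tbs)) + tbs

if __name__ == "__main__":
    # A counter-style serial of the kind the MD5 attacks relied on, next to one
    # drawn from the CSPRNG.
    for s in (0x1001, random_serial()):
        recovered = extract_serial(build_cert_prefix(s))
        print(hex(recovered), serial_octets(recovered), "octets", serial_check(recovered) or "ok")
```

The point of the parser half is that the serial is the first variable field inside tbsCertificate, right after the version: an attacker preparing a chosen-prefix collision must commit to those bytes before the CA signs, which is exactly why a counter-style serial such as 0x1001 is dangerous and a 64-bit random one is not. The entropy check is a heuristic on a single certificate; a real audit would look at the serials a CA issues over time.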

Company
Cloudflare

Date published
Dec. 22, 2015

Author(s)
Nick Sullivan

Word count
2220

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.