I am using CryptSignMessage to sign a string/file. Is using RSASha1 insecure?
I know SHA-1 is broken as a hashing algorithm, but does that also mean that using it for signing with RSA is broken?
To start with, it's certainly not a bad idea to avoid SHA-1 when other algorithms exist that, to anyone's knowledge, do not have SHA-1's weaknesses.
The security of SHA-1 depends on how you're using it. The vulnerability is what's known as a collision vulnerability: an attacker has the ability to create two input strings with the same SHA-1 hash with less computational power than it should take him for a good hash function. However, he does not get to freely pick what either of those input strings is, and he does not necessarily have the ability to feasibly find a string whose hash matches that of any particular string.
If the attacker has any control over anything you're willing to sign, collision attacks might be exploitable. The classic example is two PostScript files; one is a letter of recommendation for an employee named Alice, the other a security clearance for Alice, and they hash to the same MD5 value. Alice presents file 1 to her boss, and then affixes that signature to file 2, now having obtained a security clearance. Likewise, with TLS certificates, security researchers made 2 colliding-under-MD5 certs, one a legitimate one and one a CA one, got the former signed by a real CA, and that signature was valid for the latter. What these have in common is that someone is signing off on something that they did not entirely create. If that describes what you're doing, you should certainly not use SHA-1.
If you entirely create the files you're signing, it's probably fine for now; in that case, the only person who could exploit a collision attack is you, and you're the person who doesn't need to exploit it (you could just sign whatever you want). Also, as far as anyone's aware, no one yet has the hardware to exploit the collision attack (that's likely at least a year off, and more till it's cheap enough for non-high-value targets).
But honestly, why risk it? Just use SHA-2 instead. CryptSignMessage supports it as well, it looks like.
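The letter/clearance scenario from the answer in miniature, as an added example that is not part of the question or answer and uses Go's standard library rather than CryptSignMessage. The `weakDigest` function (a constructed 3-byte truncation of SHA-1) and the "Recommendation letter" message family are assumptions made so a collision can be found in-process; the SHA-256 signer and strict verifier at the end are the fix the answer recommends.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
)

// weakDigest stands in for SHA-1 using only the first 3 bytes of the real digest, so a
// collision is cheap to find here; a real one costs far more but transfers the same way.
func weakDigest(msg []byte) []byte {
	sum := sha1.Sum(msg)
	return sum[:3]
}
// findCollision is a birthday search for two distinct messages with equal weakDigest.
func findCollision() ([]byte, []byte) {
	seen := map[string][]byte{}
	for i := 0; ; i++ {
		m := append([]byte("Recommendation letter, draft "), byte(i), byte(i>>8), byte(i>>16))
		if prev, ok := seen[string(weakDigest(m))]; ok {
			return prev, m // different i, so the two messages differ
		}
		seen[string(weakDigest(m))] = m
	}
}
// SignatureTransfers signs one message of a colliding pair and reports whether the other
// verifies under the same signature. RSA only sees the digest: crypto.Hash(0) means "as-is".
func SignatureTransfers(priv *rsa.PrivateKey) bool {
	m1, m2 := findCollision()
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.Hash(0), weakDigest(m1))
	verify := func(m []byte) bool {
		return rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.Hash(0), weakDigest(m), sig) == nil
	}
	return err == nil && verify(m1) && verify(m2)
}
// The answer's fix: sign with SHA-256, and have the verifier refuse anything else outright.
func SignSHA256(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}
func VerifyStrict(pub *rsa.PublicKey, h crypto.Hash, msg, sig []byte) bool {
	if h != crypto.SHA256 {
		return false // policy: a SHA-1 or MD5 based signature is never even checked
	}
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, h, d[:], sig) == nil
}
```

The first function shows why a signer who does not fully control the document is exposed: the signature binds only the digest, so it is valid for every document sharing that digest.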