
Connection between RC4 removal and SHA 1 removal


Is there any connection between the removal of RC4 stream cipher and SHA 1 certificate removal? Meaning - did the removal of one force the other one to be removed or it just happened to be that they both have been removed at the same time?


Solution

  • TL;DR: There is no such connection. The purpose of each of these algorithms is different, and they have no such effect on each other.

    SHA1 is a cryptographic hash function; its purpose is to create a one-way hash of the data in the certificate. There are several properties of cryptographic hash functions; the ones that are important in this case are second pre-image resistance (given data1, it should be very difficult to find a different data2 such that h(data1)=h(data2)) and collision resistance (it should be very difficult to find any data1 and data2 such that h(data1)=h(data2)).

    If these requirements are not met in a hash function used for hashing certificates, one would be able to come up with a different certificate that has the same hash. That would be bad.

    The problem with SHA1 is that it is easier to find a collision than it was supposed to be. To shed some light on the degree of the problem: it should take around 2^80 hashing operations (expected value) to find a collision for a 160-bit hash function. As opposed to that, for SHA1 it is around 2^63 according to an attack published in 2005. That is still a huge number and still practically infeasible, but people thought there might be a feasible attack in a few years, so it seemed better to just retire SHA1 now, while people still have time to change certificates to a better hash function and SHA1 is still practically secure.

    RC4 is a stream cipher: its input is a data stream and a key, and the output is an encrypted stream. There have been known weaknesses for a long time, but those did not make it possible to actually break RC4 as it is used in SSL/TLS (the attacks were not computationally feasible). Then in 2015, multiple researchers presented different attacks against RC4 (the Bar-mitzvah attack, the NOMORE attack, the improved Royal Holloway attack) that made it much more feasible to break RC4 in TLS in real life. Actually, most probably there are now organizations that can crack TLS if RC4 is used as the stream cipher, so it was removed based on the recommendation of the IETF.
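Two of the points in the answer above can be observed directly: the birthday bound, which makes finding a collision roughly 2^(n/2) work for an n-bit hash while a second preimage costs roughly 2^n, and the fact that RC4's keystream has long-known statistical weaknesses. The following Python example is an addition to this page, not code from the question or the answer. It truncates SHA-1 to a small number of bits so the searches finish in seconds (the ratio is what matters, not the absolute numbers), and uses a textbook RC4 implementation to measure the second-byte bias published by Mantin and Shamir in 2001 (the second keystream byte is 0 with probability about 2/256 instead of 1/256). The message strings, the 16-byte key size and the sample counts are constructed for the demonstration.

```python
import hashlib
import random


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-1(data) as an integer (bits <= 32).

    A truncated hash stands in for a "small" hash function so the birthday
    bound can be observed in seconds; the ratio is the same as for the full
    160-bit output (2^80 collision cost vs 2^160 second-preimage cost).
    """
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def find_collision(bits: int):
    """Birthday search: hash distinct messages until two share a truncated hash.

    Expected work is about sqrt(pi/2 * 2^bits), i.e. roughly 2^(bits/2).
    Returns (message_a, message_b, attempts).
    """
    seen = {}
    attempts = 0
    while True:
        msg = b"collision-candidate-%d" % attempts   # constructed inputs
        attempts += 1
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, attempts
        seen[h] = msg


def find_second_preimage(target: bytes, bits: int):
    """Second-preimage search: a different message with the target's hash.

    Expected work is about 2^bits, the square of the collision cost.
    Returns (message, attempts).
    """
    goal = truncated_sha1(target, bits)
    attempts = 0
    while True:
        msg = b"preimage-candidate-%d" % attempts    # constructed inputs
        attempts += 1
        if msg != target and truncated_sha1(msg, bits) == goal:
            return msg, attempts


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); enough to show the keystream bias."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_second_byte_zero_rate(samples: int, seed: int = 1) -> float:
    """Fraction of random 128-bit keys whose second keystream byte is 0.

    An ideal stream cipher would give 1/256; RC4 gives about 2/256 (the
    Mantin-Shamir second-byte bias). An attacker who sees the same plaintext
    encrypted under many keys can exploit such biases to recover it.
    """
    rng = random.Random(seed)                 # fixed seed: reproducible run
    zeros = 0
    for _ in range(samples):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2)[1] == 0:
            zeros += 1
    return zeros / samples


if __name__ == "__main__":
    a, b, n = find_collision(32)
    print(f"32-bit collision after {n} hashes (about 2^{n.bit_length() - 1}): {a!r} / {b!r}")
    m, n2 = find_second_preimage(b"the-real-certificate", 16)
    print(f"16-bit second preimage after {n2} hashes (about 2^{n2.bit_length() - 1}): {m!r}")
    rate = rc4_second_byte_zero_rate(16000)
    print(f"P[RC4 second byte == 0] is about {rate * 256:.2f}/256 (ideal: 1/256)")
```

Running it, the 32-bit collision typically appears after tens of thousands of hashes (the square root of 2^32), while a 16-bit second preimage, a hash half the size, takes about as many attempts; that is the gap between "find any two colliding certificates" and "forge a specific existing certificate" that the answer's 2^80 figure refers to. The RC4 measurement is the kind of bias that the 2013 to 2015 attacks on RC4 in TLS turned into practical plaintext recovery.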