Microsoft plans upgrade to SHA-2 crypto hash for issuing certs

The tech giant will require certificate authorities (CAs) to migrate from SHA-1 to SHA-2.

Microsoft has taken a major step to diminish the industry's dependence on an older cryptographic hash function, which is still used to validate a majority of digital certificates around the world.

On Tuesday, the tech giant revealed a new policy that will no longer allow certificate authorities (CAs) to issue X.509 certificates using the SHA-1 hashing algorithm for secure socket layer (SSL) and code signing.

The policy takes effect after January 1, 2016, according to a post on Microsoft's Windows public key infrastructure (PKI) blog, and requires CAs to migrate to the stronger SHA-2 hashing algorithm.

“The policy affects CAs who are members of the Windows Root Certificate Program who issue publicly trusted certificates,” said the blog post, later explaining SHA-1's use among CAs since the late 90s and its role in securing more than 98 percent of certificates issued worldwide.

The company added that the change takes into consideration guidance from the National Institute of Standards and Technology (NIST) that SHA-1 “should not be trusted past January 2014.”

Of note, Chinese researchers were able to crack the SHA-1 algorithm back in 2005, despite previous assumptions that it was virtually unbreakable.

On Wednesday, Benjamin Jun, vice president and CTO of San Francisco-based Cryptography Research, a Division of Rambus, told SCMagazine.com that 2012 revelations about Flame, sophisticated cyber espionage malware that targeted Iran's oil ministry, also intensified misgivings about the integrity of SHA-1 in the face of evolving threats.

The Flame campaign highlighted the first known malicious collision attack in the wild that exploited the MD5 algorithm, which Jun described as a “baby brother of SHA-1.”

“The Flame attack broke the hash function itself in a ‘collision attack,’” Jun said of MD5.

“SHA-1 is more sophisticated [than MD5], but I think it's appropriate to sunset its use in 2016,” Jun said.

The “SHA-1 Deprecation Policy” applies to Windows Vista and later, and Windows Server 2008 and later, the company said.

Microsoft also said that it would reconsider the policy deadline in July 2015. At that point in time, the company will assess whether SHA-1 is “still considered resistant to pre-image attacks by the security community,” and “whether a significant portion of the ecosystem is not capable of switching to SHA-2” – like third-party legacy systems and embedded devices that can't be upgraded to the preferred algorithm.

The coming changes to Microsoft's policy were announced on Patch Tuesday, the company's designated time each month to release security updates for its software.

On Tuesday, the company also advised users to disable the use of RC4 encryption – a move it intends to support by providing a registry key via an update that allows developers to “eliminate RC4 as an available cipher in their applications.”

Microsoft recommended users employ AES-GCM in place of RC4.