SHA-1 Deprecation

Website administrators need a plan to move their SSL certificates from SHA-1 to SHA-2.

SHA-1 is a hashing algorithm used when a certification authority (CA) signs an SSL certificate. The information in the certificate is cryptographically hashed to a common size for signing. With SHA-1, the information is hashed to 160 bits.

The main risk with a hash is that two different sets of information produce the same hash value. It’s like having a true statement for something that is good and something that is bad. This type of attack is called a collision. The risk is that a hash for a trusted SSL certificate could be the same as a hash for a trusted CA certificate. If an attacker has a trusted CA certificate, then they can issue fraudulent SSL certificates.

Hashes grow weaker over time due to the growth in computing power. This is called Moore’s Law, where the number of transistors per square inch doubles per year. Greater computing power means that a hash can be attacked in a much shorter time. As such, we must move to stronger crypto before it is susceptible to attack. Today the result is SHA-1 deprecation – bye-bye SHA-1.

SHA-1 deprecation is really quite easy to complete. Simply re-issue your SSL certificate and have it signed using SHA-2. SHA-2 is a family of hashing algorithms using 224, 256, 384 or 512 bits. CAs typically issue certificates using the SHA-256 version. The SHA-2 SSL certificate should also be installed with a SHA-2 intermediate CA certificate. In that way, there will be SHA-2 throughout the trust path.
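
An added example, not part of the original article: a Python check that reads the signature algorithm from each certificate in a chain and lists those still signed with SHA-1, which catches a re-issued SHA-2 certificate installed with an old SHA-1 intermediate. The two certificates are constructed, certificate-shaped DER with placeholder contents, and all function names are this example's own.

```python
SIG_HASH = {  # signature-algorithm OID -> hash it signs with
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)  # base-128, high bit = "more"
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(der):
    """Hash named by the certificate's outer signatureAlgorithm field."""
    _, cert_start, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)  # step over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_HASH.get(oid, "unknown:" + oid)

def audit_chain(chain):
    """Return ({label: hash}, [labels still signed with SHA-1])."""
    hashes = {label: signature_hash(der) for label, der in chain}
    return hashes, [label for label, h in hashes.items() if h == "SHA-1"]

def sample_cert(oid_body):
    """Constructed cert-shaped DER: placeholder tbsCertificate and signature."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths only
    alg = tlv(0x30, tlv(0x06, oid_body) + b"\x05\x00")
    return tlv(0x30, tlv(0x30, b"\x02\x01\x02") + alg + tlv(0x03, bytes(65)))

# Constructed chain: leaf re-issued with SHA-256, intermediate still SHA-1.
CHAIN = [("leaf", sample_cert(bytes.fromhex("2a864886f70d01010b"))),
         ("intermediate", sample_cert(bytes.fromhex("2a864886f70d010105")))]
```

To run it on real certificates, convert each PEM file to DER with `ssl.PEM_cert_to_DER_cert` from the Python standard library and pass the leaf and every intermediate to `audit_chain`.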

So why must we migrate to SHA-2 now?

In order to mitigate the risk of a SHA-1 collision attack, Microsoft set a deprecation policy. In it, Microsoft stated that CAs shall stop signing with SHA-1 starting in 2016 and that Windows would stop supporting SHA-1 in 2017.

Google accelerated SHA-1 deprecation by changing Chrome to provide user warnings for SHA-1 certificates expiring after 2015. Chrome releases 39, 40 and 41 will provide the warnings as changes to the lock in the browser status bar. Chrome 39 and 40 have been released and 41 should be released in early March 2015.

So what about SHA-2 compatibility? SHA-2 is compatible with all supported operating systems and browsers, so users of your website should have no issues. There are some other enterprise applications which might not work with SHA-2. As such, it is recommended that applications be tested and if there are issues, then they must be upgraded or replaced.
