Windows Enforcement of SHA1 Certificates
Since last few months there has been yellow alert from Microsoft Team on the Enforcement of SHA1 Certificates. Not only Microsoft team but also the other certificate provider and browsers too. Although most of the public SSL has already using SHA2 or we say SHA256, still there might be some private certificate with SHA1. Hence this blog is for the knowledge of details on deprecation of SHA1 certificate. The Enforcement process has been started from Feb 2017. On February 14, 2017, Microsoft will release an update to Microsoft Edge and Internet Explorer 11 that will display an Invalid Certificate warning page alerting users that their connection is not secure. Though we do not recommend it, customers have the option to continue to the website.
The Enforcement of SHA1 Certificates may impact all the application like Exchange, Lync, System Center, SharePoint, etc. which uses https services. For detail, you can visit to this link which Microsoft has shared the knowledge of it.
In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST.SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long.
SHA – standing for secure hash algorithm – is a hash algorithm used by certification authorities to sign certificates and CRL (certificates revocation list). Introduced in 1993 by NSA with SHA0, it is used to generate unique hash values from files.
Example: A file hashed with SHA1 could look like:
As for any cryptographic solution, SHA must evolve along with our computers’ calculation capacities in order to avoid any weakness. There are, therefore, several versions of SHA: SHA0 (obsolete because vulnerable), SHA1 (the most popular one), SHA2 (the one we are interested in) and finally SHA3 introduced in 2012.
SHA2, not often used for now, is the successor of SHA1 and gathered 4 kinds of hash functions: SHA224, SHA256, SHA384 and SHA512. It works the same way than SHA1 but is stronger and generate a longer hash.
Hash attacks, SHA1 and SHA2
There are 2 kinds of attacks specific to hash:
- A collision: there is collision when 2 different files produce an identical hash. It is then possible to substitute a file for another. In our domain of expertise, we could then imagine to replace an official certificate by a fraudulent one having the same hash values. SHA0 is not resistant to collision attacks, that is the reason why it is not used anymore.
- the pre-image: one needs to distinguish pre-image from first-preimage. The first one consists of ‘guessing’ a file value from its hash. The other one uses a hash to create a value different from the one that has been used to generate the hash.
Still the question will be, then what will happen after February 2017. So Here is the summary that could help you.
|Today||February 14, 2017|
|TLS Server-Authentication Certificates||No lock icon Microsoft Edge and Internet Explorer 11||Invalid Certificate|
|Code Signing Certificates||Unaffected||Unaffected|
|OCSP and CRL Signing Certificates||Unaffected||Unaffected|
|Code Signature File Hashes||Unaffected||Unaffected|
|Timestamp Signature Hashes||Unaffected||Unaffected|
For Detail Visit on this link.