So everyone is talking about SHA-1 and how it is becoming a less secure hash function. People are talking about a quick phase-out and a move to a more secure alternative. So what’s the story?
I would like to share with you my own thoughts and research on SHA-1 being insecure and the need to move to another alternative. In future posts I will also talk about how to migrate your Microsoft PKI to support the new SHA-2 hash function.
But I cannot start talking about how to solve the problem before spending some time analyzing the current situation and talking about some cryptography theory. It is hard to jump to conclusions and solutions if you are not fully aware of the current situation.
I believe, from listening to Security Now, that Google are aggressively pushing SHA-1 notices via Chrome this year. No word as yet on what the warning will be when visiting such a site.
The whole cryptography industry needs review. I don't think increasing bits could solve the problem, only slowing things down and making it a bit difficult to attack.
Thanks for a very well written article. It was easy to follow despite the complexity of the topic. I have a question: how about the impact of SHA-1 deprecation on client-side certificates for mutual TLS authentication? If a website is already using a SHA-2 certificate, can users still continue to authenticate themselves to that website using SHA-1 personal certificates (that are already in their Windows certificate stores) after 2016? Is there an urgency to transition SHA-1 personal certificates to SHA-2 in view of the deprecation policies of Microsoft and Google?
To "it is impossible (not possible in reasonable time) to find two messages that hash to the same hash value":
To my knowledge that is true only for files with the same size!
E.g. if one file has a length of 10 bytes and another one has 25 bytes, chances are that they can get the same hash result value.