Back in 2013 I introduced the concept of hashing to readers of this blog. We also discuss it in Learning Tree’s System and Network Security Introduction. One aspect of hashing I didn’t discuss much was hash algorithms. Many hash algorithms have been in popular use over the years, including MD4 and Snefru, but for many years MD5 was overwhelmingly the most commonly used hash.
Issues were found with MD5 as long ago as 1996, about four years after it was published. This led to increased use of SHA-1. In 2004 more serious issues were discovered, leading to a further decline in the use of MD5. Subsequently, researchers were able to create different documents with the same MD5 hash (a collision), leading to recommendations that it no longer be considered secure.
SHA-1 (Secure Hash Algorithm 1) was created by the US National Security Agency (NSA). It is in widespread use today, particularly for securing websites. Unfortunately, it suffers from issues similar to those of MD5 as the algorithms share some similarities. To counter those issues a family of hash algorithms called SHA-2 was created by the NSA. In contrast with MD5’s 128 bits, the SHA-2 family hashes are 224 – 512 bits in length. By far the most common of the SHA-2 hashes is SHA-256. There is a bit of similarity between SHA-1 and SHA-2, but the issues with SHA-1 do not appear to extend to the SHA-2 hashes.
So why should you care about all this? At the end of next year major browsers will no longer accept digital certificates from sites using SHA-1; Windows will stop accepting such certs, and in general they will be officially obsolete. Soon, browsers will begin warning users of certs that use SHA-1 and are valid after 1 January 2017. Sites that haven’t already should begin upgrading immediately. It is not a matter of SHA-1 vs SHA-2; it is a matter of an upgrade. If you manage a site or use certificates internally, you should begin the upgrade process now.
In theory, the upgrade to SHA-2 should be simple: just upgrade software and generate or purchase new certificates. However, the move is complicated by older – possibly embedded – software that doesn’t support SHA-2. Browsers may need to be upgraded and so forth. The process is similar to most software upgrades, but it still needs to be managed and it needs to start now. Consider a device that is only compatible with SHA-1 connecting to a web site that uses SHA-2: it may fail to connect (because it can’t verify the site’s certificate) or it may misbehave in another way. This migration should be on every system manager’s radar.
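A migration like this starts with an inventory of which certificates are signed with SHA-1. The following is an added example, not code from the original post: a standard-library Python check that reads a certificate's signature algorithm and notAfter date from its DER encoding and flags SHA-1 certificates that remain valid after 1 January 2017. The function names and the `sample_cert` skeleton are constructed for illustration.

```python
from datetime import datetime, timezone

# Hash behind common signature algorithms, keyed by the DER-encoded OID bytes.
SIG_HASH = {
    bytes.fromhex("2a864886f70d010105"): "SHA-1",    # sha1WithRSAEncryption
    bytes.fromhex("2a8648ce3d0401"): "SHA-1",        # ecdsa-with-SHA1
    bytes.fromhex("2a864886f70d01010b"): "SHA-256",  # sha256WithRSAEncryption
}
CUTOFF = datetime(2017, 1, 1, tzinfo=timezone.utc)  # warning date named in the post

def tlv(buf, pos=0):
    """Decode one DER element: (tag, value bytes, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def audit(cert_der):
    """Return (hash name, notAfter, True if the post's SHA-1 warning applies)."""
    tbs, sig_alg = children(tlv(cert_der)[1])[:2]
    fields = [f for f in children(tbs[1]) if f[0] != 0xA0]  # drop [0] version
    tag, raw = children(fields[3][1])[1]  # serial, sigAlg, issuer, validity
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280 maps 50-99 to 19xx
        text = ("19" if text[:2] >= "50" else "20") + text
    not_after = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    digest = SIG_HASH.get(children(sig_alg[1])[0][1], "other")
    return digest, not_after, digest == "SHA-1" and not_after > CUTOFF

def enc(tag, *parts):  # encoder for the constructed sample; short lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(alg_byte, not_after):  # constructed skeleton: no key or signature
    alg = enc(0x30, enc(6, bytes.fromhex("2a864886f70d0101"), bytes([alg_byte])), b"\x05\x00")
    validity = enc(0x30, enc(0x17, b"160101000000Z"), enc(0x17, not_after))
    tbs = enc(0x30, enc(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", alg, enc(0x30), validity, enc(0x30))
    return enc(0x30, tbs, alg, b"\x03\x01\x00")
```

To check a real certificate, pass its DER bytes to `audit`; a PEM file can be converted with the standard library's `ssl.PEM_cert_to_DER_cert`.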
Let us know in the comments below about how you are planning to migrate to SHA-2, and whether or not you’re already thinking about the move to SHA-3.
To your safe computing,