+1-888-690-2424

Should You Use SHA-2?

Bruce Morton
Part 4 of 9 in the Series — SHA-2 Migration

A common question we receive from certificate customers: should we ask Entrust to sign our certificate with a signature using the SHA-2 hashing algorithm? Here is some information to help you make this decision.

What’s the purpose of the signature?

The purpose of the signature is to allow an end-user who is validating the certificate to ensure it was issued by a trusted certification authority (CA) and, thus, determine whether or not to trust the certificate.

The CA provides the signature and can choose from several cryptographic hash functions. MD5 was commonly used until it was found to have serious cryptographic flaws. SHA-1 is currently the most widely used hash function, and the industry is now moving to SHA-2. There is also a newly approved SHA-3 hash function, which may be deployed as a substitute to SHA-2 at a future date.

The main thing you need to understand about hash functions is they are designed to be collision- and preimage resistant.

Why should I consider using SHA-2?

As time moves along, the attacks against a given cryptographic hash function often improve. MD2 and MD5 were formerly used, but are now known to be too weak for cryptographic use. The concern is that in the not too distant future the SHA-1 hash will also be found to be too weak.

What are the hash attacks?

The two classes of attacks against cryptographic hash functions are known as collision attacks and preimage attacks.

A collision attack occurs when it is possible to find two different inputs that hash to the same value. MD5 is not collision-resistant, and SHA-1 has known flaws that weaken its collision resistance. A collision attack could be performed by a certificate subscriber to change a legitimately signed end-user certificate into an illegitimate subordinate CA certificate. This is an attack against the CA as the subscriber could then issue fraudulent certificates from their illegitimate subordinate CA.

Preimage attacks are against the one-way property of a hash function. In a first-preimage attack, a message hashing to a specific value can be determined. In a second-preimage attack, a second message can be found that hashes to the same value as a given message.

An attacker could use a preimage attack to switch your legitimate message with their malicious message and it would look like it was signed by you. SHA-1 is believed to be resistant to both types of preimage attack.

But since SHA-1 is already known to have weaknesses in its collision resistance, it may be determined that the CAs must move to SHA-2 sometime in the future. If the certificate subscribers are not prepared to use SHA-2, there will undoubtedly be some user-support issues.

Is SHA-2 supported?

SHA-2 was a little slow in getting implemented and deployed to users. There is no official SHA-2 supportability list, but here are some minimum software versions that do support SHA-2:

  • Windows XP SP3 – most XP users are on SP3; SP2 and older versions are unsupported
  • Mac OS X 10.5 – this and lesser versions make up less than 1 percent of the operating system market
  • Firefox 1.5 – obsolete
  • Opera 9.0 – obsolete
  • Java 1.4.2 – versions below Java 1.4.2 are not supported
  • Adobe Acrobat/Reader 7

As you can see, most of the client-side software currently deployed does support SHA-2. You would need to deal with the issue of the users who use software that does not support SHA-2.

Are there any other SHA-2 issues?

As I stated above, weak collision resistance is the issue with SHA-1. In some cases, you may be using certificates to sign code, to secure email or to secure other documents. In this case, the signed objects may be retained for a long time. When you sign the item you will use a hash function. You may want to consider using SHA-2 to make sure that your signed item will resist hash function attacks out into the future.

Conclusion

The SHA-1 hash function is weak against collision attacks. In the case of digital certificates, collision attacks may be used against your CA or other CAs in the industry. When it is determined that SHA-1 is too weak to continue, then the CAs will be forced to sign with SHA-2, and client software will need to be configured to require it.

The impact to you as a certificate subscriber is that your environment may not be SHA-2-ready. It is recommended that you review your environment to see if it supports SHA-2. Asking your CA to issue a SHA-2 certificate may help you test your environment.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

2 Comments

Add to the Conversation