(2 votes, average: 5.00 out of 5)
It is always advisable to stay well-informed about the latest and safest cryptographic protocols in the Internet security market, as these are specially devised to protect your data and applications from modern-day cyber-attacks.
SHA is a family of several cryptographic hash functions, namely SHA-0, SHA-1, SHA-2 and SHA-3. It was published by the National Institute of Security and Technology (NIST). Certification Authorities (CAs) use SHA hash functions while signing digital certificates and Certificate Revocation Lists (CRLs). The concept was initialized with the purpose to generate unique hash values from the files. In the case of SSL certificates, the rationale of a hashing algorithm is to reduce reasonably a message to use it with a digital signature algorithm.
As an effective cryptographic solution, security experts make sure the hash functions are advanced enough to be in-sync with computers’ calculation capacity to avoid vulnerabilities. This is precisely the reason why advanced versions are introduced to ensure effective safety.
The Year 2011 marked the onset of SHA-1 deprecation, when an industry group of leading web browsers and Certificate Authorities (CAs) at the CA/Browser Forum worked together to establish basic security requirements for SSL certificates and published their ‘Baseline Requirements for SSL’. These requirements recommended all the CAs to move on to SHA-2 from SHA-1.
So, based on the SHA-1 weaknesses found in SHA-1, in terms of security, here is why all users should reconsider their conventional choice and select SHA-2 when it comes to choosing a hash algorithm.
Ever since the late 1990s, SHA-1 has been every CA’s popular choice for signing digital certificates. So much so, that by 2013, SHA-1 certificates accounted for almost 98% of the total number of certificates being issued. However, of late, the cryptographically advanced cyber-attacks on SHA-1 has led security experts to believe that the industry cannot afford anymore to continue using SHA-1, at the stake of users’ online security.
A recent research on cyber-attacks has revealed a picture that depicts SHA-1 to have become a regular target for attackers. Even if there has never been a successful complete collision (attack) in case of SHA-1, the evolution of our computers’ calculation capacities will soon make it possible. However, unlike SHA-1, SHA-2 is totally collision-resistant.
Now, a hashing algorithm is considered to be secure only if a unique output is produced for any given input which works one way and cannot be reversed. But, in 2005, SHA-1 was found to be the victim of ‘collision’ attacks. These are the kind of attacks where multiple inputs can produce the same output, which makes SHA-1 incapable of producing a cryptographically secure message digest. After that attack, SHA-1 was quite often found to be vulnerable towards many different attacks.
1995: SHA-1 published
2005: SHA-1 collision attack published in 2^69 calls
2005: NIST recommendation for movement away from SHA-1
2012: Identical-prefix collision 2^61 calls presented
2012: Chosen-prefix collision 2^77.1 calls presented
By November 2013, Microsoft© announced a new policy about deprecating the use of SHA-1 algorithm in SSL certificates for all the certificate authorities (CAs). As per the policy, Microsoft© shall allow CAs to continue certificate issuance using SHA-1 only till January 1 2016, after which it will permit the usage of only SHA-2, which is considered to be a safer option.
Following the vulnerabilities found in SHA-1, even the US NIST Guidance has advised that SHA-1 should not be trusted after January 1 2017 for achieving a higher level of assured communications over the US Federal Bridge PKI.
With the fundamental goal of protecting the integrity of the Windows platform and Windows customers, Microsoft© released a deprecation policy comprising of deadlines that gives fair amount of time for such massive transition.
Google© announced their SHA-1 deprecation policy in September 2014. As per the new policy, by 2017 Google Chrome will stop accepting SHA-1 certificates in a phased way.
The SHA-1 deprecation on Google’s Chromium user interface is projected to evolve in the following pattern:
SHA-2 is a set of hashing algorithms, which features a high level of security as compared to its older version, SHA-1. It is developed through the National Institute of Standards and Technology (NIST) and National Security Agency (NSA). The SHA-2 set of algorithms is patented in US 6829355 and the United States has released the patent under royalty-free license. Currently, the SHA-2 family consists of the following algorithms:
SHA-256 & SHA-512 – These the novel hash functions, which are computed with 32-bit and 64-bit words respectively. Their structures are almost identical in spite of using different shift amounts and additive constants. Their structures differ only in the number of rounds.
SHA-224 & SHA- 384 – Commonly referred to as the truncated versions of the above mentioned algorithms. Both these are computed with different initial values.
SHA-512/224 & SHA 512/256 – These are the truncated versions of SHA-512.
The servers in the list below are compatible with SHA-2 algorithm:
All browsers mentioned below are compatible with SHA-2:
Here are just a few applications for SHA-2:
Apparently the SHA-2 Revolution has taken Internet security by storm. Especially after having SHA-1 deprecation policies coming from leading web browsers. So, this brings us to the juncture where it has become almost necessary to replace SHA-1 with its secure predecessor, SHA-2 algorithm. Here is the procedure for all the users intending to migrate or concerned about the migration from SHA-1 to SHA-2 should do.
First of all, the users are requested to check their websites and confirming which algorithm is being used by the SSL certificate securing the website. Please click here to check your website for SHA-1 encryption. After getting the results, if you find your website to be relying on an SHA-1 SSL certificate, then you are advised to migrate it to SHA-2 SSL certificate. Here is a stepwise procedure for our users to follow, steps of which can be performed even without any expertise:
If you are an existing customer and have already purchased an SSL certificate but it has SHA-1 algorithm, then you can upgrade it by following these steps-
Step 1 – Go to the ‘My Order’ or ‘Order Listing’ page and click on the ‘Order ID’ option to get to the order details page. On the order detail page, click on the re-issue button located on the bottom side on the same page.
Step 2 – After that, you shall receive an e-mail from ComodoSSLStore© which contains a centralapi link.
Step 3 – You shall be soon re-directed to the panel of ‘Certificate Reissue’
Step 4 – Now enter your SSL certificate’s CSR with SHA-2. After that, scroll the drop down menu given for ‘Algorithm’ and carefully select SHA-2.
Step 5 – Above step completes the procedure of migration for existing customers. Your re-issued certificate shall be sent to you via e-mail. You can download and install this certificate by following the routine procedures.
However, if you are a new customer and wish to purchase a SHA-2 SSL certificate, please follow all the steps mentioned below:
Step 1 – First of all, the customers need to generate a new CSR by choosing the SHA-2 algorithm..
Step 2 – Next, click on the ‘Generate Certificate’ button to proceed to the order.
Step 3 – Next, you would be directed to the panel of ‘Certificate Issuance’ process panel where you need to enter the CSR you generated in the first step.
NOTE: Keep in mind to select SHA-2 algorithm while placing the order.
Step 4– Certificate Authorities shall soon send you an email with your new SSL Certificate.