By now, you may have already heard that Microsoft will begin deprecating trust in certificates with SHA-1 signatures in 2016. In our view, this is a prudent move by Microsoft. It has long been known that SHA-1 was weakening, and that a practical collision attack, similar to the 2008 demonstration against MD5, could appear within a few years.
At the 25th Chaos Communication Congress (25C3) in December 2008, researchers used an MD5 chosen-prefix collision to produce two certificates representing different identities with the same MD5 hash: a legitimately issued end-entity certificate and a rogue intermediate CA certificate. Because the CA's signature covers only the hash, the signature on the legitimate certificate also validated the rogue one, which therefore appeared to be legitimately issued by the same CA.
As you might expect, this is the sort of attack that can have catastrophic consequences for a PKI and for every system that relies on its certificates. By 2008, however, most newer Public Key Infrastructures were no longer using MD5. SHA-1 had become the predominant standard, so in most cases migrating away from MD5 was not particularly painful.
Unfortunately, we suspect that this time, with SHA-1 giving way to the SHA-2 family of algorithms, the migration will not be as easy. Large enterprises seem to have many more legacy systems that do not support SHA-2 (or do not support RSA keys larger than 1024 bits, which is a serious but separate issue). CSS has seen this coming for quite a while; in fact, PKI expert Wayne Harris blogged about this possibility in early 2011.
CSS’ guidance for our enterprise customers is to:
- Begin assessing and cataloging which legacy systems (both operating systems and applications) in the IT environment cannot validate or produce SHA-2 signatures.
- Ensure that any newly deployed or purchased systems that will rely on your PKI are SHA-2 capable.
- As PKI components such as issuing or root CAs approach expiry, consider whether they can be replaced with SHA-2-based CAs. Keep in mind that the hash used in a root CA's self-signature does not affect chain validation, because roots are trusted directly; the SHA-1 signatures that matter are those on subordinate CA and end-entity certificates.
- Continue to monitor communications from Microsoft and other sources regarding SHA-1 deprecation policies.
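The cataloging step above starts with knowing which certificates in the environment are SHA-1 signed, and the 1024-bit RSA concern from the previous paragraph is found the same way. The following script is an added example, not CSS's tooling or anything Microsoft ships: a dependency-free DER walker that reads a certificate (PEM or DER), reports the hash in its signature algorithm and the size of its RSA key, and flags MD5/SHA-1 signatures and keys of 1024 bits or less. It goes slightly beyond the text by also catching MD5 and ECDSA-with-SHA1. The sample certificates it audits when run without arguments are constructed in `build_sample_cert()` with a dummy modulus and a placeholder signature; they are structurally valid X.509 but are not from any real CA.

```python
"""Flag certificates signed with MD5/SHA-1 or carrying RSA keys <= 1024 bits.

Added example, standard library only. build_sample_cert() constructs X.509
skeletons (dummy modulus, placeholder signature) so the script runs offline;
real .cer/.pem files are audited the same way: python audit.py *.cer
"""
import base64
import re
import sys

# Signature-algorithm OIDs (PKCS#1 and X9.62) and the hash each one uses.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",
    "1.2.840.113549.1.1.5": "sha1",
    "1.2.840.10045.4.1": "sha1",         # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.3.2": "sha256",     # ecdsa-with-SHA256
}
RSA_OID = "1.2.840.113549.1.1.1"
WEAK_HASHES = {"md5", "sha1"}

# ---- minimal DER decoding (enough for a Certificate) ----------------------
def read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed element's body into (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def load_cert(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    return data

# ---- the audit ------------------------------------------------------------
def audit_cert(data):
    """Return sig_hash, key_oid, key_bits and a list of findings for one cert."""
    _, cert, _ = read_tlv(load_cert(data))
    (_, tbs), (_, sig_alg), _ = children(cert)        # tbs, sigAlg, sigValue
    fields = children(tbs)
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    (_, spki_alg), (_, spki_key) = children(fields[5][1])
    sig_hash = SIG_ALG_HASH.get(decode_oid(children(sig_alg)[0][1]), "unknown")
    key_oid = decode_oid(children(spki_alg)[0][1])
    key_bits = None
    if key_oid == RSA_OID:                            # BIT STRING -> RSAPublicKey
        modulus = children(read_tlv(spki_key[1:])[1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    findings = []
    if sig_hash in WEAK_HASHES:
        findings.append(f"signed with {sig_hash}; reissue with a SHA-2 algorithm")
    if key_bits is not None and key_bits <= 1024:
        findings.append(f"RSA key is only {key_bits} bits")
    return {"sig_hash": sig_hash, "key_oid": key_oid, "key_bits": key_bits,
            "findings": findings}

# ---- constructed sample certificates (structure only, not from a real CA) -
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                                      # base-128, high bit = more
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return bytes(out)

def encode_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_cert(sig_oid, key_bits):
    """X.509 v3 skeleton with the given signature OID and RSA modulus size."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    modulus = (1 << (key_bits - 1)) | 1               # dummy modulus, key_bits long
    rsa_key = der(0x30, encode_int(modulus) + encode_int(65537))
    spki = der(0x30, der(0x30, der(0x06, encode_oid(RSA_OID)) + der(0x05, b""))
               + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, b"")                             # empty Name is enough here
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"170101000000Z"))
    tbs = der(0x30, der(0xA0, encode_int(2)) + encode_int(1) + alg
              + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))   # placeholder signature

if __name__ == "__main__":
    if sys.argv[1:]:                                  # audit real .cer/.pem files
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, audit_cert(f.read()))
    else:
        for oid, bits in [("1.2.840.113549.1.1.5", 1024), ("1.2.840.113549.1.1.11", 2048)]:
            print(oid, bits, audit_cert(build_sample_cert(oid, bits))["findings"])
```

On Windows the same inventory can be driven from the certificate store by exporting with `certutil -store` or by walking `Cert:\` in PowerShell and feeding each certificate's `RawData` to this script; the parser only cares about the DER structure, not where the bytes came from. The script reports the signature on the certificate itself, so run it against issuing CA certificates and end-entity certificates, where the SHA-1 signature actually matters for chain validation.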
Please contact email@example.com with any questions.