Oct 18, 2016 8:50:41 AM
SHA-2 Migration Timelines are Looming

Are You Ready for the Move
to SHA-2?

Is your business ready for SHA-1 deprecation? The timelines for the move to SHA-2 are looming, and deprecation is fast-approaching. Explained by InfoWorld, SHA-1 was once considered secure, but has been proven to contain cryptographic flaws. Security experts and cryptographers believe that the SHA-1 hash is no longer secure—and its shelf life is dwindling quickly.

A quick recap for anyone unfamiliar with SHA-1 vs SHA-2:

  • Hash values help ensure the integrity of a given piece of data because they are virtually guaranteed to be unique and unpredictable. Secure Hash Algorithm (SHA) is a type of cryptographic hash function created to ensure that data has not been modified.
  • The National Security Agency (NSA) designed a SHA-1 in 1995. It’s a 160-bit hash function, meaning that each and every possible piece of data will hash down to a 160-bit number.
  • Until recently, SHA-1 currently was adopted widely and supported by most devices and systems that use cryptographic hash functions.
  • In 2002, SHA-2 became the new recommended hashing standard. SHA-2 is often called the SHA-2 family of hashes because it contains hashes of different sizes, including 224-, 256-, 384-, and 512-bit digests and is considered to be cryptographically strong. The encryption hash used in SHA-2 is significantly stronger and not subject to the same vulnerabilities as SHA-1.

In essence, SHA-1 is no longer strong, SHA-2 is the more secure alternative, and all organizations should be making the transition. The risk of continuing to use SHA-1 certificates is incontrovertible. 

 

Updates on Deprecation Deadlines

December 31, 2016 is the official date for accepting SHA-1. Unfortunately, as reported by InfoWorld, not all vendors have the same deprecation dates—and they’re changing all of the time, which is all the more reason to complete your SHA-2 migration as soon as possible.

As it stands, Microsoft has moved its deadline to February 14, 2017. Google has announced that HTTP sites whose certificate chains use SHA-1 and are valid past 1/1/17 will no longer appear to be fully trustworthy in Chrome's user

Interface. On 10/20/15, Mozilla announced a re-evaluation of when it would start rejecting all SHA-1 SSL certificates (regardless of when they were issued). The plan remained to make this change on 1/1/17, but in light of recent attacks on SHA-1, Mozilla was also considering the feasibility of having a cut-off date as early as 7/1/16 (which was last July).

Regardless of the deprecation dates projected by vendors, your safest bet is to consider December 31, 2016 the official cutoff.

 

Failure to Migrate: the Consequences

Organizations and users who do not adopt SHA-2 run the risk of not being able to trust the authenticity of data. In the case of public-facing browsers, users will be notified of “untrusted connections,” or even experience lack of access – all because of a vulnerable SHA-1 certificate.

Given the lower cost and increasing advancements in computing power and cryptanalysis, it’s not a matter of if an SHA-1 collision will occur, it’s a matter of when.

Organizations that issue or consume certificates need a transition plan; industry-leading CAs and browsers are taking this seriously. So, too, should organizations that manage their own PKI infrastructure, CA, and digital certificates. Both large and small organizations are vulnerable today, and reacting after an outage or breach will be ugly, and potentially cost millions of dollars.

 

Executing the Move

If you need professional services from an external PKI expert, the time to get on their radar was yesterday, so don’t delay further. Many PKI consulting organizations have already filled their schedules with SHA-2 transition projects.

Your best practices for SHA-2 migration will differ depending on how your organizations issues certificates, but here are a few high-level suggestions:

 

Certificates issued from internal CA

Certificates issued from a third-party CA

Certificates issued from multiple sources

  • Assess hardware, software, people, policies, and procedural needs of internal PKI/CA
  • Review certificate inventory
  • Confirm interoperability with SHA-2
  • Identify PKI changes
  • Contact third-party certificate provider for formal deprecation dates and customer responsibilities
  • Review certificate inventory
  • Confirm interoperability with SHA-2
  • Create and manage multiple transition plans.

 

 

 

 

Don’t Go Solo When it Comes to SHA-2 Migration

For in-depth details regarding projected deprecation dates and best practices for SHA-2 migration, download “SHA-1 Deprecation Challenges and Solutions,” generated by CSS Research.

If you have questions about the SHA-2 migration, or are seeking PKI expertise to assist with the transition, don’t hesitate to contact the CSS PKI professionals, or call us at 877.715.5448 for immediate assistance. CSS PKI experts are actively working with clients to help them address their unique situation through PKI Health Checks and PKI Professional Service engagements.

 

 Speak with a PKI Expert