SHA-1 is a widely adopted hash algorithm that can no longer be considered trustworthy. PKI designers must now weigh the benefits of implementing SHA-2 against the compatibility problems associated with its adoption. This design decision is driven by the recent understanding that SHA-1 is cryptographically weak: producing two different inputs that share the same hash value is much easier than originally anticipated. That is a serious problem if an authentic digital signature on a contract for $100 cannot be distinguished from a fraudulent digital signature on a contract worth $100,000, because a signature covers only the hash of the document, and two documents with the same hash carry the same signature.

SHA-2 is the successor to the older SHA-1 hashing algorithm and provides a more secure, and ultimately more trustworthy, PKI. But are the benefits of SHA-2 worth the expense involved in its implementation? This blog post explores SHA-2 in order to provide context, background, and possible migration paths.

**A brief history of Hash Algorithms**

Secure Hash Algorithm (SHA) is a family of cryptographic hash functions used to detect whether data has been modified. A hash function computes a fixed-size hash value (a digest) for a given piece of data. Different pieces of data are expected to yield different hash values, and any change to a given piece of data, even a single bit, results in a different hash value. That is the whole point: a differing hash value is how you determine that data has been altered.

Hash values help ensure the integrity of a given piece of data because a good cryptographic hash is easy to compute, yet infeasible to reverse, to predict, or to match with a second, different input. Strictly speaking hash values are not unique (there are far more possible inputs than there are 160-bit or 256-bit outputs), so the security rests on nobody being able to find two inputs that collide in practice.

SHA-0 was a short-lived hash algorithm published in 1993. SHA-0 was found to be flawed, and the National Security Agency (NSA) designed a replacement called SHA-1, published in 1995. Both SHA-0 and SHA-1 are 160-bit hash functions: every possible piece of data, whatever its size, hashes down to a 160-bit number. SHA-1 currently enjoys widespread adoption and is supported by most devices and systems that use cryptographic hash functions.

**So what is the problem with SHA-1?**

A primary consideration for cryptographic hash designers is to make it as hard as possible to find two different pieces of data that yield the same hash value. When two inputs do share a hash value, it is referred to as a “cryptographic hash collision.”

The problem is that while there is an unbounded number of distinct messages, there is only a limited number of possible hash values. Using SHA-1, there are 2^{160} possible hash values, so collisions must exist; the question is how hard they are to find. The birthday paradox tells us that for an ideal 160-bit hash, one should expect to find a colliding pair after hashing about 2^{80} different messages (the square root of 2^{160}), not 2^{160}. In other words, an attacker who wants two messages with the same hash would have to try roughly 2^{80} messages before expecting a collision. While that very large number makes a generic search impractical, cryptanalysts showed in 2005 that SHA-1 collisions could be found much faster than the generic 2^{80} birthday attack, in roughly 2^{69} operations, about 2,000 times faster.
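To make the 2^{80} figure concrete, here is an added example (not code from the original post) that runs a generic birthday search against a truncated SHA-1 digest. Truncating to 32 bits is an assumption made so the search finishes in well under a second; the same loop against the full 160-bit digest would need on the order of 2^{80} hashes. The constructed messages `msg-0`, `msg-1`, ... are arbitrary.

```python
"""Added example, not code from the original post: a generic birthday search
against a truncated SHA-1 digest. It shows why an n-bit hash offers only about
2^(n/2) collision resistance (2^80 for SHA-1's 160 bits) by actually finding a
collision on a 32-bit truncation after tens of thousands of hashes, not billions."""
import hashlib
import math


def expected_birthday_trials(bits: int) -> float:
    """Expected number of inputs hashed before the first collision on an ideal
    `bits`-wide hash: sqrt(pi/2 * 2^bits), i.e. about 1.25 * 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def truncated_sha1(message: bytes, bits: int) -> int:
    """First `bits` bits of SHA-1(message) as an integer (bits=160 is the full
    digest). Truncation stands in for a small hash so the search finishes
    quickly; the algorithm is identical for the full width, only slower."""
    digest = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int, max_trials: int = 1 << 22):
    """Generic birthday attack: hash distinct constructed messages (b"msg-0",
    b"msg-1", ...) and remember each truncated digest until one repeats.
    Returns (m1, m2, trials) or None if max_trials is exhausted. No SHA-1
    weakness is used; this works against any hash of the given width."""
    seen = {}
    for i in range(max_trials):
        msg = b"msg-%d" % i
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    for n in (32, 160):
        print(f"{n}-bit hash: expect ~2^{math.log2(expected_birthday_trials(n)):.1f} trials")
    m1, m2, trials = find_collision(32)
    print(f"32-bit collision after {trials} trials: {m1!r} and {m2!r}")
    print(f"truncated: {truncated_sha1(m1, 32):08x} == {truncated_sha1(m2, 32):08x}")
    print("full SHA-1 still differs:", truncated_sha1(m1, 160) != truncated_sha1(m2, 160))
```

The two colliding messages agree on the first 32 bits of their SHA-1 digests and nothing else; the point is the trial count, which lands near the 2^{16} predicted by the birthday bound rather than the 2^{32} a naive estimate would suggest. The 2005 result is a shortcut below this generic bound that is specific to SHA-1's internals and is not reproduced here.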

This is the reason that SHA-1 is being phased out of most government applications: NIST has recommended that federal agencies stop using SHA-1 for digital signatures after 2010.

**SHA-2 Background**

SHA-2 is a more recent cryptographic hash algorithm that shares its basic construction with SHA-1. SHA-2 was developed by the NSA and published by NIST in 2001 to address the mathematical shortcomings of SHA-1. SHA-2 is actually a **collection** of four different hashing algorithms, named for their digest length in bits: SHA-224, SHA-256, SHA-384 and SHA-512.

SHA-2 avoids the known weaknesses of SHA-1 by using longer digests (224 to 512 bits rather than 160) and a strengthened compression function, which makes collisions far harder to find. Note that a hash function has no key; what grows here is the digest size, not a key size. Nevertheless the development of SHA-3 is currently underway, and it should be noted that SHA-3 will not be based on SHA-2. *See update below.*

**SHA-2 Adoption Difficulties**

The widespread adoption of SHA-1 by systems that require hashing functions illustrates the difficulty of adopting SHA-2. The wide spectrum of crypto devices, applications, and systems demands an equally wide spectrum of management and upgrade paths. Most difficult of all, not everything that uses SHA-1 is compatible with SHA-2.

Upgrading an entire enterprise PKI from SHA-1 to SHA-2 requires not only installing Certificate Authorities capable of issuing SHA-2 certificates, but also ensuring that all subscribers, relying parties, applications and devices can actually use the resulting SHA-2 based certificates.

For Microsoft systems, SHA-2 support is native to Windows Vista, Windows 7, and Windows Server 2008 (R2). Windows XP Service Pack 3 and Windows Server 2003 SP2 clients with hotfix KB 968730, however, have only limited support for SHA-2; on those platforms it is limited to SSL/TLS.

Applications that use certificates, even on supported platforms, will also have to be evaluated for SHA-2 compatibility. For example, Microsoft Outlook 2003 cannot validate a SHA-2 signed S/MIME certificate.

Other platforms such as mobile devices, mainframes, mid-range computers, WAP devices, RADIUS servers, VPN concentrators and so on will also need to be evaluated for SHA-2 compatibility. In many cases an upgrade of some sort is required.

In short, because SHA-1 is embedded in so many different platforms, it can be a challenge to determine exactly what the impact of migrating to SHA-2 will be. Even newer systems include support for SHA-1 for compatibility with legacy CAs, so the old algorithm does not disappear simply because new systems arrive; you have to find where it is still in use.
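Finding where SHA-1 is still in use starts with the certificates themselves. The following is an added example (not code from the original post) that reads the outer `signatureAlgorithm` OID of each certificate in an inventory with a small hand-written DER walker, so it runs with the Python standard library only, and reports which certificates are still signed with SHA-1 (or MD5). The inventory names are hypothetical and the certificates are constructed stand-ins with filler bodies, not real certificates; in practice you would feed it the DER or PEM files exported from each CA and from device trust stores.

```python
"""Added example, not code from the original post: an inventory check that
reports which certificates are still signed with SHA-1 by decoding the outer
signatureAlgorithm OID of each DER or PEM certificate with a small hand-written
DER walker. Inventory names are hypothetical; the certificates are constructed
stand-ins with filler bodies, not real certificates."""
import base64
import re

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash family)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}
SEQUENCE, OID, NULL, OCTET_STRING, BIT_STRING = 0x30, 0x06, 0x05, 0x04, 0x03
PEM_BODY = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos] -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Dotted string from DER OID content: first byte is 40*a+b, then base-128 arcs."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """OID of Certificate.signatureAlgorithm (second element of the outer SEQUENCE)."""
    m = PEM_BODY.search(cert)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else cert
    tag, start, _ = read_tlv(der, 0)
    _, _, tbs_end = read_tlv(der, start)            # skip tbsCertificate entirely
    alg_tag, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (SEQUENCE, SEQUENCE, OID):
        raise ValueError("not a DER X.509 Certificate")
    return decode_oid(der[oid_start:oid_end])

def audit(inventory):
    """name -> (algorithm, hash family); unknown OIDs are flagged, not silently passed."""
    report = {}
    for name, data in inventory.items():
        oid = signature_algorithm(data)
        report[name] = SIGNATURE_OIDS.get(oid, (oid, "unknown"))
    return report

def needs_migration(inventory):
    """Certificates whose signature hash is SHA-1 or weaker (MD5)."""
    return [n for n, (_, fam) in audit(inventory).items() if fam in ("SHA-1", "MD5")]

# Constructed sample inventory: a tiny DER encoder builds certificate-shaped blobs.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_certificate(sig_oid):
    """Certificate-shaped SEQUENCE: 200-byte filler tbsCertificate (forcing the long-form
    length real certificates use), a genuine AlgorithmIdentifier, filler signature."""
    tbs = der(SEQUENCE, der(OCTET_STRING, b"\x00" * 200))
    alg = der(SEQUENCE, der(OID, encode_oid(sig_oid)) + der(NULL, b""))
    return der(SEQUENCE, tbs + alg + der(BIT_STRING, b"\x00" * 33))

def to_pem(blob):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(blob) + b"-----END CERTIFICATE-----\n"

SAMPLE_INVENTORY = {  # hypothetical names; one PEM, two DER
    "legacy-root-ca": fake_certificate("1.2.840.113549.1.1.5"),
    "sha2-root-ca": to_pem(fake_certificate("1.2.840.113549.1.1.11")),
    "sha2-issuing-ca": fake_certificate("1.2.840.10045.4.3.2"),
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY), needs_migration(SAMPLE_INVENTORY))
```

Two caveats when reading the report. First, the signature on a self-signed root is not normally validated by relying parties (a trust anchor is trusted by identity, not by its own signature), so a SHA-1 signed root is less of a problem than the SHA-1 signed subordinate CA and end-entity certificates beneath it; the hierarchy as a whole still has to move. Second, the check covers certificates only; a platform that cannot validate SHA-2 signatures will also fail on SHA-2 signed CRLs, OCSP responses and S/MIME messages, which is why the application testing described above is still needed.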

**Suggested upgrade path to SHA-2**

In almost all cases, the best approach to moving to a SHA-2 based PKI is to migrate to a separately rooted PKI: a separate hierarchy that uses only SHA-2 for its CA certificates and for the certificates it issues.

Figure 1 SHA-1 and SHA-2 PKI

Accomplishing this requires that a separate SHA-2 based root CA be created in parallel with the original PKI. This separate root certificate is signed using SHA-2, as are any subordinate CA certificates it issues. Enterprise subscribers and relying parties will need to trust both roots during the migration.

A separate PKI allows PKI administrators to migrate platforms and applications to the new SHA-2 based PKI in a phased and controlled manner. Eventually, when all subscribers, relying parties and applications have migrated, the original SHA-1 based PKI will have no remaining users or applications and can be decommissioned.

It is worth noting that there is also a policy aspect to the adoption of SHA-2. A separately rooted SHA-2 PKI can operate under its own enterprise Certificate Policy (CP), which allows the new CP to require the discontinuation of the SHA-1 hashing algorithm without rewriting the policy under which the legacy hierarchy was built.

**Conclusion**

SHA-1 is a hashing algorithm that currently enjoys widespread adoption. It has, however, mathematical shortcomings that SHA-2 solves. Implementing a SHA-2 based PKI will require a separately rooted enterprise PKI and a well thought out migration strategy. The result is a PKI that continues to be trustworthy and that protects against the increasing weakness of the SHA-1 cryptographic hashing algorithm.

**UPDATE:**

On October 2, 2012, NIST announced the winner of its hash function competition. The selected cryptographic hash algorithm is called “Keccak” (pronounced “catch-ack”).

As a result of this selection, “Keccak” will now become known as “SHA-3”.

http://www.nist.gov/itl/csd/sha-100212.cfm

http://en.wikipedia.org/wiki/Keccak
