SHA-1 is a widely adopted hash algorithm that can no longer be considered trustworthy. Current PKI design analysts must weigh the benefits of implementing SHA-2 verses the compatibility problems associated with its adoption. This design decision is driven by the recent understanding that SHA-1 hashes are cryptographically weak and the opportunity for malicious manipulation of resulting hash values are much easier than originally anticipated. This is a serious problem if an authentic digital signature on contract for $100, cannot be distinguished from a fraudulent digital signature on a contract worth $100,000.
SHA-2 is an update of the older SHA-1 hashing algorithm, providing a more secure and ultimately a more trustworthy PKI. But are the benefits of SHA-2 worth the expense involved in its implementation? This blog post explores SHA-2 in order to provide context, background, and possible migration paths.
A brief history of Hash Algorithms
Secure Hash Algorithm (SHA) is a type of cryptographic hash function whose job it is to ensure that data has not been modified. SHA accomplishes this by computing cryptographic hash value for a given piece of data that is unique to that data. Different pieces data yield unique hash values, and any change to a given piece of data will result in a different hash value. And that’s the whole point, differing hash values are key to determining if data has been altered.
Hash values help ensure the integrity of a given piece of data because they are virtually guaranteed to be unique, infeasible to predict and yet easy to compute.
SHA-0 was a short lived hash algorithm released in 1993. SHA-0 was found to be flawed, and the National Security Agency (NSA) designed a replacement called SHA-1. Both SHA-0 and SHA-1 are 160-bit hash functions. That means each every possible piece of data will hash down to a 160 bit number. SHA-1 currently enjoys widespread adoption and is supported by most devices and systems that use cryptographic hash functions.
So what is the problem with SHA-1?
A primary consideration for cryptographic hash designers is to minimize the probability that two different pieces of data yield the same hash value. When this happens, it’s referred to as a “cryptographic hash collision.”
The problem is that while there are an infinite amount of unique bits of data, and yet there are limited numbers of computable hash values. Using SHA-1, there are 2160 possible cryptographic hash values. Mathematical theory tells us that the chances that any two messages computing to the same value should be about 1 in 280. In other words, if one wanted to find two messages that computed the same value, they would have to try 280 different messages before you would expect to find two whose hashes collide. While this very large number makes hash guessing improbable, crypto mathematicians proved in 2005 that SHA-1 hash collisions could be calculated much quicker than simply trying 280 different messages (2000 times quicker in fact).
This is the reason that SHA-1 is being phased out of most governmental applications, and that NIST has recommended that SHA-1 not be used after 2010.
SHA-2 is a more recent cryptographic hash algorithm that is based on SHA-1. SHA-2 was developed by the NSA in 2001 to address the mathematical shortcomings of SHA-1. SHA-2 is actually a collection of four different hashing algorithms; SHA-224, SHA-256, SHA-384, SHA-512.
SHA-2 avoids the weaknesses in SHA-1 by leveraging larger key sizes that make collisions even less likely; nevertheless the development of SHA-3 is currently underway. It should be noted that SHA-3 will not be based on SHA-2." *See update below
SHA-2 Adoption Difficulties
The widespread adoption of SHA-1 by systems requiring hashing functions might serve to illustrate the difficulty with the adoption of SHA-2. The wide spectrum of possible crypto devices, applications, and systems demand a wide spectrum of management and upgrade paths. And what is most difficult, not everything that uses SHA-1 is compatible with SHA-2.
Upgrading an entire enterprise PKI from SHA-1 to SHA-2 will not only require the installation of Certificate Authorities that are capable of issuing SHA-2 certificates, but also ensuring that all subscribers, relying parties, applications and devices can actually use the resulting SHA-2 based certificates.
For Microsoft systems, SHA-2 capabilities are native to Windows Vista, Windows 7, and Windows Server 2008 (R2). However Windows XP Service Pack 3 and Windows Server 2003 SP2 clients with KB 968730 have only limited support for SHA-2. Support for SHA-2 on these platforms is limited to SSL/TLS capabilities.
Applications that use certificates, even on supported platforms will also have to be evaluated to determine their compatibility with SHA-2. For example, Microsoft Outlook 2003 cannot validate a SHA-2 S/MIME certificate.
Platforms such as mobile devices, mainframes, mid-range computers, WAP devices, radius servers, VPN concentrators, etc. will also need to be evaluated to ensure compatibility with SHA-2. In many cases, an upgrade of some sort is required.
In short, because SHA-1 is embedded in so many different platforms, it can be a challenge to determine exactly what the impact of migrating to SHA-2 can be. Even newer systems include support for SHA-1 for compatibility with legacy CAs
Suggested upgrade path to SHA-2
In almost all cases, the best approach to moving to a SHA-2 based PKI would involve migrating to a separately rooted PKI. A separate PKI that uses only SHA-2 for issued certificates and CA certificates.
Figure 1 SHA-1 and SHA-2 PKI
Accomplishing this requires that a separate SHA-2 based root CA be created in parallel with the original PKI. This separate root is signed using SHA-2, as are any subordinate CA certificates. Enterprise subscribers and relying parties will need to trust both roots during the migration.
A separate PKI allows PKI administrators to carefully migrate platforms and applications to a new SHA-2 based PKI in a phased and controlled manner. Eventually, when all subscribers, relying parties and applications have migrated, the original SHA-1 based PKI will be devoid of users or applications and will be decommissioned.
It is worth noting that there is a policy aspect to the adoption of SHA-2. A SHA-2 based PKI will also allow for the adoption of a separate enterprise Certificate Policy (CP). This will allow for the adoption of a CP that requires the discontinuation of the SHA-1 hashing algorithm.
SHA-1 is a hashing algorithm that is currently enjoys widespread adoption. There are, however, mathematical shortcomings of this cryptographic hash algorithm that are solved by SHA-2. The implementation of a SHA-2 based PKI will require a separately root enterprise PKI and a well thought out migration strategy. This will yield a PKI that continues to be trustworthy and protects against the increasing weakness of the SHA-1 cryptographic hashing algorithm.
On October 2 2012, NIST announced the winner of their ongoing hash function competition. The selected cryptographic hash algorithm is called “Keccak”. (Pronounced Catch-ack)
As a result of this selection, “Keccak” will now become known as “SHA-3”.