PKI Blog

SHA-1 is “Shattered”

Posted by CSS Technical Team on Mar 22, 2017 11:41:01 AM

SHA-1 has been in the news (again). We’ve all known that the SHA-1 hash function is cryptographically weak. In fact, CSS has been pointing out the weaknesses of SHA-1 for years now.

Topics: SHA-1, SHA-2

Freestart Collision for SHA-1

Posted by CSS Technical Team on Oct 9, 2015 12:45:15 PM

Many of you know that the cryptographic hash algorithm SHA-1 is in the process of being deprecated, due primarily to the hashing algorithm’s susceptibility to collision attacks. I first wrote about this back in 2011:

Topics: SHA-1, PKI

SHA-1 Signed Certificates No Longer Trusted?

Posted by Ted Shorter on Dec 10, 2013 4:47:24 AM

By now, you may have already heard that Microsoft will start deprecating trust in certificates with SHA-1 signatures in 2016. In our view, this is a prudent move by Microsoft. We've long known that SHA-1 was weakening and showing signs that a practical attack similar to the 2008 demonstration against MD5 could appear in the next few years.

Topics: expired digital certificate, Public Key Infrastructure, Certificate Management System (CMS), Industry Trends, RSA Keys, PKIaaS, Azure PKI, PKI, Secure Hash Algorithm, PKI as a Service (PKIaaS), PKI as a Service, SHA1, SHA2, MD5 hash, Blog, SHA-1, SHA-2

SHA-3 Announcement

Posted by CSS Technical Team on Oct 4, 2012 8:16:30 AM

As many know, the cryptographic hash function known as Secure Hash Algorithm 1 (SHA-1) has been deemed weak by NIST, and is no longer recommended. The NSA addressed the weaknesses in SHA-1 by publishing the SHA-2 hash function standard back in 2001. SHA-2 builds on SHA-1 by using similar algorithms with larger block and state sizes.

Topics: Keccak, Public Key Infrastructure, Industry Trends, NIST, Microsoft Public Key Infrastructure, PKI, Secure Hash Algorithm, Blog, SHA-1, SHA-2, SHA-3, NSA

The NDES CA Thumbprint Hash

Posted by CSS Technical Team on Feb 21, 2012 6:00:32 AM

Recently, while working on a Microsoft Network Device Enrollment Services (NDES) deployment, a client asked a simple-enough question about the thumbprint for the Certificate Authority (CA) certificate that was displayed on the NDES admin enrollment GUI, “What is that hash? And why doesn’t it match any of the CA certificate thumbprint hashes in my chain-of-authority?”

Topics: digital certificate, microsoft ca, IT Security, Microsoft Security Partner, NDES, Public Key Infrastructure, Certificate Management System (CMS), Infrastructure Management, mCMS, SCEP, Microsoft Checksum Integrity Verifier, MD5 hash, Blog, FCIV, SHA-1, Simple Certificate Enrollment Protocol, Microsoft Network Device Enrollment Services (NDES), Microsoft Certificate Authority

Time's Up for SHA-1, CSS' Suggested Migration Path

Posted by CSS Technical Team on Apr 18, 2011 5:00:16 AM

SHA-1 is a widely adopted hash algorithm that can no longer be considered trustworthy. Current PKI design analysts must weigh the benefits of implementing SHA-2 versus the compatibility problems associated with its adoption. This design decision is driven by the recent understanding that SHA-1 hashes are cryptographically weak and that malicious manipulation of the resulting hash values is much easier than originally anticipated. This is a serious problem if an authentic digital signature on a contract for $100 cannot be distinguished from a fraudulent digital signature on a contract worth $100,000.

Topics: Microsoft Security Partner, digital pki, Public Key Infrastructure, Microsoft Public Key Infrastructure, Secure Hash Algorithm, Microsoft PKI, Blog, SHA-1, SHA-2, SHA-3, Got PKI?
