Microsoft announces retiring of SHA-1
Along with the standard security advisories released on this month’s Patch Tuesday, Microsoft has also released a few that announce the company’s intention to deprecate the SHA-1 algorithm and avoid the RC4 cryptographic cipher.
“Microsoft is recommending that customers and CA’s stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing,” they explained, adding that the company will stop recognizing the validity of SHA1-based code signing certificates after 1 January 2016 and that of SHA-1-based SSL certificates after 1 January 2017.
Microsoft is trying to avoid the situation that happened when Flame malware authors managed to perform a collision attack against the MD5 algorithm and, by forging Microsoft digital signatures, to impersonate its servers. As with MD5 before it, researchers have proven on several occasions that the SHA-1 algorithm is susceptible to collision attacks, and the company has decided to act instead of react this time.
“US NIST Guidance has counseled that SHA-1 should not be trusted past January 2014 for the higher level of assurance communications over the US Federal Bridge PKI. Common practice however has been to continue to issue SHA-1-based certificates, and today SHA-1 certificates account for over 98% of certificates issued worldwide,” they explained. “Recent advances in cryptographic attacks upon SHA-1 lead us to the observation that industry cannot abide continued issuance of SHA-1, but must instead transition to SHA-2 certificates.”
The company has also issued a policy for deprecating the algorithm for Certificate Authorities who are members of the Windows Root Certificate Program, but have also said that the deprecation deadlines will be reconsidered in 2015.
The number of practical attacks against the RC4 stream cipher is, again, the reason Microsoft has officially recommended that customers retire and deprecate RC4 in their TLS implementations. Instead, they are advised to enable TLS1.2 with AES-GCM.
They also pointed out that they made the latest iteration of IE not offer RC4-based cipher suites during the initial TLS/SSL handshake as the first option, reserving it instead only for situations when the browser cannot negotiate a non-RC4 cipher suite with the server.