Heartbleed bug has taught us many lessons and alerted the world about algorithm and security aspect. To fix this bug, it is quite necessary to reissuance and revocation of the certificate. Here, the good news is that many organizations have reissued their certificates with new hash algorithm named SHA-2 instead of SHA-1. Many of you may not aware about the use of SHA-2 in SSL certificates.
SHA-2 is a set of cryptography hash function that includes six has functions including SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. NIST (National Institute of Standards and Technology) has designed SHA-2 in 2001.
| Algorithm / Variant | Output size (bits) | Internal state size (bits) | Block size (bits) | Max message size (bits) | Word size (bits) | Rounds | |
|---|---|---|---|---|---|---|---|
| SHA-1 | 160 | 160 | 512 | 264 – 1 | 32 | 80 | |
| SHA-2 | SHA-224 | 224 | 256 | 512 | 264 – 1 | 32 | 64 |
| SHA-256 | 256 | 256 | 512 | 264 – 1 | 32 | 64 | |
| SHA-384 | 384 | 512 | 1024 | 2128 – 1 | 64 | 80 | |
| SHA-512 | 512 | ||||||
| SHA-512/224 | 224 | ||||||
| SHA-512/256 | 256 | ||||||
SHA-2 is more powerful algorithm than SHA-1. It is believed that after Heartbleed bug, 50% of certificates implemented with SHA-2 algorithm instead of SHA-1.
Microsoft had also published a security advisory named “Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program”. Therefore, Window is also going to cease the use of SHA-1 certificates on January 1, 2017. All certificates signed with SHA-1 algorithm must be changed with a SHA-2 (SHA-256) before January 1, 2017. Even window XP that is no longer supported by Microsoft was able to allow certificates signed with SHA-256, SHA-384, and SHA-512.
Certificate authorities must start the migration to SHA-2 as soon as possible to make long-term certificates alive. Even NIST (National Institute of Standards and Technology) has also published in a note, which will not allow the use of SHA-1 algorithm after December 2013.
The bad news is that there are 92% SSL certificates were signed with SHA-1 instead of SHA-2. However, the Heartbleed bug has changed the whole scenario and compelled website administrators to use SHA-2 algorithm in place of SHA-1.
There are almost 7% new certificates have been using SHA-2. Almost nearly 200000 valid third party certificates have accepted SHA-2 algorithm.
To make this change easy for you, Symantec had published a little FAQ support on its website.
Note:
ClickSSL also want to make its customers more secure by providing enhanced cryptographic standards with all SSL certificates including Code Signing certificates. Therefore, we are offering SHA-2 SSL certificates to secure website, intranet/extranet, mail servers and applications. It is advisable to migrate any SHA-1 algorithm that expire after January 1, 2017 and SHA-1 code signing certificates that expire after January 1, 2016.
Conclusion:
The increased strength of algorithm reminds us about Moore’s law that stated, over the time; computer speed is increased twice in almost 18 months. It means that with current computer technology, you can break algorithm in a billion years, but when the computer technology changes every 18 months, you need a strong cryptography to protect against such powerful threats.
