Microsoft has advised its customers to move away from the SHA-1 hashing algorithm and the RC4 stream cipher, both of which are widely used in applications and protocols. In its security advisory, Microsoft said that after 1 January 2016 it would stop recognizing certificates that use the SHA-1 algorithm. The decision was taken in the interest of customers' online security; root certificate authorities will therefore no longer be able to issue X.509 certificates with SHA-1, because the algorithm is not sufficiently secure against phishing and man-in-the-middle attacks.
Microsoft advised root certificate authorities to migrate to the SHA-2 hash algorithm and asked customers to replace their certificates with ones that use SHA-2.
SHA-1 is widely used in SSL (Secure Sockets Layer) and TLS (Transport Layer Security), which secure the online data transfer that takes place between servers and end users. SHA-1 based certificates are also used to verify whether software applications are genuine or fake/tampered with. The main reasons for moving away from SHA-1 are continuously changing hardware requirements, emerging cyber attacks, and evolving security research.
Difference Between SHA-1 And SHA-2
The only concern with SHA-2 is that it requires a larger amount of space to store the hash. Apart from this, SHA-2 is a faster and more secure hashing algorithm. The table below shows the technical differences between SHA-1 and SHA-2.
Hash Algorithms | SHA-1 | SHA-2 (224/256) | SHA-2 (384/512) |
---|---|---|---|
Output size (bits) | 160 | 224 & 256 | 384/512 |
Internal size (bits) | 160 | 256 | 512 |
Block size (bits) | 512 | 512 | 1024 |
Max message size (bits) | 2^64 – 1 | 2^64 – 1 | 2^128 – 1 |
Word size (bits) | 32 | 32 | 64 |
Rounds | 80 | 64 | 80 |
Collisions found | Yes | None | None |
History Of Collision Attack
In the last decade, Iran faced the Flame malware, which used a cryptographic collision attack to subvert the MD5 algorithm. In this attack, infected computers pretended to be legitimate official Microsoft servers by forging Microsoft's digital signatures. The infected machines were effectively able to install malicious software. Since then, Microsoft has removed MD5 from its update system.
After experiencing such a collision attack, Microsoft is determined to stop using SHA-1 before it becomes the victim of another cyber attack.
What Is a Collision Attack?
A collision attack occurs when two similar but distinct plaintext messages have the same hash value, so a software program that compares hashes cannot tell that the message was modified. This technique allows an attacker to create a fake digital certificate, which undermines the security of the system and leaves it vulnerable.
How Is a Collision Attack Formed?
A collision attack plays out as in the following example.
- Maria produces two dissimilar documents X and Y that both have an identical hash value (a collision).
- Maria then transmits document X to Arnold, who agrees with what the document states, signs its hash, and sends it back to Maria.
- Maria copies the signature sent by Arnold from document X to document Y.
- Maria then sends document Y to Steve, claiming that Arnold has signed this different document. Because the digital signature only verifies the document hash, Steve's software is not able to detect the modification.
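The four steps above, as an added example that is not part of the original article or Microsoft's advisory. It assumes a toy 24-bit digest (truncated SHA-256) as the collision-prone hash and an HMAC with a constructed key as a stand-in for Arnold's signature; all names and documents are constructed for illustration.

```python
import hashlib
import hmac
import itertools

# Constructed demo values: the key stands in for Arnold's private signing key.
ARNOLD_KEY = b"constructed-demo-key"
DOC_X = b"Arnold agrees to pay Maria 10 USD. ref="
DOC_Y = b"Arnold agrees to pay Maria 10000 USD. ref="


def weak_hash(data: bytes) -> bytes:
    """Toy 24-bit digest (truncated SHA-256) standing in for a collision-prone hash."""
    return hashlib.sha256(data).digest()[:3]


def strong_hash(data: bytes) -> bytes:
    """Full SHA-256, a member of the SHA-2 family."""
    return hashlib.sha256(data).digest()


def sign(doc: bytes, hash_fn) -> bytes:
    """Hash-then-sign: only the digest is signed (HMAC stands in for a real signature)."""
    return hmac.new(ARNOLD_KEY, hash_fn(doc), hashlib.sha256).digest()


def verify(doc: bytes, sig: bytes, hash_fn) -> bool:
    """Steve's check: recompute the signature over the digest of the document received."""
    return hmac.compare_digest(sign(doc, hash_fn), sig)


def find_collision(prefix_x: bytes, prefix_y: bytes, hash_fn):
    """Step 1: vary a reference number on both documents until the digests match."""
    seen = {}
    for i in itertools.count():
        x = prefix_x + str(i).encode()
        seen[hash_fn(x)] = x
        y = prefix_y + str(i).encode()
        if hash_fn(y) in seen:
            return seen[hash_fn(y)], y


def demo() -> dict:
    x, y = find_collision(DOC_X, DOC_Y, weak_hash)
    sig_weak = sign(x, weak_hash)      # step 2: Arnold signs X (weak digest)
    sig_strong = sign(x, strong_hash)  # same step, with SHA-256 instead
    return {
        "weak_accepts_y": verify(y, sig_weak, weak_hash),  # steps 3-4
        "strong_accepts_y": verify(y, sig_strong, strong_hash),
    }


if __name__ == "__main__":
    print(demo())
```

With the weak digest, the signature issued for X also verifies for Y; with SHA-256 the same transfer is rejected, which is the practical reason for migrating certificates to SHA-2.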
RC4 Is Obsolete:
A recent security survey cited in Microsoft's security advisory found that almost 58% of sites do not use the RC4 stream cipher while 43% do. Of this 43%, only 3.9% of sites require RC4; Microsoft therefore announced that it would discourage the use of the RC4 cipher.
Microsoft also announced that customers must enable TLS version 1.2 and stop using the RC4 cipher in servers and applications. Microsoft advised using TLS 1.2 with AES-GCM and called IE 11 a safer browser, since it minimizes the use of the weak RC4 cipher and enables the standard security of TLS 1.2 by default. TLS 1.2 is able to protect against the BEAST attack.
Frequent cyber attacks and changing hardware requirements compel the relevant authorities and the whole cyber world to think differently. However, the worry remains: when will this cat-and-mouse race end?