One by one, tech companies have been tossing aside the SHA-1 cryptographic algorithm like the unreliable collision-prone mess that it is.
Microsoft was among the first to steer its customers away from SHA-1 and established an internal edict that its developers would no longer use it for code-signing or its certificates after January 2016.
Yesterday among the flurry of its Patch Tuesday security bulletins, Microsoft took another important step when it issued a pair of security advisories, one notifying users that it had made the SHA-2 algorithm available for Windows 7 and Windows Server 2008 R2. The other was an update for Microsoft EAP implementations that enables the use of Transport Layer Security (TLS) 1.1 or 1.2.
SHA-1 collisions have been theoretically possible for years. A collision occurs when an attacker is able to produce a second certificate whose SHA-1 digest matches the original cert's, so the signature a CA issued over the original also validates the forgery. Though mathematically possible, a collision attack, even against a weakened SHA-1, would take significant hardware resources to execute.
That gap, however, is narrowing. In 2012, Bruce Schneier published research concluding that collisions would be within reach of most hackers by 2018. Citing calculations by Jesse Walker based on the cost of commodity microprocessors and the expectation that Moore’s law would hold for another decade, he put the server-cycle cost of a collision at around $173,000 on Amazon, well within reach of a funded attacker such as an organized crime group or nation state.
The use of fraudulent certificates would allow an advanced attacker such as a nation state to pose as Microsoft, Google or any site of their choosing, putting web traffic and personal communication at risk. Google, and most recently Mozilla, have announced their road maps for SHA-1 deprecation. Beginning with an upcoming Chrome release in November, Google’s browser will no longer trust websites whose certificate chains rely on SHA-1. Mozilla, meanwhile, asked Certificate Authorities and websites to upgrade to cryptographically stronger versions of the algorithm and said it would no longer trust SHA-1 certs after Jan. 1, 2017.
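The two paragraphs above describe the mechanism and its consequence: a signature covers only the certificate's digest, so a second certificate with the same digest inherits the CA's signature and can impersonate any site. The following Python is an added example, not code from the article or from Microsoft. It stands in for a broken SHA-1 by truncating SHA-1 to 24 bits, so a collision can be found by brute force in seconds (a real SHA-1 collision needs a cryptanalytic shortcut plus the compute budget the article discusses, but ends in the same state). The CA key is textbook RSA over two fixed Mersenne primes, unpadded and far too small for real use; the certificate strings, the `Constructed Corp` names and the helper names are all constructed for the demonstration. The last check shows why the SHA-2 move matters: the same CA key, signing the same certificate over SHA-256, no longer accepts the forgery.

```python
import hashlib

# Added example (not from the article): why a hash collision lets a forged
# certificate pass signature verification, and why moving the signature to
# SHA-256 closes the hole.
#
# Toy CA key: textbook RSA from two fixed Mersenne primes. Constructed for
# illustration only; real keys are padded, random and larger.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# Truncating SHA-1 to 24 bits plays the role of a hash whose collisions are
# cheap; brute force on the prefix reaches the same end state as a real attack.
WEAK_DIGEST_BYTES = 3


def weak_digest(data: bytes) -> bytes:
    """Stand-in for a broken SHA-1: only the first 24 bits of the digest."""
    return hashlib.sha1(data).digest()[:WEAK_DIGEST_BYTES]


def sha256_digest(data: bytes) -> bytes:
    """The SHA-2 family member the Windows update makes available for signatures."""
    return hashlib.sha256(data).digest()


def sign(tbs: bytes, digest=weak_digest) -> int:
    """CA signs only the digest of the to-be-signed (TBS) certificate bytes."""
    m = int.from_bytes(digest(tbs), "big")
    return pow(m, D, N)


def verify(tbs: bytes, signature: int, digest=weak_digest) -> bool:
    """Relying party recomputes the digest and compares it to the recovered value.

    Nothing else about the certificate is inspected, so any TBS bytes with the
    same digest are accepted.
    """
    return pow(signature, E, N) == int.from_bytes(digest(tbs), "big")


def find_colliding_certs(template: str = "CN=example-{i}.test,O=Constructed Corp,serial={i}"):
    """Birthday search over constructed TBS strings for two that share a weak digest."""
    seen = {}
    for i in range(2 ** (8 * WEAK_DIGEST_BYTES) + 2):  # pigeonhole guarantees a hit
        cand = template.format(i=i).encode()
        h = weak_digest(cand)
        if h in seen:  # distinct i gives distinct bytes, so this is a true collision
            return seen[h], cand
        seen[h] = cand
    raise RuntimeError("unreachable: pigeonhole guarantees a collision")


def demo() -> dict:
    """Sign the genuine cert once per hash and test both certs against each signature."""
    genuine, forged = find_colliding_certs()
    weak_sig = sign(genuine)                    # CA signs the genuine cert with the weak hash
    strong_sig = sign(genuine, sha256_digest)   # same CA, same key, SHA-256 signature
    return {
        "same_weak_digest": weak_digest(genuine) == weak_digest(forged),
        "weak_sig_accepts_genuine": verify(genuine, weak_sig),
        "weak_sig_accepts_forged": verify(forged, weak_sig),  # the impersonation case
        "sha256_sig_accepts_genuine": verify(genuine, strong_sig, sha256_digest),
        "sha256_sig_accepts_forged": verify(forged, strong_sig, sha256_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a defender is in `verify`: the check never sees the certificate, only its digest, so the strength of the whole chain is capped by the collision resistance of the hash the CA signed with. That is why the browser road maps above target the signature algorithm of every certificate in the chain, not just the leaf.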
Microsoft’s decision to make SHA-2 available for Windows 7 means that it joins Windows 8, 8.1 and Windows Server 2012, 2012 R2 and Windows RT and RT 8.1, as Windows versions that already support SHA-2. Windows 8 and higher support it by default and do not require an update, Microsoft said, adding that the update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.
Microsoft’s decision to enable TLS for EAP implementations continues its push to encrypt its web-based services. In July, Microsoft announced that its webmail service Outlook.com supports TLS encryption inbound and outbound, in addition to Perfect Forward Secrecy. OneDrive cloud storage also enabled Perfect Forward Secrecy in July, Microsoft said. PFS negotiates a fresh, ephemeral session key for each connection, meaning that if a server’s long-term private key is someday compromised, it cannot be used to decrypt previously captured messages.
EAP, or Extensible Authentication Protocol, is the authentication framework used in Windows client and server rollouts. Once the update is installed, Windows 7, Windows Server 2008 R2, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT can be configured to use the newer TLS versions for EAP through a simple registry modification, Microsoft said. A hacker who is able to exploit a weakness in an older version of TLS could carry out a man-in-the-middle attack, hijack traffic and steal information in plaintext from sessions thought to be encrypted.
This article was updated Oct. 16 clarifying that SHA-2 is available only for Windows 7 and up, and earlier supported versions of Windows will not support SHA-2.