Microsoft is in the process of phasing out use of the Secure Hash Algorithm 1 (SHA-1) code-signing encryption to deliver Windows OS updates – announcing that customers running legacy OS versions will be required to have SHA-2 code-signing support installed on their devices by July 2019.
No SHA-2 support, no more updates: This will hold true for users of Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2008 SP2, and some older versions of Windows Server Update Services.
Windows for now uses both the SHA-1 and SHA-2 hash algorithms to authenticate its updates and prevent man-in-the-middle tampering, with newer systems supporting only SHA-2, and older ones only SHA-1. However, SHA-2 upgrades will roll out to the affected products over the course of several months, beginning March 12.
“Due to weaknesses in the SHA-1 algorithm and to align to industry standards, Microsoft will only sign Windows updates using the more secure SHA-2 algorithm exclusively [after July 19],” the computing giant said in a Feb. 15 notice. “Any devices without SHA-2 support will not be offered Windows updates after July 2019.”
The NIST-developed SHA-1 remains a widely used part of code-signing, but its efficacy has declined over time as more and more attacks that break it have popped up. Microsoft for instance has cited the existence of known collision attacks against SHA-1 as the main reason for advising against its use. Collisions occur when an attacker is able to generate a certificate with the same signature as the original certificate.
This is only the latest step for Microsoft in phasing out SHA-1. It has been actively deprecating the SHA-1 and older hash algorithms like RC4 since at least 2013.
In 2014, Microsoft made SHA-2 available for Windows 7 and Windows Server 2008 R2, bringing those older versions of Windows in line with Windows 8 and Windows Server 2012 and 2012 R2. And it began steering developers away from SHA-1 in 2016, when it said SHA-1 would no longer be allowed for code-signing and certificates. And in 2017, it discontinued support in its Internet Explorer and Edge browsers.
Other tech giants, including Facebook, Google and Mozilla, are doing the same. “These changes are part of a broader shift in how browsers and web sites encrypt traffic to protect the contents of online communications,” said Facebook production engineer Adam Gross in 2015, when Facebook put developers on notice that apps that do not support SHA-2 will no longer connect to its network.