Microsoft to use SHA-2 exclusively starting May 9, 2021

Corrine · Apr 14, 2021

Quote

As a major move to the more secure SHA-2 algorithm, Microsoft will allow the Secure Hash Algorithm 1 (SHA-1) Trusted Root Certificate Authority to expire. Beginning May 9, 2021 at 4:00 PM Pacific Time, all major Microsoft processes and services—including TLS certificates, code signing and file hashing—will use the SHA-2 algorithm exclusively.

Additional information at the source: Microsoft to use SHA-2 exclusively starting May 9, 2021 - Microsoft Tech Community.

x BlueRobot · Apr 14, 2021

Hmm, I'll expect that they'll probably be a few issues with Windows Update.

Digerati · Apr 15, 2021

If for no other reason than to avoid bad publicity and the inevitable exaggerated bashings from all the Microsoft haters, I suspect Windows Update is a top priority and one of the primary areas they have concentrated many resources on to ensure it won't have any issues.

That said, as noted in Corrine's link, they "changed the signing Windows updates to use the more secure SHA-2 algorithm exclusively in 2019". So if there are any issues with Windows update, they most likely will be due to something other than switching to SHA-2.

NumberFiveee · Apr 29, 2021

Sorry, but as a "low level" IT guy, what kind of impact could this possibly have for end users?

x BlueRobot · Apr 29, 2021

Any encrypted communication will be more secure and security signatures will be more difficult to spoof.

Digerati · Apr 29, 2021

NumberFiveee said:
what kind of impact could this possibly have for end users?

Most likely, we will "see" no impact at all. We will be able to continue using our computers as we did before - except we will be in a safer environment.

If the bad guys failed to break through the security barriers and get to you before, this just adds yet another barrier in their way.

Tekno Venus · Apr 29, 2021

Back in 2017, Google discovered a flaw in the (by then already old and superseded) SHA-1 algorithm. SHA-1 is a hashing function, which takes an input and converts it to a unique value. Being a hash function, this transformation can only go one way (you can convert a value to a hash, but you can’t convert a hash back to the original value). Hashing functions are vital in software, being used for password storage, certificate signing and file verification.

The flaw in SHA-1 allowed 2 different files to generate the exact same hash. This is a major vulnerability. For example, if the OS used a SHA-1 hash to verify an update was valid, an attacker could produce a malicious update that would generate the same hash and pass verification.

There’s a much better and more detailed explanation here Announcing the first SHA1 collision

Theoretical attacks have been known in SHA1 for over a decade, and NIST recommended against using SHA1 back in 2012 Hash Functions | CSRC. So tbh, it’s a long overdue fix by MS.

From an end user point of view, there’s no noticeable difference, but it’s an important security fix.

NumberFiveee · Apr 29, 2021

Alright, tyvm for the clarification.

Search

Search

Microsoft to use SHA-2 exclusively starting May 9, 2021

Corrine

Administrator,
Microsoft MVP,
Security Analyst

x BlueRobot

Administrator

Digerati

Moderator
Hardware Expert
Microsoft MVP (Ret.)

NumberFiveee

Well-known member

x BlueRobot

Administrator

Digerati

Moderator
Hardware Expert
Microsoft MVP (Ret.)

Tekno Venus

Senior Administrator, Developer

NumberFiveee

Well-known member

Microsoft to use SHA-2 exclusively starting May 9, 2021

Administrator, Microsoft MVP, Security Analyst

Administrator

ModeratorHardware ExpertMicrosoft MVP (Ret.)

Well-known member

Administrator

ModeratorHardware ExpertMicrosoft MVP (Ret.)

Senior Administrator, Developer

Well-known member

Administrator,
Microsoft MVP,
Security Analyst

Moderator
Hardware Expert
Microsoft MVP (Ret.)

Moderator
Hardware Expert
Microsoft MVP (Ret.)