As of May 9, 2021, Microsoft will only use SHA-2

Starting May 9, 2021, Microsoft will only allow the more secure SHA-2 algorithm in its processes and services (including TLS certificates, code signing and file hashing). SHA-1 use will then no longer be possible.



The announcement was made on April 14, 2021 in the blog post "Microsoft to use SHA-2 exclusively starting May 9, 2021" (thanks to the user for pointing this out). At that time, Microsoft will phase out its Secure Hash Algorithm 1 (SHA-1) trusted root certificate authority. Starting May 9, 2021, at 4:00 p.m. Pacific time, all major Microsoft processes and services (including TLS certificates, code signing, and file hashing) will exclusively use the SHA-2 algorithm.

The background: SHA-1 is considered insecure

The SHA-1 hashing algorithm is now considered insecure due to vulnerabilities found in the algorithm, increased processor power and the advent of cloud computing. Since there are now better alternatives such as Secure Hash Algorithm 2 (SHA-2), they are preferred.

For this reason, Microsoft already switched the signing of Windows updates in 2019 to use the more secure SHA-2 algorithm exclusively, and subsequently withdrew all Windows-signed SHA-1 content from the Microsoft Download Center on August 3, 2020. I reported on the implications for Windows 7 (the newer operating systems already supported SHA-2) in the blog post "Windows 7: From April 2019 'SHA-2-Support' is required".

What does this mean?

In the best case, administrators and users don't even notice. The expiration of the Microsoft SHA-1 Trusted Root Certificate Authority only affects SHA-1 certificates that are chained to the Microsoft SHA-1 Trusted Root Certificate Authority. Manually installed enterprise or self-signed SHA-1 certificates are not affected. However, Microsoft strongly recommends switching to SHA-2 (if not already done).

In the article above, Microsoft writes that they do not expect any problems due to the expiration of the SHA-1 certificate, because all important applications and services have been tested.
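For the recommendation to switch remaining SHA-1 certificates to SHA-2, the following is an added example (not from the original post or from Microsoft): a PowerShell inventory of certificates in the local Windows certificate stores whose signature still uses SHA-1. The choice of stores and the report columns are assumptions made for this example.

```powershell
# Added example: list certificates whose signature algorithm is SHA-1 based,
# as candidates for reissue with SHA-2. Matching is done on the signature
# algorithm OID rather than the friendly name, which can vary by system.
$sha1Oids = @(
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.3.14.3.2.29',         # sha1WithRSA (older OIW identifier)
    '1.2.840.10045.4.1',     # ecdsa-with-SHA1
    '1.2.840.10040.4.3'      # dsa-with-SHA1
)

# Assumption: personal and intermediate stores are the ones of interest.
# Trusted roots are left out because a root is trusted by its presence in
# the store, not by the hash used in its self-signature.
$stores = @(
    'Cert:\LocalMachine\My',
    'Cert:\LocalMachine\CA',
    'Cert:\CurrentUser\My',
    'Cert:\CurrentUser\CA'
)

$report = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $sha1Oids -contains $_.SignatureAlgorithm.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Algorithm  = $_.SignatureAlgorithm.FriendlyName
                NotAfter   = $_.NotAfter
                Expired    = ($_.NotAfter -lt (Get-Date))
                Thumbprint = $_.Thumbprint
            }
        }
}

if ($report) {
    $report | Sort-Object Store, NotAfter | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No SHA-1 signed certificates found in the scanned stores.'
}
```

The Issuer column shows which authority each remaining SHA-1 certificate chains to, which is what decides whether the root expiration described above applies to it.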

