Bernard N.

Layon

Several companies using older versions of Secure Hash Algorithms migrated to

SHA2. Discuss why. Reference your discussions. 

SHA2 was developed by the National Institute of Standards and Technology (NIST) and
the National Security Agency (NSA). Said algorithm comes in four versions – SHA224,
SHA256, SHA384, and SHA512, which the number refers to bits in their outputs. The
purpose of the publication of SHA2 was to remove the weaknesses found in SHA1 and
to get along with the higher demand of using hashing algorithm in larger messages.
Study shows that there was an increased in difficulty and unpredictability in conforming
messaging pairs in SHA2 over MD5 and SHA1 making it more secured from the two.

It is true that up to date, several companies shifted from SHA1 to SHA2, and one of
them is Microsoft. According to their post in support.microsoft.com, the change was
initialized since they found out that the security of SHA1 has become less secure. There
were weaknesses found in the algorithm and a significant increase in the needed
processor performance was discovered. There were also considerations that there will
be possible problems in the implementation of the algorithm in cloud computing. It was
also mentioned that one of the reasons for shifting, is to align their processes with the
industry standards.

The collision was said to be the cause why SHA1 is not secured anymore. With this
problem, hackers will act as authorized issuers of certificates. Users will enter a
website, not knowingly that the certificate was issued by a hacker, making his or her
information/credentials be exposed.

Microsoft used these algorithms in making sure that when they release updates to
users, the contents have not been changed during the delivery. They just started using
the SHA2 last April 2019 and implement it in phases. They also require old OS versions
to install the update, making it a prerequisite to succeeding releases.

Aside from Microsoft, McAfee also announced through their website that they already
migrated from SHA1 to SHA2, specifically in issuing certificates. The problem was
discovered when a vulnerability scan, flags their ePolicy Orchestrator using SHA1 and
considering it as a weak hashing algorithm. Specifically, browsers such as Google
Chrome, Microsoft IE, and Mozilla Firefox flag the ePO as unsecure HTTPS, even
though that the certificate is correct. McAfee mentioned that the SHA1 algorithm already
reached its end of life.

References:

[1] Support.microsoft.com. 2021. 2019 SHA-2 Code Signing Support requirement for
Windows and WSUS. [online] Available at:
<https://support.microsoft.com/en-us/topic/2019-sha-2-code-signing-support-
requirement-for-windows-and-wsus-64d1c82d-31ee-c273-3930-69a4cde8e64f>
[Accessed 20 September 2021].
[2] Kc.mcafee.com. 2021. Migration from SHA-1 to SHA-2 certificates is required after
upgrading to ePolicy Orchestrator 5.9. [online] Available at:
<https://kc.mcafee.com/corporate/index?page=content&id=KB87017> [Accessed 20
September 2021].

[3] Chaves, R., Vassiliadis, S., Sousa, L. and Kuzmanov, G., 2006. Improving SHA-2
Hardware Implementations. International Association for Cryptologic Research,.

[4] Mendel, F., Nad, T. and Schlaffer, M., 2011. Finding SHA-2 Characteristics:
Searching through a Minefield of Contradictions. International Association for
Cryptologic Research,.

[5] Aoki, K., 2009. Preimages for Step-Reduced SHA-2. International Association for
Cryptologic Research,.