Executive Summary

Summary
TitleDeprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program
Informations
NameKB2880823First vendor Publication2013-11-12
VendorMicrosoftLast vendor Modification1970-01-01
Severity (Vendor) N/ARevision1.0

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base ScoreN/AAttack RangeN/A
Cvss Impact ScoreN/AAttack ComplexityN/A
Cvss Expoit ScoreN/AAuthenticationN/A
Calculate full CVSS 2.0 Vectors scores

Detail

General Information

Executive Summary

Microsoft is announcing a policy change to the Microsoft Root Certificate Program. The new policy will no longer allow root certificate authorities to issue X.509 certificates using the SHA-1 hashing algorithm for the purposes of SSL and code signing after January 1, 2016. Using the SHA-1 hashing algorithm in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.

Recommendation: Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2. Microsoft also recommends that customers replace their SHA-1 certificates with SHA-2 certificates at the earliest opportunity. Please see the Suggested Actions section of this advisory for more information.

Advisory Details

Issue References

For more information about this issue, see the following references:

ReferencesIdentification
General InformationIntroduction to The Microsoft Root Certificate-Program
Technical RequirementsWindows Root Certificate Program - Technical Requirements

Advisory FAQ

What is the scope of the advisory?
This advisory aims to assist customers in assessing the risk of certain applications that use X.509 digital certificates that are signed using the SHA-1 hashing algorithm and to recommend that administrators and certificate authorities begin using SHA-2 in place of SHA-1 as an algorithm for signing digital certificates.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. A signing mechanism alternative to SHA-1 has been available for some time, and the use of SHA-1 as a hashing algorithm for signing purposes has been discouraged and is no longer a best practice. Microsoft will however evaluate any opportunities to strengthen technologies to detect fraudulent certificates. Although this is not a vulnerability in a Microsoft product, Microsoft is issuing this advisory to help clarify the actual risk involved to customers.

What causes this threat?
The root cause of the problem is a known weakness of the SHA-1 hashing algorithm that exposes it to collision attacks. Such attacks could allow an attacker to generate additional certificates that have the same digital signature as an original. These issues are well understood and the use of SHA-1 certificates for specific purposes that require resistance against these attacks has been discouraged. At Microsoft, the Security Development Lifecycle has required Microsoft to no longer use the SHA-1 hashing algorithm as a default in Microsoft software.

What is a digital certificate?
In public key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is an electronic credential used to certify the online identities of individuals, organizations, and computers. Digital certificates contain a public key packaged together with information about it - who owns it, what it can be used for, when it expires, and so forth. For more information, see Understanding Public Key Cryptography and Digital Certificates.

What is the purpose of a digital certificate?
Digital certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally, there is no need to think about certificates at all, aside from the occasional message stating that a certificate is expired or invalid. In such cases, one should follow the instructions provided in the message.

What is a certification authority (CA)?
Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

Suggested Actions

  • Review Microsoft Root Certificate Program Policy Changes

    Customers who are interested in learning more about the topic covered in this advisory should review Windows Root Certificate Program - Technical Requirements.

  • Update from SHA-1 to SHA-2

    Certificate authorities should no longer sign newly generated certificates using the SHA-1 hashing algorithm. Customers should update certificate authorities to use the SHA-2 hashing algorithm and obtain SHA-2 certificates from their certificate authorities.

    Impact of action: Older hardware-based solutions may require upgrading to support these newer technologies.

  • Keep Windows Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/2880823.mspx

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2013-11-12 21:19:27
  • First insertion