Written by: admin on 03/16/17

Here is an issue that we are starting to hear more about for clients in the NJ and NY areas where we are providing IT security / Cybersecurity services and consulting. In fact, we’ve dealt with it internally here at our NJ offices.

The Basics

  • Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string.
  • Among other things, hashing is used to encrypt and decrypt digital signatures.
  • SHA is Secure Hash Algorithm and uses a 60 bit cipher. SHA1 uses 160 bits. SHA2 includes 224 bit, 256 bit, 384 bit, and 512 bit hashing.

The Problem

For several years it has been shown that SHA1 is vulnerable, and an attacker can exploit that to have his code carry a certificate that appears legitimate. Certificate-based authentication is the cornerstone of computing systems security and integrity today. Such exploits can have significant impact, as with the 2012 Flame malware. Microsoft plans to deprecate SHA1 certificates by mid-2017.

The Solution

We recommend moving in-house corporate PKI infrastructure to SHA-256 certificates. SHA-256 is a level of SHA2. It’s the most commonly adopted standard at this time (Q1 2017). Higher levels of SHA2 such as SHA-512 have been shown to not be supported at this time by major applications such as Internet Explorer, Lync/Skype, …

Challenges and Options

  • Older Microsoft operating systems like Windows XP, Server 2003 use legacy Cryptographic Service Providers (CSPs) which have limited SHA2 support
  • The use of SHA1 certificates can be logged to present a client-specific scope of the problem
  • SHA1 deprecation enforcement by Microsoft Windows can be disabled via a registry tweak. This is not recommended, and will leave the client vulnerable but may be useful as a short term measure if a critical application suddenly breaks because of this issue.
  • SHA1 deprecation enforcement by Microsoft Windows can be manually enabled ahead of the 2017 deadline, perhaps on a test system to validate impact.
  • Windows XP, 2003, 7, 2008 R2 must be patched to support SHA2
  • In order to both sign and validate SHA2 messages, Windows 7 with Outlook 2007 or 2010 is needed
  • TMG2010 does not support CNG, only the legacy CAPI (CSP)
  • NDES (Network Device Enrollment Service) signs responses by SHA-1 by default, but can be changed to SHA-2
  • Windows Vista and Server 2008 do not support SHA2 Microsoft code signing certificates
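
A complementary way to scope the problem on a single machine is to inventory the certificates already installed that carry a SHA1 signature. The script below is an added example, not part of the original post; the function name and the list of store paths are assumptions to adjust for your environment.

```powershell
# Added example (not the original post's script): list certificates in the
# local machine stores whose signature uses SHA-1.
# Signature OIDs are matched instead of friendly names, which can be localized.
$Sha1SignatureOids = @{
    '1.2.840.113549.1.1.5' = 'sha1RSA'
    '1.3.14.3.2.29'        = 'sha1RSA (OIW)'
    '1.2.840.10040.4.3'    = 'sha1DSA'
    '1.2.840.10045.4.1'    = 'sha1ECDSA'
}

function Get-Sha1SignedCertificate {   # hypothetical helper name
    param(
        # Store paths are an assumption; add others (e.g. Cert:\CurrentUser\My) as needed.
        [string[]]$StorePath = @('Cert:\LocalMachine\My',
                                 'Cert:\LocalMachine\CA',
                                 'Cert:\LocalMachine\Root')
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $oid = $cert.SignatureAlgorithm.Value
            if (-not $Sha1SignatureOids.ContainsKey($oid)) { continue }
            [pscustomobject]@{
                Store        = $path
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                Signature    = $Sha1SignatureOids[$oid]
                NotAfter     = $cert.NotAfter
                # A self-signed root is trusted because it is in the store, not
                # because of its signature, so it is reported separately.
                IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
                # The thumbprint is always a SHA-1 digest used as an identifier;
                # it says nothing about the signature algorithm.
                Thumbprint   = $cert.Thumbprint
            }
        }
    }
}

# Unexpired leaf and intermediate certificates that need reissuing with SHA-256.
Get-Sha1SignedCertificate |
    Where-Object { -not $_.IsSelfSigned -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter |
    Format-Table Store, Subject, Signature, NotAfter -AutoSize
```

Certificates signed with RSASSA-PSS are not covered here, because their hash algorithm is carried in the signature parameters rather than in the OID.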

Example of securing IIS server

This PowerShell script automates the process of securing protocols, ciphers, and hashes. This goes beyond the SHA1 issue to disabling weak and vulnerable protocols, hashes, and ciphers that are enabled by default on a Windows computer. This can be run on any computer but is typically run on an IIS server because of its public facing role. The script specifically disables the following legacy protocols, hashes, and ciphers:

[Image: SHA1 PowerShell script]

Note that SHA1 is still used by Skype for Business. Disabling the SHA (that is, SHA1) hash will cause Skype to fail to sign in.


Exigent Technologies provides a wide array of IT Security (Cybersecurity) consulting services in the greater NY, NJ Tri-state areas.

For more information on securing your IT infrastructure, contact us.


