Date post: 07-Apr-2020
MIGRATE TO SHA-2: IMPLICATIONS & NEXT STEPS
Transcript
Page 1

MIGRATE TO SHA-2: IMPLICATIONS & NEXT STEPS

Page 2

Migrate to SHA-2: implications and next steps

Your speaker today: Bhavik Kapadia, Web Security Consultant

Part 1: What is SHA?

Part 2: Why the deprecation?

Part 3: Switching to SHA-2

Page 3

PART 1: What is SHA?

Page 4

WHAT IS SHA?

• Secure Hash Algorithm

A cryptographic hash function transforms an input (the message) into an output (the hash value) of a fixed number of bits.

• Applying the hash algorithm to a message gives you a string, called the fingerprint, digest or hash value, that is in practice unique to that message.

What it is used for:

integrity and authenticity of a message for the receiver

identity validation during the SSL handshake

• There have been several generations of hashing algorithms, e.g. MD5 (now obsolete).

Page 5

WHAT IS SHA? HOW IT WORKS

• However many times you apply the hash algorithm to the same message, the hash value will always be the same.

• Change a single character, and the hash value becomes completely different.

[Figure: three near-identical messages ("Web Security Specialist", "Website Security Specialists", "Website Security SpecialistE") pass through the hashing process and yield three unrelated hash values]

You can't invert this hash function: you cannot recreate the message from its hash value. It is a ONE-WAY CRYPTOGRAPHIC ALGORITHM.

Page 6

WHAT IS SHA-1?

SHA-1 is the version of the SHA algorithm that produces 160-bit hash values.

8537 1ca6 e550 143d ce28 0347 1bde 3a09 e8f8 770f

Example of a SHA-1 hash value

Most certificates today include a digital signature based on the SHA-1 hashing algorithm.

Page 7

WHAT IS SHA-2?

SHA-2 is the next version of the SHA algorithm. It is a family of six hash functions that produce hash values of different sizes:

SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256

SHA-256 is the SHA-2 member that produces 256-bit hash values.

E3b0 c442 98fc 1c14 9afb f4c8 996f b924 27ae 41e4 649b 934c a495 991b 7852 b855

Example of a SHA-256 hash value
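The three properties the deck describes (same input, same hash; one changed character, an unrelated hash; a fixed output size per algorithm), measured with Python's standard hashlib. This is an added example, not code from the deck: the input strings are constructed to mirror the slide's figure, and the deck's SHA-256 example value is checked against the digest of the empty message, which is what that value is.

```python
"""Hash properties from the deck, measured: determinism, the avalanche effect
of a one-character change, and the digest sizes of SHA-1 and the SHA-2 family."""
import hashlib

# Constructed inputs, modelled on the deck's near-identical example strings
MESSAGES = [b"Web Security Specialist",
            b"Website Security Specialists",
            b"Website Security SpecialistE"]

def digest_hex(name, data):
    """Hex digest of `data` under the hashlib algorithm `name`."""
    return hashlib.new(name, data).hexdigest()

def is_deterministic(name, data, rounds=5):
    """Hashing the same message repeatedly must always give the same value."""
    return len({digest_hex(name, data) for _ in range(rounds)}) == 1

def bit_difference(hex_a, hex_b):
    """Fraction of differing bits between two equal-length hex digests."""
    a, b = int(hex_a, 16), int(hex_b, 16)
    return bin(a ^ b).count("1") / (4 * len(hex_a))

def digest_bits(name):
    """Output size in bits: 160 for SHA-1, 224..512 for the SHA-2 variants."""
    return hashlib.new(name).digest_size * 8

if __name__ == "__main__":
    for name in ("sha1", "sha224", "sha256", "sha384", "sha512"):
        print(name, digest_bits(name), "bits, deterministic:",
              is_deterministic(name, MESSAGES[0]))
        # one extra character -> roughly half of all output bits flip
        print("  avalanche:", round(bit_difference(
            digest_hex(name, MESSAGES[1]), digest_hex(name, MESSAGES[2])), 2))
    # the deck's SHA-256 example value is the digest of the empty message
    print(digest_hex("sha256", b""))
```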

Page 8

PART 2: Why the deprecation?

Page 9

WEAKNESSES

REMINDER: SHA is a one-way cryptographic algorithm.

Collision attack

• What is it?

An attempt to find two different messages that produce the same hash value.

• How can it happen?

A hash function accepts inputs of unbounded length but always produces an output of a fixed, predefined length, so some distinct inputs must share a hash value; the question is only whether an attacker can find such a pair in practice.

• What are the consequences?

Increased risk of man-in-the-middle attacks

Reduced integrity of SSL certificates

Page 10

WEAKNESSES

The algorithms before SHA-2:

MD5: the previous hash algorithm, not resistant to collisions in practice

SHA-1: proven not resistant to collisions in theory

9e10 7d9d 372b b682 6bd8 1d35 42a4 19d6

MD5 hash value length (128-bit)

8537 1ca6 e550 143d ce28 0347 1bde 3a09 e8f8 770f

SHA-1 hash value length (160-bit)

E3b0 c442 98fc 1c14 9afb f4c8 996f b924 27ae 41e4 649b 934c a495 991b 7852 b855

SHA-256 hash value length (256-bit)

Solution? SHA-2, with its bigger hash value

Page 11

DEADLINES

• January 1st 2017

Microsoft operating systems will stop trusting any SHA-1 SSL certificate.

Web browsers will do the same.

• Consequences?

Any user trying to connect to a website using a SHA-1 certificate will get the following warning message: [screenshot not reproduced in this transcript]

Page 12

DEADLINES

CERTIFICATION AUTHORITIES (CAs)

• January 1st 2016

Following Microsoft's decision, all CAs will stop issuing SHA-1 certificates after this date.

Page 13

DEADLINES

• In 2014 Google announced that Chrome would display warning icons on websites using SHA-1 certificates.

• The warning icon varies according to:

the expiration date of the SHA-1 certificate

the version of Chrome

ON CHROME 40 & 41

Since February and March 2015 respectively, for SHA-1 certificates expiring…

• … between June 1st, 2016 and December 31st, 2016: "Secured but with minor errors"

• … after January 1st, 2017: "Neutral, lacking security"

Page 14

DEADLINES

ON CHROME 42

Starting from April 14th 2015 (estimated date), for SHA-1 certificates expiring…

• … between June 1st, 2016 and December 31st, 2016: "Secured but with minor errors"

• … after January 1st, 2017: "Affirmatively insecure"

Page 15

DEADLINES

If an SSL certificate using SHA-1 expires after June 1st, 2016, users will see one of the following indicators:

Secured, but with minor errors

Neutral, lacking security

Affirmatively insecure

Page 16

DEADLINES

Example of what Chrome's users will see.

Instead of…

[screenshots not reproduced in this transcript]

Page 17

SWITCHING TO SHA-2 IS ESSENTIAL

If you don't…

• Visual alerts

• Negative user reactions

It has an impact on…

• All companies

• All types of certificates (DV, OV, EV, Wildcard, Multi-Domain, for internal and external applications)

It is the new security standard:

• US NIST guidance

• PCI DSS compliance

Page 18

PART 3: Switching to SHA-2

Page 19

PLANNING YOUR MIGRATION

1. Identify SHA-1 certificates

2. Check your server/browser compatibility

3. Prioritise the SHA-1 certificates

4. Switch to SHA-2 with SSL247®

5. Install your SHA-2 certificates

6. Test your new certificates

Page 20

STEP 1: IDENTIFY SHA-1 CERTIFICATES

3 ways to do it…

• Use our SHA-1 Checker: https://www.ssl247.co.uk/ssl-tools/sha1-checker

Page 21

STEP 1: IDENTIFY SHA-1 CERTIFICATES

• If you are already a client, use your MySSL® platform

Page 22

STEP 1: IDENTIFY SHA-1 CERTIFICATES

• Or simply check in your browser (the signature algorithm is shown in the certificate details)
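Beyond the three ways above, an added example (not SSL247's tooling) for those who hold the certificate files: it reads the signatureAlgorithm OID out of a DER-encoded certificate with only the Python standard library and lists which certificates in a chain still carry a SHA-1 or MD5 signature, which also covers the intermediate that step 5 says must be SHA-2. The root is left out because clients never verify a root's self-signature. The `sample_cert` skeletons are constructed stand-ins rather than real certificates; real ones are passed in as DER bytes (base64-decode the PEM body first).

```python
"""Flag SHA-1/MD5 signatures in a certificate chain by reading the DER signatureAlgorithm OID."""
# Signature-algorithm OIDs (RFC 3279 / 4055 / 5758) -> (name, hash used)
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
}
WEAK_HASHES = {"MD5", "SHA-1"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear closes this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """(oid, algorithm name, hash) from Certificate.signatureAlgorithm."""
    _, cert, _ = read_tlv(cert_der, 0)        # Certificate ::= SEQUENCE
    _, _, after_tbs = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, after_tbs)  # signatureAlgorithm SEQUENCE
    tag, oid_bytes, _ = read_tlv(alg_id, 0)   # AlgorithmIdentifier.algorithm
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = decode_oid(oid_bytes)
    return (oid,) + SIG_OIDS.get(oid, ("unknown", "unknown"))

def certs_to_migrate(chain_der):
    """Indexes (leaf first, root excluded) of certificates signed with a weak
    hash. Clients never verify a root's self-signature, so a SHA-1 root stays."""
    return [i for i, der in enumerate(chain_der)
            if signature_hash(der)[2] in WEAK_HASHES]

# Constructed sample, not a real certificate: an empty tbsCertificate inside
# the Certificate skeleton, so only the signatureAlgorithm field matters.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form lengths only

def sample_cert(oid_hex):
    alg_id = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00"))

SHA1_RSA = "2a864886f70d010105"    # OID 1.2.840.113549.1.1.5
SHA256_RSA = "2a864886f70d01010b"  # OID 1.2.840.113549.1.1.11
CHAIN = [sample_cert(SHA1_RSA), sample_cert(SHA256_RSA)]  # leaf, intermediate
print(certs_to_migrate(CHAIN))  # [0]: only the leaf still needs reissuing
```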

Page 23

STEP 2: CHECK SERVER/BROWSER COMPATIBILITY

• As a general rule, SHA-256 is supported on Windows XP SP3+ and OS X 10.5+

• Use our online whitepaper to check browser compatibility: https://www.ssl247.co.uk/kb/ssl-certificates/generalinformation/sha2-compatibility-browsers-os

Note: if your server is not compatible, you should consider upgrading it.

Page 24

STEP 3: PRIORITISE THE SHA-1 CERTIFICATES

If you have a lot of certificates, prioritise them according to:

The expiration date…

Focus on the certificates with the latest expiration date first! (Chrome's warnings are harshest for the SHA-1 certificates that expire latest.)

The level of urgency…

Focus on public-facing sites first!

The transition time…

Check how much time you need to prepare the transition (e.g. server compatibility issues).

Page 25

STEP 4: SWITCHING TO SHA-2 WITH SSL247®

3 ways to switch to SHA-2:

Renew

Competitive replacement

Reissue: reissuing with SSL247® is free of charge, quick and easy, and requires little work on your side!

Page 26

SWITCHING TO SHA-2 WITH SSL247®

REISSUING ON MySSL®

Page 27

REISSUING ON MySSL®

Quickly reissue your SSL certificate in 2 steps with SSL247®.

How? Through the MySSL® platform: https://www.ssl247.co.uk/myssl/login

To access your SSL certificate products, use the left-hand panel of the platform.

Page 28

REISSUING ON MySSL®

STEP 1: Generate a new CSR (Certificate Signing Request)

Note: use the same CSR information you originally used for the certificate.

If you do not remember your CSR information, retrieve it through your MySSL® platform: click on "download existing CSR".

Page 29

REISSUING ON MySSL®

Copy-paste the downloaded existing CSR into our CSR decoder, available with all our Support tools: https://www.ssl247.co.uk/support/tools/csr-decoder

Page 30

REISSUING ON MySSL®

Use the information from the CSR decoder to generate a new CSR. Our CSR generation tutorials: https://www.ssl247.co.uk/kb/ssl-certificates/generate-csr

Page 31

REISSUING ON MySSL®

STEP 2: Reissue the certificate

Once you have the right CSR, go back to the certificate page on your MySSL® platform. At the bottom, copy-paste the new CSR into the reissuing field and validate.

Page 32

REISSUING ON MySSL®

Find this easy 2-step process in our dedicated tutorial: https://www.ssl247.co.uk/kb/myssl-guide/SHA-2-reissue

Page 33

STEP 5: INSTALL YOUR SHA-2 CERTIFICATES

Once you receive your SHA-2 certificate via email:

• Remember to install your SHA-2 intermediate certificate: https://www.ssl247.co.uk/support/download-roots-intermediates

Note: there is nothing to change for the root certificates.

• Use our tutorials to guide you: https://www.ssl247.co.uk/kb/ssl-certificates/install

Page 34

STEP 6: TEST YOUR NEW CERTIFICATES

• Check your installation with our Support tools:

Certificate decoder: https://www.ssl247.co.uk/ssl-tools/certificate-decoder

Health checkers: https://www.ssl247.co.uk/support/tools/health-checkers

Page 35

USEFUL LINKS

• Identify SHA-1 certificates

SHA-1 Checker: https://www.ssl247.co.uk/ssl-tools/sha1-checker

• Check server/browser compatibility

Whitepaper: https://www.ssl247.co.uk/kb/ssl-certificates/generalinformation/sha2-compatibility-browsers-os

• Switching to SHA-2 with SSL247®

MySSL®: https://www.ssl247.co.uk/myssl/login

CSR decoder: https://www.ssl247.co.uk/support/tools/csr-decoder

CSR tutorial: https://www.ssl247.co.uk/kb/ssl-certificates/generate-csr

Reissue with SHA-2 tutorial: https://www.ssl247.co.uk/kb/myssl-guide/SHA-2-reissue

• Install your SHA-2 certificates

Install your certificate tutorials: https://www.ssl247.co.uk/kb/ssl-certificates/install

Download root & Intermediate certificates: https://www.ssl247.co.uk/support/download-roots-intermediates

• Test your new certificates

Health checkers: https://www.ssl247.co.uk/support/tools/health-checkers

Certificate decoder: https://www.ssl247.co.uk/ssl-tools/certificate-decoder

• More information: https://www.ssl247.co.uk/migrate-to-sha2

Please note that these links are also available on our other websites (www.SSL247.fr, www.SSL247.es, www.SSL247.se, etc.)

Page 36

Questions & Answers

Page 37

FREQUENTLY ASKED QUESTIONS

1. When I reissue my certificate in SHA-2, do you revoke my old certificate right away?

No. We do not revoke your old certificate. You just need to install the new reissued SHA-2 certificate.

2. Is my server XP SP3 compatible with SHA-2?

Yes. Your server XP SP3 is compatible with SHA-2. If you have any doubts regarding the compatibility of your browser/server, be sure to check the whitepaper: https://www.ssl247.co.uk/kb/ssl-certificates/generalinformation/sha2-compatibility-browsers-os

Page 38

Thank you for your attention!

With SSL247®, you don't have to wait to protect your Online Business Continuity.

[email protected] - 0203 740 5927 (London office) - www.SSL247.co.uk

