Replace SHA-1. It’s not that hard.


Now that SHA-1 has been broken it’s time for enterprises that have ignored its potential weakness for years to finally act, and it’s not that hard.

The hash function is most commonly used in securing SSL and TLS connections, and the way to get rid of SHA-1 there is to use browsers and servers that don’t support it. Depending on the size of an organization, this isn’t onerous, says Paul Ducklin, a senior security advisor at Sophos. (See his excellent description of the problem with SHA-1 and other hashing algorithms.)


Upgrading these SHA-1 certificates ought to be a housekeeping activity. “It shouldn’t be that difficult,” Ducklin says. “It should be part of your operational DNA.”

But the fact is that it hasn’t been, despite warnings from seven years ago that SHA-1 was susceptible to attacks, at least theoretically.

SHA-1 may be lurking in less common places, says David Maxwell, CSO at InfoSec Global, an adaptive cryptography firm. It is embedded in many software programs. Applications typically call on crypto libraries to access hashing functions that the applications specify, so changing which function to use can involve a lot of work.


Content management systems and code-revision systems may use SHA-1 as well, as a means to identify files and to ensure they haven’t been tampered with, Ducklin says. If these systems are bought from third parties, businesses should ask the vendors whether they employ SHA-1 and when they are going to fix it.

There’s no way to make it easier to swap in a different hash function in legacy applications, says Maxwell, but it is possible to write an easier method into new code using what he calls crypto-agility.

That means writing applications so that when they call for hash functions they do so from a discrete software module that can be altered relatively simply. When the app calls on the library, it seeks a list of all the hashes available and then chooses the appropriate one. Which one it selects can be quickly changed, he says.

The reason to use crypto-agility is that as hashes get better, the math and machines needed to crack them also improve, he says. “It would have been great if you’d done it yesterday,” Maxwell says, to avoid having to throw a lot of effort into upgrading now. “If you scramble today, wouldn’t you rather not have to scramble next time?”
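A minimal sketch of the crypto-agility pattern described above, added here as an illustration and not taken from the article or from InfoSec Global. The names `PREFERRED`, `DEPRECATED`, `choose_algorithm`, `fingerprint` and `verify` are hypothetical; the idea is that the hash choice lives in one module, digests record which algorithm produced them, and old SHA-1 records stay verifiable while being flagged for re-hashing.

```python
import hashlib
import hmac

# Policy lives in one place (hypothetical names). Retiring an algorithm
# means editing these two lines, not every call site in the application.
PREFERRED = ["sha3_256", "sha256"]   # acceptable for new digests, best first
DEPRECATED = {"sha1"}                # still verifiable, never issued again

def choose_algorithm() -> str:
    """Ask the crypto library what it offers and pick the best allowed hash."""
    available = hashlib.algorithms_available
    for name in PREFERRED:
        if name in available:
            return name
    raise RuntimeError("no acceptable hash algorithm available")

def fingerprint(data: bytes) -> str:
    """Return a self-describing digest such as 'sha3_256:<hex>'."""
    name = choose_algorithm()
    return f"{name}:{hashlib.new(name, data).hexdigest()}"

def verify(data: bytes, tagged: str) -> tuple[bool, bool]:
    """Check data against a stored tagged digest.

    Returns (matches, needs_upgrade). needs_upgrade is True when the record
    was made with anything other than the currently chosen algorithm, so the
    caller can re-hash it after a successful match.
    """
    name, _, expected = tagged.partition(":")
    if name not in PREFERRED and name not in DEPRECATED:
        raise ValueError(f"unknown or disallowed algorithm: {name!r}")
    actual = hashlib.new(name, data).hexdigest()
    matches = hmac.compare_digest(actual.encode(), expected.lower().encode())
    return matches, name != choose_algorithm()

if __name__ == "__main__":
    # Constructed sample: a legacy record holding the SHA-1 of b"abc".
    legacy = "sha1:a9993e364706816aba3e25717850c26c9cd0d89d"
    print(verify(b"abc", legacy))            # legacy record, flagged for upgrade
    print(verify(b"abc", fingerprint(b"abc")))
```

Because each stored digest carries its algorithm name, a migration can proceed record by record: verify against the old hash, then overwrite with `fingerprint(data)`.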

Since the successful attack on SHA-1 required the massive computing capabilities of Google, it’s likely only those with vast resources will be using this attack anytime soon, Ducklin says. So even though it’s proven to be exploitable, as a practical matter attacks against SHA-1 are very unlikely anytime soon.

“You can kind of do nothing and get away with it,” he says, but you shouldn’t.
