Microsoft Software and Services Switching to SHA-2 Security Next Month
Microsoft plans to stop trusting Secure Hash Algorithm 1 (SHA-1) certificates next month for "all major Microsoft processes and services," according to a Wednesday announcement.
Those SHA-1 certificates will expire starting on "May 9, 2021 at 4:00 PM Pacific Time." Going forward, Microsoft's solutions will just use the SHA-2 security algorithm.
The changeover to SHA-2 could throw errors for organizations, but it only affects organizations with "SHA-1 certificates chained to the Microsoft SHA-1 Trusted Root Certificate Authority," the announcement explained. It doesn't affect organizations using "manually installed enterprise or self-signed SHA-1 certificates."
Even though organizations could still use SHA-1 in those instances, Microsoft is generally encouraging them to switch to using SHA-2.
Organizations that continue to use SHA-1 after the May deadline could start seeing error messages, as listed in this Microsoft support article. Those errors include:
- Windows can't verify the publisher when installing drivers
- App blocked from running
- Publisher blocked when trying to open an app
- Generic trust failure on software installs
- Invalid digital signature when installing an app
The support article added that Microsoft hasn't been seeing these issues with popular applications so far.
It's possible to confirm that an application uses SHA-2 by right-clicking on its executable file (.EXE) and then selecting the Properties tab, followed by Digital Signatures. SHA-2 support is indicated by "SHA256 in the Digest algorithm column in the Signature list section," the support article explained.
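The same check can be scripted across many files. The following is an added example, not code from Microsoft's support article or from this page: it reads a PE file's embedded Authenticode signature and returns the digest algorithms listed in its PKCS#7 SignedData. The function names are illustrative, and it assumes DER encoding and does not look at nested (dual) signatures or catalog-signed files.

```python
import struct

# DER-encoded OID bodies for the digest algorithms of interest.
DIGEST_OIDS = {
    bytes.fromhex("2b0e03021a"): "sha1",
    bytes.fromhex("608648016503040201"): "sha256",
    bytes.fromhex("608648016503040202"): "sha384",
    bytes.fromhex("608648016503040203"): "sha512",
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def pkcs7_digest_algorithms(der):
    """List the digestAlgorithms of a PKCS#7 SignedData ContentInfo."""
    _, pos, _ = read_tlv(der, 0)      # ContentInfo SEQUENCE
    _, _, pos = read_tlv(der, pos)    # contentType OID (signedData), skipped
    _, pos, _ = read_tlv(der, pos)    # [0] EXPLICIT wrapper
    _, pos, _ = read_tlv(der, pos)    # SignedData SEQUENCE
    _, _, pos = read_tlv(der, pos)    # version INTEGER, skipped
    _, pos, end = read_tlv(der, pos)  # digestAlgorithms SET
    names = []
    while pos < end:
        _, alg_start, pos = read_tlv(der, pos)  # one AlgorithmIdentifier
        _, s, e = read_tlv(der, alg_start)      # its algorithm OID
        names.append(DIGEST_OIDS.get(bytes(der[s:e]), "other"))
    return names

def pe_digest_algorithms(pe):
    """Digest algorithms of the embedded Authenticode signature, [] if unsigned."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and COFF header
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    offset, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # security directory
    if not (offset and size):
        return []
    length, _rev, cert_type = struct.unpack_from("<IHH", pe, offset)
    if cert_type != 0x0002:  # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        return []
    return pkcs7_digest_algorithms(pe[offset + 8:offset + length])
```

Call `pe_digest_algorithms(open(path, "rb").read())` on each executable; a result of `["sha1"]` marks a file to re-check in the Digital Signatures tab.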
SHA-1 is a security algorithm, more than 21 years old, that's used for hashing data. It's deemed insecure by the computer industry. It was broken by researchers in 2018 using brute-force methods.
Microsoft has sent out various warnings about the use of SHA-1 over the years. In 2019, Microsoft shifted most of its Windows systems over to using SHA-2, according to its announced plans.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.