Update Your SHA-1 Certs If You Haven't Already

"SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST and published in 1995...In 2005, cryptanalysts found attacks on SHA-1 suggesting that the algorithm might not be secure enough for ongoing use...Microsoft, Google, and Mozilla have all announced that their respective browsers will stop accepting SHA-1 SSL certificates by 2017." 1,2

##### BEGIN MESSAGE FROM INFORMATION SECURITY OFFICE #####

I wanted to make you aware of some new research that indicates a practical exploit of SHA-1 will be possible in the next few months:

 http://arstechnica.com/security/2015/10/sha1-crypto-algorithm-securing-internet-could-break-by-years-end/

SHA-1 has been theoretically compromised for some time, but we believe this new information requires action.

If your unit has any active SHA-1 certificates in place, we would strongly recommend developing a plan to have them updated as soon as reasonably possible.

Please note that InCommon does not allow you to renew a SHA-1 certificate to a SHA-2 certificate -- they will need to be created as new certificates.

If you have any questions or concerns, you might refer to the following resource:

 https://www.incommon.org/cert/support

or feel free to let us know.

Thanks for your vigilance!

~cam.

##### END MESSAGE FROM INFORMATION SECURITY OFFICE #####

1  "SHA-1." Wikipedia: The Free Encyclopedia. Wikimedia Foundation, Inc.

2  Microsoft has announced that it will end support not only for its browsers, but for its operating systems.

Written by CNS OIT staff