Microsoft Is Set To Retire SHA1 & RC4

Microsoft advised its customers to stay away from SHA1 hashing algorithm and RC4 stream cipher that is widely used in applications and protocol. Microsoft revealed in its security advisory that after 1 January 2016 it would stop realizing certificate using SHA1 algorithm. The decision was taken in the interest of customer’s online security therefore root certificate authorities could not issue X.509 certificate with SHA1 algorithm because such algorithm is not so secure against phishing attack and man-in-middle attack.

Microsoft advised root certificate authorities to migrate to SHA2 hash algorithm and requested customers to change their certificate with SHA-2 algorithm.

SHA1 is widely used in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) which secure online data transition that take place between server and end users. SHA1 based certificate also verify software application whether they are real or fake/tampered. The main intention to avert SHA-1 algorithm is continuous changing hardware requirement, emerging cyber attacks, and evolving security research.

Cheap SSL

Difference Between SHA-1 And SHA-2

The only concern in SHA-2 is it requires large amount of space to store the hash. Besides this SHA-2 is faster and secure hashing algorithm. Below is the table that shows in technical term the difference between SHA-1 and SHA-2.

Hash Algorithms SHA-1 SHA-2 SHA-2
Output size (bits) 160 224 & 256 384/512
Internal Size(bit) 160 256 512
Block size (bits) 512 512 1024
Max message size (bits) 264 – 1 264 – 1 2128 – 1
Word size (bits) 32 32 64
Rounds 80 64 80
Collisions found Yes None None

History Of Collision Attack

In last decade, Iran had faced Fame malware that used cryptographic collision attack and sabotage MD5 algorithm. In this attack, infected computers had pretended to be legitimate official servers of Microsoft by forging Microsoft’s digital signatures. The infected machines were effectively able to install malicious software. Since then, Microsoft removes MD5 in its update system.

After experiencing such collision attack Microsoft is determined to stop using SHA-1 before it becomes victim of any cyber attack.

What Is Collision Attack?

Collision attack occurs where two similar plaintext messages have same hash value so the software program could not realize the modified hash value this technique allow attacker to create fake digital certificate that challenges the security of system and makes it vulnerable.

How Collision Attack formed?

If we take an example of Collision attack, it will create below situation.

  • Maria produces two dissimilar documents X and Y, both have an identical hash value (collision).
  • Maria then transmit document X to Arnold, who corresponds to what the document states, and signs its hash and send back to Maria.
  • Maria imitates the signature sent by Arnold from document X to document Y.
  • Then Maria sends document Y to Steve, asking that Arnold has signed the different document. Because the digital signature verifies the document hash, now Steve’s software is not capable to identify the modification.

RC4 Is Obsolete:

In a recent security, survey published on Microsoft security advisory stated that there are almost 58% sites are not using RC4 stream cipher while 43% apply it. Out of this 43%, there are hardly 3.9% sites require RC4 therefore, Microsoft announced to disapprove of RC4 cipher.

Microsoft also announced that customers must enable TLS version 1.2 and stop using RC4 cipher in server and applications. Microsoft advised to use TLS1.2 and AES-GCM and called IE-11 being a safer browser that minimize the use of weak cipher RC4 and allow standard security TLS1.2 by default. TLS1.2 has ability to protect against BEAST attack.

Frequent cyber attacks and changing hardware requirements compel respected authority and the whole cyber world to think in a different way. However, the fear is still stand in front of us when this cat and mouse race will end.


We Assure to Serve

Leading Brands

ClickSSL is platinum partner of leading CAs & offering broad range of SSL certificate products.

Valued Price

You are at right place to get cheapest SSLs; our prices are up to 79% low as compared to CAs.

100% Refund Policy

If you are not satisfied, our all SSL certificates are backed by 30-day 100% money back guarantee.

24×7 Support

Our experts are always active to help you, so you will get instant solutions for your queries.