All about SHA1, SHA2 and SHA256 hash algorithms
SHA256, provided by TBS INTERNET since 2008, will in the coming few years replace SHA1. But what is SHA?
SHA
SHA - standing for secure hash algorithm - is a hash algorithm used by certification authorities to sign certificates and CRL (certificates revocation list). Introduced in 1993 by NSA with SHA0, it is used to generate unique hash values from files.
Example: A file hashed with SHA1 could look like:
752c14ea195c369bac3c3b7896975ee9fd15eeb7
As for any cryptographic solution, SHA must evolve along with our computers' calculation capacities in order to avoid any weakness.
There are, therefore, several versions of SHA: SHA0 (obsolete because vulnerable), SHA1 (the most popular one), SHA2 (the one we are interested in) and finally SHA3 introduced in 2012.
SHA2
SHA2, not often used for now, is the successor of SHA1 and gathered 4 kinds of hash functions: SHA224, SHA256, SHA384 and SHA512.
It works the same way than SHA1 but is stronger and generate a longer hash.
Hash attacks, SHA1 and SHA2
There are 2 kinds of attacks specific to hash:
- A collision: there is collision when 2 different files produce an identical hash. It is then possible to substitute a file for an other. In our domain of expertise we could then imagine to replace an official certificate by a fraudulent one having the same hash values. SHA0 is not resistant to collision attacks, that is the reason why it is not used anymore.
- the preimage: one needs to distinguish preimage from first-preimage. The first one consists of 'guessing' a file value from its hash. The other one uses a hash to create a value different from the one that has been used to generate the hash.
What about SHA1 and SHA2?
Even if there has never been a successful complete collision with SHA1, the evolution of our computers' calculation capacities will soon make it possible. SHA2 is totally collision-resistant, its time has then come!
New standards / recommandations from certification authorities: Depreciation of SHA1
Note that SHA1 is being depraciated by browsers (Internet Explorer, Google Chrome, ...) and that the deadline for its scheduled disappearance is 2016-12-31. Therefore, the certification authorities that we work with do not issue certificates expiring after this date anymore.Learn more
SHA256 hash algorithm does not intervene in the encryption / authentication process but tools (browsers, email clients, servers...) must be able to read / decipher this kind of hash during the connection / authentication process.- if you install a SHA256 certificate on a client (strong authentication by certificate),
make the client (browser, webservice...) and the servers are compatible
even if the server keep using a SHA1/MD5 signed certificate. - if you install a SHA256 certificate on a server then all the clients connecting to it and the server must be SHA256-compatible.
- If you are using a SHA256 certificate to sign emails or documents, only the readers have to be compatible.
- SHA-256 signed certificates
- Our SHA-256 certificates offer
- SHA256-compatible browsers
- SHA256-compatible servers
- Certigna SSL RGS* certificates
OpenSSL and SHA256
By default, OpenSSL cryptographic tools are configured to make SHA1 signatures.
for example, if you want to generate a SHA256-signed certificate request (CSR) , add in the command line: -sha256, as:
Note: To do so, you'll need OpenSSL version 0.9.8o at least.
Decipher a SSL certificate:
openssl x509 -text -in [path-to-your-certificate]Check the field "Signature Algorithm". It should indicate either "sha1WithRSAEncryption" or "sha256WithRSAEncryption".
Useful links
Check your certificate installation with Co-Pibot:
In your Certificates center, on your certificate status page you'll see a "check your certificate" button. Click it to make sure your certificate has correctly been installed.- SHA1: Depreciation of SHA1 algorithm scheduled for 2015, 2016, 2017?
- SHA1 Root - the case of servers returning the root certificate
- SHA1 disappearance: what is the situation?
- Browsers compatible with SHA256 hash algorithm
- Severs compatible with SHA256 hash algorithm
- The certification chain does not match the certificate hash algorithm
- Servers returning a SHA1 root
- Install several SSL certificates on a same machine / IP: TLS SNI
- Gnerate a CSR in SHA256