AD CS: Migrate from SHA1 to SHA2 (SHA256)

It’s imperative for organizations to fully switch from SHA-1 to SHA-2. The National Institute of Standards and Technology (NIST) stated SHA-1 should not be trusted, PCI Compliance scanners no longer accept SHA-1 certificates, and Google has deprecated the SHA-1 algorithm. Too many vulnerabilities have been discovered with SHA-1 and networks are at serious risk of compromise if they don’t migrate to SHA-2.

However, migrating to SHA-2 isn’t a simple process because components that use SHA-1 may not be compatible with SHA-2. How can organizations update their Public Key Infrastructure (PKI) if some features won’t work with SHA-2?

Luckily, there are plenty of guides for SHA-1 to SHA-2 migration. We’ve compiled a list of key steps to cover in your migration plan.


SHA-1 vs SHA-2

Secure Hash Algorithm (SHA) is a cryptographic hash function that ensures the validity of a message and that it hasn’t been manipulated in any way. SHA computes a unique value for each piece of data, any change to that value means the data has been altered.

SHA-1 was designed in 1995 by the NSA, but has since been phased out in favor of SHA-2. Simply put, SHA-1 had been around long enough for people to discover and exploit its security vulnerabilities..

In 2005, researchers at the Shandong University in China found a collision attack technique that was able to effectively overcome SHA-1. A collision attack is a method of finding two inputs that produce the same hash value, allowing you to work backwards to discover the hash algorithm. The collision attack required significantly fewer actions than a brute force attack, allowing it to be completed with far fewer resources.

The cost of an attack like this can range from $110,000 to $560,000. Considering the value of the data protected by the hash, this cost could certainly be regained. The collision attack showed that bad actors had the capabilities to insert malware into regular internet traffic with relative ease and profit from the data they collected.

SHA-2 differs from SHA-1 as it uses a more complex cryptographic hashing standard. These hashes come in different sizes such as 224-bit, 256-bit (the most common size), and 512-bit. The larger bit size of the hashes make SHA-2 much harder to crack than its predecessor.SHA-2 fills in the security gaps created by SHA-1 and is the standard used by major browsers and industry titans like Microsoft. While there have been some exploits, it’s still the strongest option and will be for the next few years, until SHA-3 is more commercialized.

sha-2 ad cs


Creating a SHA-1 to SHA-2 Migration Plan

Since SHA-1 is so entrenched in legacy systems, migrating to SHA-2 can prove difficult. Upgrading your entire PKI to SHA-2 means configuring certificate authorities to issue SHA-2 certificates AND ensuring all users, devices, computers, applications, and workstations can use SHA-2.

Organizations will need to construct a proper migration plan because not all devices and applications will comply with SHA-2. Creating a plan allows you to effectively migrate to SHA-2, prioritize mission-critical applications, and identify any incompatible certificates.

There’s a variety of steps involved when migrating to a SHA-2 PKI, but each plan should contain this general structure:

Inventory SHA-1 Certificates

Take inventory of all devices, machines, and workstations that use SHA-1 certificates. Catalogue all certificates in use or about to be deployed and record their attributes (type, location, application).

Determine SHA-2 Support

Determine which devices and applications that can work with SHA-2. Some legacy systems and applications will not work with SHA-256 certificates, Windows Server 2003 to name one. For organizations that consist largely of legacy systems and applications, it’s recommended to use multi-domain certificates and split them in two: one for SHA-2 and the other for SHA-1.

Migrating from SHA-1 to SHA-2

Prioritize mission-critical applications for certificate replacement, then move on to remaining applications. This will be the most time-consuming task.

Enforce SHA-2 Policies

If you’ll be managing hundreds or thousands of certificates, configure access levels and group policies so weak or compromised certificates won’t be able to access critical applications.

Migrating to SHA-2 with SecureW2 PKI and CloudRADIUS

SHA-1 is particularly vulnerable to several cyber attacks and when coupled with credential-based authentication, leaves the network vulnerable to compromise. Luckily, those risks can be eradicated by switching to certificates and a Managed PKI.

SecureW2’s PKI operates with the EAP-TLS authentication method, which encrypts messages sent through the EAP tunnel and protects them with far more secure hash algorithms (like SHA-256). EAP-TLS uses public key cryptography to prevent outside attacks, including ones that can exploit SHA-1. Data protected by certificate authentication is secure from manipulation.

Many organizations have avoided implementing certificates because of historically perceived difficulties of issuing and managing certificates. Those concerns are alleviated with our best-in-class JoinNow onboarding software. Users can self-configure their devices for automatic certificate enrollment in a few easy steps and be automatically connected to the network from then on out.

Our PKI also comes with CloudRADIUS, a cloud-based RADIUS solution that is powered by a Dynamic Policy Engine. This allows the RADIUS server to directly reference your online directory and provides runtime-level SHA-2 policy enforcement. Instead of permissions being stored on the certificate, they can be stored in the directory. Any changes to user permissions will be reflected immediately.

Our PKI, CloudRADIUS, JoinNow onboarding software allow admins to securely and efficiently migrate to SHA-2, can integrate into any environment with no forklift upgrades, and come at an affordable price.

Key Takeaways:
  • Use a Managed PKI to securely migrate from SHA-1 to SHA-2
Learn about this author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.

Sam Metzler

AD CS: Migrate from SHA1 to SHA2 (SHA256)