Microsoft recommends against usage of SHA-1

Redmond software giant issues policy changes inline with US and Australian government agencies.
Written by Michael Lee, Contributor on

Microsoft is advising its customers to stop using the SHA-1 hashing algorithm in cryptographic applications such as SSL/TLS encryption and code signing.

In a security advisory issued by the company, Microsoft said that it would stop recognising certificates using the algorithm after January 1, 2016. After this date, certificate authorities (CAs) that issue certificates under the Windows Root Certificate Program will only be able to issue SHA-2 certificates.

According to Microsoft, SHA-1 is used in 98 percent of all certificates issued worldwide. However, it also claims that since 2005 researchers have discovered collision attacks against the algorithm that mean it no longer meets its security standards. Although the announcement to drop SHA-1 comes today, the Australian Signals Directorate (ASD) has been advising government agencies to move to SHA-2 since December 2011.

The ASD also has a slightly different opinion of when the collision attacks were first known, stating that "theoretically impressive attacks" against SHA-1 were known since 2004, but that they were not practical to implement.

ASD has already removed the "weakened but not broken" SHA-1 algorithm from use in its Information Security Manual.

The US National Institute of Standards and Technology, which published the algorithm, also stated in September 2012 that US federal agencies should stop using SHA-1.

Editorial standards