Entrust Datacard

Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2014-09-15 15:45:29.0

TN 8526 - What is SHA-2?

Question: What is SHA-2?

Answer:

SHA-2 is a family of hashing algorithms to replace the SHA-1 algorithm.  SHA-2 features a higher level of security than its predecessor. It was designed through The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Entrust uses the SHA-1 hashing algorithm to sign all digital certificates. Entrust is introducing the SHA-256 variant of the SHA-2 family as a signing option for all certificates.  Due to possible backwards compatibility issues with older Operating Systems, Entrust is also leaving the SHA-1 the default hashing algorithm and allowing the customer to optionally choose SHA-2 when signing or to set SHA-2 as the default  in the Certificate Management Service (CMS).

One of the major benefits of using SHA-2 is that it addresses some weaknesses in the SHA-1 hashing algorithm. SHA-1 is not considered to be unsafe at this time; however, the weaknesses that have been identified make the algorithm vulnerable to possible exploitation over the coming years. 

One of the drawbacks with SHA-2 is that there are some older applications and operating systems that do not support it. Compatibility problems are the main reason why SHA-2 algorithms have not been adopted more rapidly. Windows XP Service Pack 2 or lower does not support the use of SHA-2.  The use of SHA-2 on websites may pose a problem if the end user has an older operating system.

Regarding server side support for SHA-2, there are a few things that need to be considered. If you are using a Windows environment, Microsoft has published the following blog for SHA-2 deployment. You will need to make sure you have the minimum supported version of Windows server, along with any required patches that are mentioned.

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

Java based servers will be able to support SHA-2 as long as Java SDK 1.4.2 or higher is installed and used on the server.

Apache based servers will be able to support SHA-2 with Apache version 2.x or higher. Open SSL 1.1.x will be required for certificate signing request and private key generation.

For other server types that are not based on Windows, Java, or Apache, it is recommended that you check with the vendor to ensure that your server/appliance will be able to support SHA-2 signed certificates.