1

There is so little info and so much confusion out there.

People often equate SHA2 as being SHA256; so then would SHA be 160 bit, also known as SHA1?

Is SHA deprecated, like SHA1?

Are they the same thing?

What is the difference, anyway?

Does a deprecated SHA1 mean one should consider disabling SCHANNEL\Hashes\SHA?

Nathan Basanese
  • 640
  • 1
  • 10
  • 20
Tyler
  • 417
  • 5
  • 13
  • Is sha sha-0? I looked up sha vs sha1, never found anything. – Tyler Apr 13 '18 at 03:34
  • This is all I have found, still doesn't answer my question conclusively SHA stands for Secure Hashing Algorithm. SHA-1 and SHA-2 are two different versions of that algorithm. They differ in both construction (how the resulting hash is created from the original data) and in the bit-length of the signature. You should think of SHA-2 as the successor to SHA-1, as it is an overall improvement. – Tyler Apr 13 '18 at 03:37
  • Cont: Primarily, people focus on the bit-length as the important distinction. SHA-1 is a 160-bit hash. SHA-2 is actually a “family” of hashes and comes in a variety of lengths, the most popular being 256-bit. – Tyler Apr 13 '18 at 03:37
  • Cont: The variety of SHA-2 hashes can lead to a bit of confusion, as websites and authors express them differently. If you see “SHA-2,” “SHA-256” or “SHA-256 bit,” those names are referring to the same thing. If you see “SHA-224,” “SHA-384,” or “SHA-512,” those are referring to the alternate bit-lengths of SHA-2. You may also see some sites being more explicit and writing out both the algorithm and bit-length, such as “SHA-2 384.” – Tyler Apr 13 '18 at 03:37

1 Answers1

3

People often equate SHA2 as being SHA256...

Do they? While this is not fully true it is not fully wrong: SHA-256 is part of the SHA-2 family which also includes SHA-512 and others. See What is the relationship between “SHA-2” and “SHA-256”

... so then would SHA be 160 bit? AKA SHA1?

SHA is originally not SHA-1 but SHA-0. From Wikipedia:Secure Hash Algorithms:

SHA-0: A retronym applied to the original version of the 160-bit hash function published in 1993 under the name "SHA". It was withdrawn shortly after publication due to an undisclosed "significant flaw" and replaced by the slightly revised version SHA-1.

Despite this SHA-1 is often simply called SHA, like in cipher names like TLS_RSA_WITH_AES_128_CBC_SHA.

Does a depreciated SHA1 mean one should consider disabling SCHANNEL\Hashes\SHA?

This setting seems to affect the availability of SHA-1 in older versions of Windows (up to Windows 2003). But not every use of SHA-1 is bad. While it is no longer considered secure enough to be used for signing X.509 certificates used by TLS it is still considered safe to be used as HMAC as used in ciphers like TLS_RSA_WITH_AES_128_CBC_SHA. See Will Google block HMAC-SHA1 along with SHA1 signed certificates?. Thus, disabling SHA-1 in general using this registry key is not recommended (but it is probably recommended to use a newer version of Windows than Windows 2003).

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • Thank you so much for your comment, it is so much appreciated. The only time I have noticed the use of sha-hmac so far was using NordVPN; current VPN is not using this; so I will certainly consider blocking sha under schannel. – Tyler Apr 13 '18 at 04:19
  • @Tyler: SHA-1 is still heavily used as HMAC in ciphers within TLS. It might also have other valid use cases. Blocking the algorithm in general might cause strange problems without effectively increasing the security. – Steffen Ullrich Apr 13 '18 at 04:24
  • Wow, so I assume then it may not increase security only because the standards out there today take into account the previous "significant flaws" and other industry standard changes; on servers, web servers, web browsers (etc) in regards to sha? – Tyler Apr 13 '18 at 04:32
  • Windows does not take into account disabling RC4, NULL, and 3DES... so it makes me extra cautious. – Tyler Apr 13 '18 at 04:35
  • @Tyler: I recommend that you make yourself familiar with the different use cases of hash algorithms like SHA-1 and which flaws of an algorithm are relevant in the various use cases. HMAC is a different use case than signatures and flaws which lead to the deprecation of SHA-1 for signatures (only!) don't affect the safety of using SHA-1 for HMAC. – Steffen Ullrich Apr 13 '18 at 04:55
  • I will keep that in mind and cautiously maintain the use of sha for the time being; Also, please bear in mind the following: SHA-1 deprecation countdown Update (4/26/2017) https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation/ – Tyler Apr 13 '18 at 05:18
  • @Tyler: please read carefully the details about the SHA-1 deprecation. It only affects digital signatures and the instruction also show how to disable SHA-1 for digital signatures only and not in general. HMAC is not a digital signature. – Steffen Ullrich Apr 13 '18 at 05:25
  • It also says they are depreciating it because of "Weaknesses in SHA-1 could allow an attacker to spoof content, execute phishing attacks, or perform man-in-the-middle attacks when browsing the web" so this means signatures are used in web browsing? Please elaborate if I am mistaken. Microsoft talks of depreciating SHA-1 in their web browsers. Windows also released an update for that. I'm assuming the browser creators are responsible for depreciating these kinds of things also. What about Windows Update, CryptoAPI, IIS, and all the rest? All of these depend on Schannel. – Tyler Apr 13 '18 at 05:30
  • @Tyler: SHA-1 is/was used to sign X.509 certificates. These signatures are essential to verify these certificates. Proper certificate verification is essential in HTTPS - if it fails man in the middle attacks or impersonation of a server are possible. Thus: weakness in cryptographic signatures could allow modification of content or impersonation of servers. Also signatures are used to sign software and updates and thus weakness in signatures could result in fake software/updates. But again, use of SHA-1 in HMAC is not affected by this. – Steffen Ullrich Apr 13 '18 at 06:00
  • Microsoft is being extra cautious with their browsers blocking sha1 entirely to encourage https enabled servers/hosts to transition to safer sigs; Sounds like its worth experimenting with blocking sha altogether, If all works well nothing to worry about. If web servers/browsers are doing what they can to depreciate these then there is less to be worried about; Though Firefox does allow insecure non PFP algorithms by default. One has to manually change their browser settings, and WinHttp, .NET, and Schannel (Schannel = Windows update, CryptoAPI, IIS among others like SQL server etc) for windows – Tyler Apr 13 '18 at 06:09
  • 1
    Here is a registry file I made to do enable highest security for all devices I have just described in the above comment, also you can remove everything creating a reg file with the second half of the file: https://pastebin.com/Rrp6JbUR – Tyler Apr 13 '18 at 06:19
  • @Tyler: I think you are moving too far away from your original question. If you need help with creating specific system policies please ask a new question. – Steffen Ullrich Apr 13 '18 at 06:22
  • Disabling sha for security purposes is very directly related to the original post I had personally written here. – Tyler Apr 13 '18 at 07:14
  • @Tyler: *If* it should be disabled is related but is already answered. *How* it should be disabled, i.e. the exact policies needed and the exact syntax in the registries on a specific operating system is not. – Steffen Ullrich Apr 13 '18 at 07:18
  • 1
    It would IMO make sense to add that SHA is not one "family" of algorithms, but totally different (especially SHA-3) algorithms wich are somehow selected and then choose to be the new SHA now. While SHA-0/1/2 are quite similar, SHA-3 is totally different and not just a "better SHA-2". – Josef Apr 13 '18 at 09:41
  • @Josef: SHA-\* are not even two families like one might derive from your comment. While SHA-1 and SHA-2 share some basic ideas (which they share with MD5) they are actually quite different, i.e. SHA-2 is not only just a longer version of SHA-1. SHA-3 then is totally different from the underlying idea. – Steffen Ullrich Apr 13 '18 at 10:20
  • @Steffen, if you or anybody here knows of the recommended list of cipher strings that should be enabled and what should be disabled in regards to sha, please do share! Thank you so much. – Tyler Apr 13 '18 at 21:26
  • 1
    I am not seeing hmac anywhere in the default lists within windows or recommended lists online anywhere. – Tyler Apr 13 '18 at 21:38
  • @Tyler: again, please ask a new question if you need this kind of detail. Also, use of SHA-1 in signatures has nothing to do with TLS ciphers. Using SHA-1 as HMAC instead is part of the TLS cipher definition. – Steffen Ullrich Apr 14 '18 at 02:45