Display and rate signature hash algorithm (SHA) for Exchange certificates found on the system #592
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnap/a48b02b2-2a10-4eb0-bed4-1807a6d2f5ad
SignatureHashAlgorithmSecure = Unknown 0
SignatureHashAlgorithmSecure = Insecure/Weak 1
SignatureHashAlgorithmSecure = Secure 2
Where is the documentation on what is determined as secure or weak?
Message-Digest Algorithms (up to md5) are vulnerable to collision attacks (reported in 2008). See: https://docs.microsoft.com/en-us/security-updates/securityadvisories/2008/961509#suggested-actions
Same goes for SHA-1 (SHAttered attack https://shattered.io). So it should be considered weak.
See: https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html
SHA-2 and higher should be good for now.
More information:
https://developer.mozilla.org/en-US/docs/Web/Security/Weak_Signature_Algorithm
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/microsoft-to-use-sha-2-exclusively-starting-may-9-2021/ba-p/2261924
https://csrc.nist.gov/projects/hash-functions/nist-policy-on-hash-functions
And many more...
Let's add a link to a Microsoft location in the displayed results when we have a weak algorithm being used.
As discussed: We'll link to: https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-tls-038-ssl-best-practices/ba-p/603798
277cb62 to 0a85bad
format update
Wording changed
4d017f8 to 4d704b1
Description:
We are now displaying/rating the Signature Hash Algorithm for each Exchange certificate found on the system. We show a warning (yellow) if SHA-1 was used (because the SHA-1 hash algorithm should be considered weak).
Issue #589
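As an added example (not HealthChecker's own code), a PowerShell sketch of the rating the thread describes: classify each certificate's signature hash algorithm as Unknown 0 / Insecure/Weak 1 / Secure 2, and emit a yellow warning with the agreed Microsoft link when a weak one is found. It assumes the Exchange certificates can be read from the Cert:\LocalMachine\My store and that the friendly names follow the .NET convention (sha256RSA, sha1RSA, md5RSA, ...).

```powershell
# Added example, not the HealthChecker project's code.
# Assumption: Exchange certificates live in Cert:\LocalMachine\My.
$WeakAlgorithmLink = 'https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-tls-038-ssl-best-practices/ba-p/603798'

function Get-SignatureHashRating {
    # Maps a .NET signature algorithm friendly name (e.g. "sha256RSA") to the
    # rating values from the reviewed snippet: 0 Unknown, 1 Insecure/Weak, 2 Secure.
    param([Parameter(Mandatory)][string]$SignatureAlgorithmFriendlyName)

    switch -Regex ($SignatureAlgorithmFriendlyName) {
        '^md(2|4|5)'             { return 1 }  # MD family: collision attacks, weak
        '^sha1'                  { return 1 }  # SHA-1: SHAttered, weak
        '^sha(224|256|384|512)'  { return 2 }  # SHA-2 family: secure for now
        default                  { return 0 }  # anything else: unknown
    }
}

function Get-CertificateSignatureHashReport {
    # Rates every certificate in the given store and warns (yellow) on weak ones.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $friendlyName = $_.SignatureAlgorithm.FriendlyName
        $rating = Get-SignatureHashRating -SignatureAlgorithmFriendlyName $friendlyName

        if ($rating -eq 1) {
            # Write-Warning renders in yellow, matching the PR description.
            Write-Warning ("Certificate {0} uses a weak signature hash algorithm ({1}). See: {2}" -f `
                $_.Thumbprint, $friendlyName, $WeakAlgorithmLink)
        }

        [PSCustomObject]@{
            Thumbprint                   = $_.Thumbprint
            Subject                      = $_.Subject
            SignatureHashAlgorithm       = $friendlyName
            SignatureHashAlgorithmSecure = $rating
        }
    }
}

Get-CertificateSignatureHashReport | Format-Table -AutoSize
```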