Source: Ask the Directory Services Team, TechNet Blogs (page printed 6/20/2015)
http://blogs.technet.com/b/askds/archive/2013/08/14/md5-signature-hash-deprecation-and-your-infrastructure.aspx
MD5 Signature Hash Deprecation and Your Infrastructure
David Beach [MSFT], 14 Aug 2013 7:42 AM
Hi everyone, David here with a quick announcement.
Yesterday, MSRC announced a timeframe for deprecation of built-in support for certificates that use the MD5 signature hash. You can find more information here:
http://blogs.technet.com/b/srd/archive/2013/08/13/cryptographic-improvements-in-microsoft-windows.aspx
Along with this announcement, we've released a framework which allows enterprises to test their environment for certificates that might be blocked as part of the upcoming changes (Microsoft Security Advisory 2862966). This framework also allows future deprecation of other weak cryptographic algorithms to be streamlined and managed via registry updates pushed via Windows Update.
Some Technical Specifics:
This change affects certificates that are used for the following:
- server authentication
- code signing
- time stamping
Other certificate usages that used the MD5 signature hash algorithm will NOT be blocked.
For code signing certificates, we will allow signed binaries that were signed before March 2009 to continue to work, even if the signing cert used the MD5 signature hash algorithm.
Note: Only certificates issued under a root CA in the Microsoft Root Certificate Program are affected by this change. Enterprise-issued certificates are not affected but should still be updated.
What this means for you:
1. If you're using certificates that have an MD5 signature hash (for example, if you have older web server certificates that used this hashing algorithm), you will need to update those certificates as soon as possible. The update is planned to release in February 2014; make sure anything you have that is internet-facing has been updated by then.
You can find out what signature hash was used on a certificate by simply pulling up the details of that certificate's public key on any Windows 8 or Windows Server 2012 machine. Look for the signature hash algorithm that was used. The certificate in my screenshot uses sha1, but you will see md5 listed on certificates that use it.
If you are on Server Core or have an older OS, you can see the signature hash algorithm by using certutil -v against the certificate.
2. Start double-checking your internal applications and certificates to ensure that you don't have something older that's using an MD5 hash. If you find one, update it or contact the vendor to have it updated.
3. Deploy KB 2862966 in your test and QA environments and use it to test for weaker hashes. (You are using test and QA environments for your major applications, right?) The update allows you to implement logging to see what would be affected by restricting a hash. It's designed to allow you to get ahead of the curve and find the potential weak spots in your environment.
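To take the inventory that steps 1 and 2 ask for across a whole machine rather than one certificate at a time, here is an added PowerShell script (written for this edit, not code from the original post or from Microsoft). It walks the local certificate stores, builds each certificate's chain, and reports any certificate whose chain contains an MD5-signed link, together with the EKUs the post says will be blocked. The store names and EKU OIDs are standard Windows values; the AuthRoot check is a heuristic I added, not something the post states.

```powershell
# Added example: find certificates on this machine that depend on an MD5 signature.
# Assumes an elevated Windows PowerShell session. Store paths and EKU OIDs are the
# standard Windows ones; the "AuthRoot" heuristic is this script's assumption.

# EKUs the post lists as affected (server authentication, code signing, time stamping).
$blockedUsages = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.3' = 'Code Signing'
    '1.3.6.1.5.5.7.3.8' = 'Time Stamping'
}

function Test-Md5Signature {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # md5WithRSAEncryption is OID 1.2.840.113549.1.1.4; also match on the friendly name
    # (e.g. "md5RSA") in case the local OID database labels it differently.
    $alg = $Cert.SignatureAlgorithm
    return ($alg.Value -eq '1.2.840.113549.1.1.4') -or ($alg.FriendlyName -match 'md5')
}

function Get-BlockedUsages {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }   # no EKU extension: none of the three listed usages
    $eku.EnhancedKeyUsages | ForEach-Object { $blockedUsages[$_.Value] } | Where-Object { $_ }
}

# Heuristic: roots delivered by the Windows root program land in AuthRoot; roots pushed
# by an enterprise (GPO, AD CS) normally live only in Root. Confirm manually before acting.
$programRoots = @(Get-ChildItem Cert:\LocalMachine\AuthRoot -ErrorAction SilentlyContinue | ForEach-Object Thumbprint)

$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\My'
foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem $store -ErrorAction SilentlyContinue) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only care about signature hashes here
        [void]$chain.Build($cert)
        # Skip self-issued trust anchors: Windows does not validate a root's own self-signature,
        # so an MD5-signed root by itself is not what the post describes as blocked.
        $md5Links = @($chain.ChainElements |
            Where-Object { $_.Certificate.Subject -ne $_.Certificate.Issuer -and (Test-Md5Signature $_.Certificate) })
        if ($md5Links.Count -eq 0) { continue }
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Store            = $store
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Md5SignedLinks   = ($md5Links | ForEach-Object { $_.Certificate.Subject }) -join '; '
            BlockedUsages    = (Get-BlockedUsages $cert) -join ', '
            RootInAuthRoot   = $programRoots -contains $root.Thumbprint
        }
    }
}
```

Pipe the output to Export-Csv to build the worklist for step 2; rows with an empty BlockedUsages column are not in the affected set, but still worth replacing.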
Sometimes security announcements like this can seem a little like overkill, but remember that your certificates are only as strong as the hashing algorithm used to generate the private key. As computing power increases, older hashing algorithms become easier for attackers to crack, allowing them to more easily fool computers and applications into allowing them access or executing code. We don't release updates like this lightly, so make sure you take the time to inspect your environments and fix the weak links, before some attacker out there tries to use them against you.
David "Security is everyone's business" Beach