4 MD5 Signature Hash Deprecation and Your Infrastructure David Beach ‐ MSFT 14 Aug 2013 7:42 AM Tweet 15 Save this on Delicious 7 Like Share 6 Hi everyone, David here with a quick announcement. Yesterday, MSRC announced a timeframe for deprecation of built‐in support for certificates that use the MD5 signature hash. You can find more information here: http://blogs.technet.com/b/srd/archive/2013/08/13/cryptographic‐improvements‐in‐microsoft‐windows.aspx Along with this announcement, we've released a framework which allows enterprises to test their environment for certificates that might be blocked as part of the upcoming changes ﴾Microsoft Security Advisory 2862966 ﴿. This framework also allows future deprecation of other weak cryptographic algorithm to be streamlined and managed via registry updates ﴾pushed via Windows Update﴿. Some Technical Specifics: This change affects certificates that are used for the following: server authentication code signing time stamping Other certificate usages that used MD5 signature hash algorithm will NOT be blocked. For code signing certificates, we will allow signed binaries that were signed before March 2009 to continue to work, even if the signing cert used MD5 signature hash algorithm. Note: Only certificates issued under a root CA in the Microsoft Root Certificate program are affected by this change. Enterprise issued certificates are not affected ﴾but should still be updated﴿. What this means for you: 1﴿ If you're using certificates that have an MD5 signature hash ﴾for example, if you have older web server certificates that used this hashing algorithm﴿, you will need to update those certificates as soon as possible. The update is planned to release in February 2014; make sure anything you have that is internet facing has been updated by then. You can find out what signature hash was used on a certificate by simply pulling up the details of that certificate's public key on any Windows 8 or Windows Server 2012 machine. Look for the signature hash algorithm that was used. ﴾The certificate in my screenshot uses sha1, but you will see md5 listed on certificates that use it﴿. If you are on Server Core or have an older OS, you can see the signature hash algorithm by using certutil ‐v against the certificate. 2﴿ Start double‐checking your internal applications and certificates to insure that you don't have something older that's using an MD5 hash. If you find one, update it ﴾or contact the vendor to have it updated﴿. 3﴿ Deploy KB 2862966 in your test and QA environments and use it to test for weaker hashes ﴾You are using test and QA environments for your major applications, right?﴿. The update allows you to implement logging to see what would be affected by restricting a hash. It's designed to allow you to get ahead of the curve and find the potential weak spots in your environment. Sometimes security announcements like this can seem a little like overkill, but remember that your certificates are only as strong as the hashing algorithm used to generate the private key. As computing power increases, older hashing algorithms become easier for attackers to crack, allowing them to more easily fool computers and applications into allowing them access or executing code. We don't release updates like this lightly, so make sure you take the time to inspect your environments and fix the weak links, before some attacker out there tries to use them against you. ‐‐David "Security is everyone's business" Beach Microsoft's official enterprise support blog for AD DS and more All About Windows Server Cloud Platform Blogs Datacenter Management Client Management Virtualization, VDI & Remote Desktop File & Storage & High Availability Windows Server Management Identity & Access Ask the Directory Services Team

MD5 Signature Hash Deprecation

Download PDF Report

Upload
navneetmishra
View
222
Download
6

Embed Size (px)

DESCRIPTION

Citation preview

6/20/2015 MD5SignatureHashDeprecationandYourInfrastructureAsktheDirectoryServicesTeamSiteHomeTechNetBlogs

http://blogs.technet.com/b/askds/archive/2013/08/14/md5signaturehashdeprecationandyourinfrastructure.aspx 1/2

4

MD5 Signature Hash Deprecation and Your InfrastructureDavid Beach MSFT 14 Aug 2013 7:42 AM

Tweet 15 Save this on Delicious7Like Share 6

Hi everyone, David here with a quick announcement.

Yesterday, MSRC announced atimeframe for deprecation of builtin support forcertificates that use theMD5 signaturehash. You can find more information here:

http://blogs.technet.com/b/srd/archive/2013/08/13/cryptographicimprovementsinmicrosoftwindows.aspx

Along with this announcement,we've released a framework which allows enterprises to test their environment forcertificates that might be blocked as part of the upcoming changes Microsoft Security Advisory 2862966. This frameworkalso allows future deprecation of other weak cryptographic algorithm to be streamlined and managed via registry updatespushed via Windows Update.

Some Technical Specifics:

This change affects certificates that are used for the following:

server authenticationcode signingtime stampingOther certificate usages that used MD5 signature hash algorithm will NOT be blocked.

Forcode signing certificates, we will allow signed binaries that were signed before March 2009 to continue to work, even ifthe signing cert used MD5 signature hash algorithm.

Note: Only certificates issued under a root CA in the Microsoft Root Certificate program are affected by this change.Enterprise issued certificates are not affected but should still be updated.

What this means for you:

1 If you're using certificates that have an MD5 signature hash for example, if you have older web server certificates thatused this hashing algorithm, you will need to update those certificates as soon as possible. The update is planned torelease in February 2014; make sure anything you have that is internet facing has been updated by then.

You can find out what signature hash was used on a certificate by simply pulling up the details of that certificate's publickey on any Windows 8 or Windows Server 2012 machine. Look for the signature hash algorithm that was used. Thecertificate in my screenshot uses sha1, but you will see md5 listed on certificates that use it.

If you are on Server Core or have an older OS, you can see the signature hash algorithm by using certutil v against thecertificate.

2 Start doublechecking your internal applications and certificates to insure that you don't have something older that'susing an MD5 hash. If you find one, update it or contact the vendor to have it updated.

3 Deploy KB 2862966 in your test and QA environments and use it to test for weaker hashes You are using test and QAenvironments for your major applications, right?. The update allows you to implement logging to see what would beaffected by restricting a hash. It's designed to allow you to get ahead of the curve and find the potential weak spots inyour environment.

Sometimes security announcements like this can seem a little like overkill, but remember thatyour certificates are only asstrong as the hashing algorithm used to generate the private key. As computing power increases, older hashingalgorithms become easier for attackers to crack, allowing them to more easily fool computers and applications intoallowing them access or executing code. We don't release updates like this lightly, so make sure you take the time toinspect your environments and fix the weak links, before some attacker out there tries to use them against you.

David "Security is everyone's business" Beach

Microsoft's official enterprise support blog for AD DS and more

All AboutWindows Server

Cloud PlatformBlogs

DatacenterManagement

ClientManagement

Virtualization,VDI & RemoteDesktop

File & Storage &High Availability

Windows ServerManagement

Identity & Access

Ask the Directory Services Team