Technical Blog Post
Why use SHA256 instead of SHA1?
In 2017, a number of companies announced they would no longer support SHA-1 signing. What’s behind this change, and what does it mean for Sterling B2B Integrator users?
First of all, let me give an overview of signing. Signing is the process of applying a cryptographic hash function to data, to generate a string of characters, which can then be used to guarantee the data is intact. The sender uses a private certificate to generate the signing string, then the receiver uses the public key of that certificate to verify the signing string. If they can do that, they know the data they’ve received is the same as what was sent.
In Sterling B2B Integrator, signing is used as part of a certificate. It is also used in some data transfers such as AS2.
In AS2, there are several signing methods that are allowed. MD5 is an option, but it is not widely used. It is possible for a collision to occur where the same signing string can be generated for two different pieces of data. That in turn means it doesn’t do a good job of allowing the receiver to verify the data is intact. SHA1 (sometimes written as SHA-1; the two are the same thing) has been offered for several years as an alternative, but in recent years it has been discovered that collisions are possible with it as well.
Collision attacks are possible, where cyber criminals can cause MD5 and SHA1 collisions to steal data and cause other problems. In 2012, it looked like we would all be safe until 2018 because these attacks take processing power that costs money. By 2015, it was apparent to researchers that attacks were getting cheaper more rapidly than expected.
In 2015, based on the research from 2012, Google, Microsoft and Mozilla announced their browsers would no longer support SHA-1 signing as of the start of 2017. The later research revealed this should have been done much earlier, but they had already announced their plans and were not able to change them.
When 2017 came, the browser companies all stopped accepting SHA1 signing. The rest of the computer industry that exchanges data also began to shift away from SHA1 as a signing algorithm. The companies which back certificates will not issue SHA-1 signed certificates any longer.
SHA2 is a set of signing standards that includes SHA256, SHA384 and SHA512. (These are sometimes written as SHA-256, SHA-384 and SHA-512. The dash in the middle makes no difference; SHA-512 and SHA512 are the same standard.) SHA2 was designed to replace SHA1, and is considered much more secure.
Most companies are using SHA256 now to replace SHA1. Sterling B2B Integrator supports all three SHA2 algorithms, but most of our users are now using SHA256.
Sterling B2B Integrator versions earlier than 5.2.5 cannot support SHA256. If you are on an older version, it is critically important to upgrade your instance as soon as possible. The Sterling Certificate Wizard cannot create SHA256 certificate signing requests (CSR). It was replaced by the IBM tool iKeyman, or by using OpenSSL. My colleague Alex Chia wrote an excellent explanation of how to create a CSR using OpenSSL, which is here:
In summary, it is very important for all Sterling B2B Integrator companies to move to SHA256 signing as soon as possible. This blog explains that SHA1 is alarmingly insecure, and not even usable with many companies now.
As an addendum, the SHA3 standard was released in 2015 by the (US) National Institute of Standards and Technology (NIST). It has not yet been widely implemented, and is not available in any version of Sterling B2B Integrator as of the end of 2017. SHA2 algorithms are the current standard of the data transfer and security industries.
If you have further questions about SHA1 or SHA2 signing, or information to add, please make a comment to this blog entry!
If you need assistance with upgrading your instance of Sterling B2B Integrator, or with implementing SHA2 signing for certificates or data transfers, please open a PMR with Support. An analyst will be very happy to assist.