FAQ: Secure Hashing Algorithm (SHA) Transition

Summary

The Drug Enforcement Administration’s (DEA) Controlled Substance Ordering System (CSOS) subscribers’ digital certificates are being upgraded to the SHA-256 secure hashing algorithm. This upgrade will affect all systems and applications utilizing DEA CSOS certificates and may require system upgrades for SHA-256 compatibility. Software and hardware support and guidance will be provided by your software vendor.

Background

SHA-1, developed by the National Security Agency (NSA), is a cryptographic hash function that transforms a string of characters (data) into a fixed-length value (the hash value) that represents the original string. An important application of such a hash function is message integrity: any change to the original data changes the hash value. In 2005, the National Institute of Standards and Technology (NIST) discovered a weakness in SHA-1 and, as a result, decided that Federal agencies should stop using SHA-1 after 2010 and consider it deprecated for use in digital signatures through December 2013. NIST has instructed agencies to transition to a stronger secure hash algorithm, SHA-256.

Answer: The Controlled Substance Ordering System (CSOS) currently issues public key infrastructure (PKI) certificates that are signed digitally using a secure hash algorithm (SHA-1) to prevent tampering. As a result of discovered weaknesses with SHA-1, CSOS will be transitioning away from SHA-1 and begin using SHA-256 for signing digital certificates.
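Added example, not part of the DEA FAQ: a standard-library Python check that reports which hash algorithm a certificate's signature uses, so a site can find certificates still signed with SHA-1 before the transition. The two sample blobs are constructed skeletal structures (a one-integer tbsCertificate, an AlgorithmIdentifier, an empty signature), not real CSOS certificates; a real certificate's full tbsCertificate is skipped the same way.

```python
"""Name the hash in an X.509 Certificate.signatureAlgorithm (RFC 5280) using only the stdlib."""
import base64

SIG_ALG_OIDS = {  # RSA signature-algorithm OIDs and the hash each one uses
    "1.2.840.113549.1.1.5": "SHA-1", "1.2.840.113549.1.1.11": "SHA-256",
    "1.2.840.113549.1.1.12": "SHA-384", "1.2.840.113549.1.1.13": "SHA-512",
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_hash_from_der(der):
    """Name the signature hash, or 'unknown (<oid>)' for an OID not in the table."""
    _, pos, _ = _read_tlv(der, 0)  # outer Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(der, pos)  # tbsCertificate: skipped whole
    _, alg_start, _ = _read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OID inside it
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in signatureAlgorithm")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_OIDS.get(oid, f"unknown ({oid})")

def signature_hash_from_pem(pem):
    """Same check on PEM text: drop the armor lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return signature_hash_from_der(base64.b64decode(body))

# Constructed skeletal blobs (not real certificates): one-integer tbsCertificate,
# AlgorithmIdentifier with NULL parameters, empty signature BIT STRING.
SHA1_SKELETON = bytes.fromhex("3018 3003020101 300d06092a864886f70d010105 0500 03020000")
SHA256_SKELETON = bytes.fromhex("3018 3003020101 300d06092a864886f70d01010b 0500 03020000")
SHA1_PEM = "-----BEGIN CERTIFICATE-----\nMBgwAwIBATANBgkqhkiG9w0BAQUFAAMCAAA=\n-----END CERTIFICATE-----\n"

def still_on_sha1(certs):
    """Return the names of certificates (name -> DER bytes) whose signature still uses SHA-1."""
    return [name for name, der in certs.items() if signature_hash_from_der(der) == "SHA-1"]
```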

Answer: CSOS plans to transition to SHA-256 prior to December 31, 2013, which is the deadline for generating digital signatures using SHA-1. Specific CSOS dates will be announced when available.

What references are available describing SHA-256?

Answer: Please refer to Appendix A: Software Products SHA-2 Support for a more complete list of SHA-256 compatible applications.

  • Applications that sit on Windows XP (WinXP) Service Packs 1 and 2, along with Windows Server 2003 Service Packs 1 and 2, will need to be modified to use SHA-256. A Microsoft Hotfix for SHA-256 compatibility is described in Microsoft Knowledgebase Article (KB 968730)[1].

Answer: Current CSOS users will remain unaffected until the transition occurs.

Upon transition, CSOS users experiencing issues should first contact their software vendor or supplier.

Answer:

Answer: E-mail: Online Support Request Form (http://diversiontest.usdoj.gov/support.html). Users navigate to the Online Support Request Form and can e-mail questions.


Appendix A: Software Products SHA-2 Support

MICROSOFT PRODUCTS

Microsoft products use the Microsoft Cryptography Application Programming Interface (MS CAPI) to process hash algorithms.

Digital signing:
  • Windows 7, Windows Vista, and Server 2008 support SHA-256.
  • Windows XP Service Pack 3 and Windows Server 2003 Service Pack 2 (with a hotfix [2]) can process and validate SHA-256, but cannot create a new SHA-256 signature. As a workaround, a SHA-1 signature can be used to sign documents, e-mails, etc., if use of the algorithm is supported by a risk assessment.
  • Older versions of Microsoft operating systems do not support SHA-256.

NON-MICROSOFT PRODUCTS

Some non-Microsoft products provide their own cryptographic algorithms. Contact the vendor or software supplier for SHA-256 compatibility.


[1] Microsoft Knowledgebase Article: http://support.microsoft.com/kb/968730

[2] Hotfix for Windows Server 2003 and Windows XP: http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=968730&kbln=en-us