SHA-2 vs. SHA-1: The Complete Rundown (2024)

Arc's Drummond® certification includes the optional SHA-2 profile, which was introduced to the testing in 2012. This addition ensures interoperability with partners using SHA-2 certificates and signatures. SHA-2 is more secure than SHA-1. This article answers common questions about the differences between SHA-1 and SHA-2 and explains the algorithms' roles in information security with regard to AS2.

What is SHA-2?

SHA-2 is a family of hash algorithms that was created to replace SHA-1. SHA-2 actually consists of the SHA-224, SHA-256, SHA-384, and SHA-512 algorithms. SHA-256 is the most common implementation from this standard.

What is a hash algorithm? Why use SHA-2 in place of SHA-1?

SHA-2 and SHA-1 are one-way hashes used to represent data. The same set of data always produces exactly the same hash, but the hash changes completely if even a single byte of the data is changed. The function works in one direction only: you can't look at a hash alone and tell what data was used to create it. (The hash is usually short in comparison to the original data.)

The basic principle is that you can publicly compare two sets of data to see if they are the same without exposing that data for anyone to see. Each side calculates a hash over what they're comparing using the same known algorithm, and then the two results are compared. If a third party had tampered with even a single byte of the original data in between, the hashes would be completely different afterwards.

Because these are one-way hashes, there is always the possibility of assembling an arbitrary arrangement of bytes that produces the same hash (known as a collision). This is highly improbable, difficult, and time-consuming; however, it is still theoretically possible to produce a SHA-1 collision within the limits of existing technology. SHA-2 hashes are more secure; they use improved algorithms and larger hashes.

What is a SHA-2 certificate?

A certificate is a file store containing a key that's signed by the issuer of the key. If you inspect the Details tab of the certificate in Windows, you can see the signature algorithm that was used to sign the key.

A SHA-2 certificate is simply one where the signature algorithm used to sign the key is a SHA-2 algorithm (e.g., SHA-256).

[Image: a SHA-1 certificate]

What is the difference between this and using the certificate to create a SHA-2 signature?

The certificate is a means of presenting a public key to your trading partners, but the keys themselves are used to perform additional cryptographic operations during the course of your communications. A private key can be used to sign a message for a partner, but the signature algorithm selected for that operation is not tied to the signing algorithm used to create the certificate. In this way, a SHA-1 certificate (like the certificate pictured above) can be used to sign a message using SHA-2, and, likewise, a SHA-2 certificate can be used to sign a message with SHA-1.
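The two algorithms are recorded in different places, which the following added example (not code from Arc or the AS2 Connector) makes visible: it reads the issuer's signature algorithm from a certificate's DER encoding and, separately, the hash declared for a signed AS2 message. It assumes the message hash is taken from the micalg parameter of the multipart/signed Content-Type header; the function names and both sample inputs are constructed for illustration.

```python
from email import message_from_string

# DER-encoded OID content bytes (hex) -> X.509 signature algorithm name
CERT_SIG_OIDS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a864886f70d01010c": "sha384WithRSAEncryption",
    "2a864886f70d01010d": "sha512WithRSAEncryption",
    "2a8648ce3d0401": "ecdsa-with-SHA1",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_signature_algorithm(der):
    """Algorithm the issuer used to sign the certificate (outer signatureAlgorithm)."""
    _, start, _ = read_tlv(der, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = der[oid_start:oid_end].hex()
    return CERT_SIG_OIDS.get(oid, "unknown OID " + oid)

def message_micalg(headers):
    """Hash the sender declared for the message signature; the signature itself
    also names its digest algorithm, so treat micalg as a declaration only."""
    return message_from_string(headers).get_param("micalg", "unknown")

def uses_sha1(name):
    return "sha1" in name.lower().replace("-", "")

# Constructed samples: stub DER skeleton (not a real certificate) and an AS2 header.
SAMPLE_CERT = bytes.fromhex("30183003020100300d06092a864886f70d010105050003020000")
SAMPLE_HEADERS = ('Content-Type: multipart/signed; micalg=sha-256; '
                  'protocol="application/pkcs7-signature"; boundary="b1"\n\n')

if __name__ == "__main__":
    print(cert_signature_algorithm(SAMPLE_CERT), "|", message_micalg(SAMPLE_HEADERS))
```

For the constructed samples, the certificate reports sha1WithRSAEncryption while the message declares sha-256, which is the SHA-1 certificate signing with SHA-2 case described above.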

Okay, so what does my version of the application support?

Early versions of the AS2 Connector (Version 7 of the /n software IP*Works! EDI AS2 Connector and version 2 of the /n software AS2 Connector) do not support the creation or verification of SHA-2 signatures, but SHA-2 certificates can be configured in the application. Windows will validate the signature in the certificate, and the application will simply access the key therein.

Beginning with version 3 of the AS2 Connector and continuing on into Arc, the application supports both the configuration of SHA-2 certificates and the creation and verification of SHA-2 signatures. Please note, however, that SHA-2 signing is an optional protocol in AS2, and not all AS2 solutions support transmissions that were created with SHA-2 signatures.

FAQs

What is the difference between SHA-1 and SHA-2?

SHA-1 is a 160-bit hash. SHA-2 is actually a “family” of hashes and comes in a variety of lengths, the most popular being 256-bit. The variety of SHA-2 hashes can lead to a bit of confusion, as websites and authors express them differently.

What is the difference between a SHA-1 and a SHA-2 certificate?

SHA1 employs a simpler structure compared to SHA2. It uses a 160-bit hash value and processes data in 512-bit blocks. On the other hand, SHA2's variants, including SHA256, use more complex algorithms. When you use SHA256, it processes data in 512-bit blocks but produces a 256-bit hash value.

Is SHA-2 obsolete?

"SHA-2" is the traditional codename for a family of six functions that includes SHA-256 and SHA-512. These functions are considered completely fine and current and non-obsolete.

Why have some security experts recommended replacing SHA-1 with SHA-2?

SHA1 is being replaced due to decreasing attack costs, published full hash collisions, and instances of its collision being exploited to forge digital certificates. This demonstrates SHA1's vulnerabilities compared to more secure options like SHA2 and SHA3.

Why is SHA-1 deprecated?

NIST has set the date of Dec. 31, 2030 to remove SHA-1 support from all software and hardware devices. The once-widely used algorithm is now easy to crack, making it unsafe to use in security contexts. NIST deprecated SHA-1 in 2011 and disallowed using SHA-1 when creating or verifying digital signatures in 2013.

Why is SHA-2 more secure?

One of the major benefits of using SHA-2 is that it addresses some weaknesses in the SHA-1 hashing algorithm. SHA-1 is not considered to be unsafe at this time; however, the weaknesses that have been identified make the algorithm vulnerable to possible exploitation over the coming years.

What are the disadvantages of SHA-2?

Cons of SHA-2

It's resistant to collision, to pre-image and second-preimage attacks. SHA-256 is slower than its predecessors. It addresses SHA-1's weaknesses. Some software may need updating to support SHA-2 encryption.

Is SHA-1 still valid?

As attacks on SHA-1 in other applications have become increasingly severe, NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030.

What is the safest SHA algorithm?

Common attacks like brute force attacks can take years or even decades to crack the hash digest, so SHA-2 is considered the most secure hash algorithm.

What is the flaw of SHA-1?

While SHA-1 was once considered a secure hash algorithm, it is now vulnerable to various attacks. The primary vulnerability of SHA-1 is its collision resistance, which means that it is possible to find two different messages that produce the same hash value.

Why do you think SHA-1 was retired?

The main threat to SHA-1 is the fact that today's powerful computers can create two messages that lead to the same hash, potentially compromising an authentic message – the technique is referred to as a 'collision' attack.

Why is SHA-2 irreversible?

Like all hash functions, the SHA-256 hash function cannot be reversed because it discards information. In other words, some information present in the function's input is not present in its output.

What is the difference between SHA-1 and SHA2 in IPsec?

SHA-1 is considered to be mostly insecure because of a vulnerability. SHA2 is the most secure algorithm. Fireware v11.8 and higher supports three variants of SHA2 with different message digest lengths.

How can you tell the difference between SHA-1 and SHA-256?

Regarding SHA-1 and SHA-256, their output hash length, vulnerability to brute force attacks, and overall security are the core differences. SHA-256 is newer and more secure, with a 256-bit hash length as opposed to SHA-1's 160-bit length. This difference translates directly into a higher level of security for SHA-256.

Which SHA should I use?

SHA-256 is one of the hashing algorithms that's part of the SHA-2 family (patented under a royalty-free U.S. patent 6829355). It's the most widely used and best hashing algorithm, often in conjunction with digital signatures, for: Authentication and encryption protocols, like TLS, SSL, SSH, and PGP.

Does Bitcoin use SHA2?

SHA2 is a specific hashing algorithm that is a key component to the Proof-of-Work (PoW) function for Bitcoin. A PoW is a function that is computationally expensive to compute, but easy to validate.

Article information

Author: Aron Pacocha
