0

Hi, is using SHA 1 with RSA encryption for an SSL certificate secure? As far as I know, SHA 1 is not secure, but if we use RSA with SHA1, will it still be an issue? Please suggest if any security issues exist.

Veeru
You can't make a blanket statement like "sha1 is not secure"; it depends on why and how it's used. Some applications are indeed "broken", which is why it's easier to dismiss than figure out risks, but not all uses are bad. – dandavis Oct 12 '18 at 17:06

2 Answers

2

There is no "SHA1 with RSA encryption" for certificates used in SSL. In the context of certificates, the owner of the certificate has a key pair (RSA, ECC...), and the public key part is included in the certificate. SHA1 (or another hash algorithm) is used as a cryptographic hash within the signature, and the private key (RSA, ECC...) of the issuer certificate is used in this signature too (for signing, not encrypting).

SHA1 is no longer considered secure for use in certificate signatures - use SHA2 (i.e. SHA256, SHA384... etc) instead.

Steffen Ullrich
2

RSA is the signing (not encrypting, despite what the text says) algorithm, and it operates on a hash of the content to be signed.

SHA1 is the hashing algorithm (it produces a short, one-way non-reversible version of the full certificate) that is used to produce the string which RSA then signs.

If the hash is weak to pre-image attacks - that is, if it is at all feasible for an attacker to find pre-hashed data (in this case, a certificate) that when hashed produces the same digest (short string) - then that hashing algorithm is unsuitable for certificate hashing. That's because if both a legitimate and a fraudulent certificate have the same hash, then the signature of the fraudulent certificate (if it were to be signed by the same signer) would be the same. Thus you can take the fraudulent certificate and append the signature from the genuine one, and it will pass signature verification.

Because SHA1 has known weaknesses to some collision and pre-image attacks, and it has been demonstrated possible to produce a binary blob that constitutes a valid (if weird) cert whose hash collides with a genuine one, it's not safe to use SHA1 for signing certificates. This is true whatever the actual digital signature primitive (in this case, RSA) might happen to be.


However, all of the above is irrelevant for root certificate authorities (and any other self-signed certificate), because your software trusts those directly and doesn't rely on their signature to prove anything. The signature is only relevant for determining the "chain of trust" between a "leaf" certificate (such as for a TLS server) and a root CA.

CBHacking
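
The point both answers make, that the issuer's signature covers only the digest and so the strength of RSA cannot compensate for a weak hash, shown as an added example that is not part of either answer. It assumes toy textbook RSA without padding and uses SHA-256 truncated to 16 bits as a stand-in for a broken hash; all function names and sample data are constructed for illustration.

```python
import hashlib
from itertools import count

# Toy RSA issuer key built from two Mersenne primes (constructed for this
# example; far too small for real use, and no padding is applied).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(data: bytes, nbytes: int) -> int:
    """SHA-256 truncated to nbytes; 2 bytes stands in for a broken hash."""
    return int.from_bytes(hashlib.sha256(data).digest()[:nbytes], "big")

def sign(tbs: bytes, nbytes: int) -> int:
    """Issuer signs the digest of the to-be-signed data, never the data itself."""
    return pow(digest(tbs, nbytes), D, N)

def verify(tbs: bytes, signature: int, nbytes: int) -> bool:
    """Relying party recomputes the digest and compares it to the signed one."""
    return pow(signature, E, N) == digest(tbs, nbytes)

def find_same_digest(target: bytes, prefix: bytes, nbytes: int) -> bytes:
    """Search for a suffix so prefix+suffix hashes like target (toy widths only)."""
    want = digest(target, nbytes)
    for i in count():
        candidate = prefix + str(i).encode()
        if digest(candidate, nbytes) == want:
            return candidate

def demo() -> dict:
    genuine = b"subject=example.test;ca=false"   # constructed sample data
    prefix = b"subject=other.test;ca=true;pad="  # constructed sample data
    weak, wide = 2, 8                            # digest widths in bytes
    other = find_same_digest(genuine, prefix, weak)
    sig_weak = sign(genuine, weak)               # signature made with the weak hash
    sig_wide = sign(genuine, wide)               # same key, wider hash
    return {
        "genuine_ok": verify(genuine, sig_weak, weak),
        "other_accepted_weak_hash": verify(other, sig_weak, weak),
        "other_accepted_wide_hash": verify(other, sig_wide, wide),
    }

if __name__ == "__main__":
    print(demo())
```

The RSA key is identical in both cases; only the digest width decides whether the signature issued for one input also verifies for a different one.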