TECHNICAL COMMUNICATION SafeNet / Gemalto

For customers with cryptographic devices from SafeNet / Gemalto

Purpose of this communication

We inform you that, starting with version 10.5, the SafeNet Authentication Client application will sign with the SHA2 algorithm by default, and the SHA1 algorithm will be disabled. If your application is configured to generate signatures with the SHA1 algorithm, you will receive an error message.

This change is mandatory due to pre-established security policies. This communication describes the actions to take into account and how to mitigate this situation.

Introduction

There is a significant movement throughout the industry that is rapidly forcing the end of the SHA-128 (SHA-1) algorithm in order to adjust security controls. These changes are driven by a combination of NIST guidelines (the National Institute of Standards and Technology of the USA), Microsoft’s Windows® Root Certificate Program, the CA/Browser Forum formed by the certification authorities and browser vendors, the data security standard of the payment card industry (PCI DSS), and Gemalto’s own analysis of the evolving cryptographic environment.

As an example, no public certifying authority can issue a server certificate whose signature algorithm is SHA1.

Currently, SHA-1 continues to be a secure algorithm and no known critical breaches have been reported with certificates using SHA-1. However, experts in cryptography around the world believe that the use of the SHA-1 algorithm could be vulnerable to attacks in the not so distant future. That is the main reason to move to a stronger algorithm.

That is why, as of version 10.5 of SafeNet Authentication Client (SAC), the default algorithm will be SHA-256 and the SHA1 algorithm will be disabled. Beyond this default option, it will be possible to enable the SHA1 algorithm by adding a key in the Microsoft Registry Editor [1]:

[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto]

"Disable-Crypto"="None"

Additionally, the following algorithms and cryptographic features are restricted and obsolete:

MD5
RC2
RC4
DES
2DES
GenericSecret <112
RSA-RAW
RSA <2048
ECC <224
ECB
Sign-SHA1

The default list of deprecated cryptographic algorithms and features may vary to meet NIST requirements in future versions. It is your responsibility to verify that it is compatible with third-party applications.
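
To find machines where the Disable-Crypto override described above has been set, the following PowerShell function reads the value and reports its state. It is an added example, not code from SafeNet, Gemalto or CertiSur; the key path and value name are taken from this communication, while the function name and the extra check of the 32-bit registry view are assumptions.

```powershell
# Added example: audit the Disable-Crypto override described in this communication.
# Key path and value name come from the communication itself. Checking the 32-bit
# registry view too is an assumption (32-bit applications see HKLM\SOFTWARE
# through WOW6432Node). Get-SacCryptoOverride is a hypothetical name.
function Get-SacCryptoOverride {
    [CmdletBinding()]
    param(
        [string]$SubKey    = 'SOFTWARE\SafeNet\Authentication\SAC\Crypto',
        [string]$ValueName = 'Disable-Crypto'
    )

    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key = $null
        try {
            # Read-only open; returns $null when the key does not exist.
            $key   = $base.OpenSubKey($SubKey)
            $value = if ($key) { $key.GetValue($ValueName, $null) } else { $null }

            $status = if ($null -eq $value) {
                'Default: no override present'
            } elseif ("$value" -ieq 'None') {
                'OVERRIDE: SHA1 signing re-enabled'
            } else {
                'Other value set; check the Administrator Guide'
            }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                View     = $view
                Value    = $value
                Status   = $status
            }
        } finally {
            if ($key) { $key.Dispose() }
            $base.Dispose()
        }
    }
}

Get-SacCryptoOverride | Format-Table -AutoSize
```

Any row reporting OVERRIDE identifies a workstation that still permits SHA1 signatures and should be reviewed once the dependent application has moved to SHA2.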

It is important that you take advantage of this advance notice to evaluate your applications on both the client and the server side, and to determine what steps should be taken so that you can sign digitally with the SHA2 algorithm. For example, if your user population consists of Internet Explorer® 7 (and higher) on Windows Vista SP2 (and higher), all your users will be able to handle SHA-2.

If you use proprietary applications or other hardware devices, consult your documentation or contact the vendor to make a determination. Careful analysis and a structured update plan will ensure that your users experience minimal disruption during these vitally important transitions.

The PTA (Personal Trust Agent) application only allows you to sign with the SHA1 algorithm. Therefore, if your certificate is installed in a cryptographic device, you use SafeNet Authentication Client 10.5 or higher, and you try to sign with PTA, you will receive an error message.

Alison SDK, the application developed by CertiSur to sign transactions from any browser, allows you to define either SHA1 or SHA2 as the signature algorithm when incorporating the signature capability into your site.

In addition, Debbie, the signature verification tool developed by CertiSur, supports the validation of signatures made with SHA1 or SHA2.

Technical support

If you have any questions or concerns, contact CertiSur Support through this link: https://www.certisur.com/soporte

[1] More information in the document SafeNet Authentication Client 10.6 Administrator Guide Windows Rev_B.pdf, page 114, Security Settings.