How to Generate a SHA-1 Certificate Inventory
Background to the SHA-1 changes
The Secure Hash Algorithm is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS). SHA-1 is a 160-bit hash function which resembles the earlier MD5 algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.
It is recommended that you don’t use SHA-1 certificates past 2016 for a number of reasons:
- Google are planning to penalize sites that use SHA-1 certificates that expire during 2016 and after.
- Microsoft is to retire support for SHA-1 certificates in the coming months. Sites using SHA1 will be blocked come January 2017.
- Browser vendors are shutting down support for SHA-1 digital certificates.
What you need to do right now
If you are running public facing web services, then this problem may seem obvious. However, many network devices such as printers run web engines so the SHA-1 issue will impact on nearly all computer networks. The advice is to spend some time looking at the problem now, rather than wait for user complaints in 2017. At a minimum, we recommend the following:
- Inventory your existing certificates. This can be tricky if you do not have network monitoring tools in place. If you don’t have anything at present, you can download a trial version of our LANGuardian product which has SHA-1 reporting built-in.
- Replace SHA-1 certificates that expire after 2015. This may require a new server platform as operating systems such as Windows Server 2003 are not able to support SHA256 certificates.
- Ensure new certificate and their chains are based on SHA-2.
Generating a SHA-1 inventory using network traffic analysis
LANGuardian 14.1 includes a new feature that allows you to generate a list of all servers on your network running SSL services. Those devices that need to be updated are highlighted within the report. LANGuardian uses network traffic as data source, so you just need to setup a SPAN or mirror port on your core switch to get started. We have a couple of video guides on this subject within the resources section of this website which explain things in more detail.
To access the SSL reports, you need to click on All Reports from within the LANGuardian GUI and navigate to the Inventory section. If you don’t have an inventory section, you will need to upgrade your LANGuardian to the latest release. Please contact our support team if you have any questions about this.
You can filter based on variables like IP addresses, subnets and specific time ranges. Servers running expired or outdated protocol versions will be highlighted in red.
The IP address link within the report allows you to drill down and see what clients are connecting to this server. This can be very useful data, if you are planning to shut down any outdated systems. In my example, the device is actually a printer running an insecure SHA-1 certificate.
In some cases, you may need to replace certificates running on servers where in others situations, you may need to do firmware updates. Whatever the remedy, you can use LANGuardian to check if the device or server is updated. Just run the Servers Running SSL report again and change the date\time filter so you are looking at data which was captured after the time of upgrade.
NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort’s flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions from monitoring user activity to file activity monitoring, web activity monitoring, network security monitoring, bandwidth troubleshooting, wire data analytics, network forensics to packet capture.
To see LANGuardian in action – try our interactive demo today!