A common question we receive from certificate customers: should we ask Entrust to sign our certificate with a signature using the SHA-2 hashing algorithm? Here is some information to help you make this decision.
What’s the purpose of the signature?
The purpose of the signature is to allow an end-user who is validating the certificate to ensure it was issued by a trusted certification authority (CA) and, thus, determine whether or not to trust the certificate.
The CA provides the signature and can choose from several cryptographic hash functions. MD5 was commonly used until it was found to have serious cryptographic flaws. SHA-1 is currently the most widely used hash function, and the industry is now moving to SHA-2. There is also a newly approved SHA-3 hash function, which may be deployed as a substitute to SHA-2 at a future date.
The main thing you need to understand about hash functions is they are designed to be collision- and preimage resistant.
Why should I consider using SHA-2?
As time moves along, the attacks against a given cryptographic hash function often improve. MD2 and MD5 were formerly used, but are now known to be too weak for cryptographic use. The concern is that in the not too distant future the SHA-1 hash will also be found to be too weak.
What are the hash attacks?