On a recent project I was asked to upgrade the security algorithm used from SHA1 to SHA256 The project was broken up into 2 code bases, the first being a Java code base which was used to communicate with Adobe LiveCycle ES2.5 and the second being a C# code based used to communicate with Microsoft SharePoint
When making the change on the Java side, it was a pretty simple, straight forward change. Basically it was changing a line that looked like:
MessageDigest algorithm = MessageDigest.getInstance("SHA1");
To just switch out the MessageDigest type like:
MessageDigest algorithm = MessageDigest.getInstance("SHA256");
However, making the change on the C# side was not as simple, although it appeared that it would be.
The Background
I basically needed to switch out the hashing algorithm on a project from using SHA1 to using SHA256 in both Java and C# components.
The Problem
The SHA1 implementation was using the SHA1CryptoServiceProvider. This seemed to be working fine implemented in a manner similar to below:
This worked well providing correct SHA1 hashed results:
However, switching to the SHA256CrptoServiceProvider generates the following error:
"The specified cryptographic algorithm is not supported on this platform."
The Resolution
As the error suggests, I started looking into possible limitations of the operating system. Basically what I found out was that SHA2 algorithms are not supported at the OS level for Windows versions that are prior to Vista. Since the company I was contracting for at the time only supported XP, I was out of luck. (I found this article helpful when trying to understand the issue.) This would also explain why the switch was easier to make on the Java side since it is not OS dependent.
To overcome the issue I was switch from using SHA256CrptoServiceProvider class which lets the OS calculate the hash, to using the SHA256Managed class which is a fully managed implementation.
The code below is an example of the managed solution’s implementation.
Probably the biggest reason this through me off was because in Java, it was as easy as passing in the new algorithm type. Componded with the fact that in C# it looked that easy because there was a similar class as to what was already implemented, I spent more time on this then was necessary. This is why I IssueBlogged It.
I remember when MSN used to used sha1 encryption. Old school man! Built an msnp9 messenger from vb6 and used this site as a reference:
http://www.hypothetic.org/docs/msn/research/msnp9.php
…sha1 is great, but crackable now (duplicates). Glad you switched!
Yes, and although SHA-2 is not known to have been cracked yet, it’s algorithm has some parts based on the SHA-1. Currently the SHA-3 algorithm is not released yet but is scheduled for completion in 2012. From what I read it is going to be a completely new algorithm then what we’ve seen in the past.