On 16/05/2016 09:05 PM, John Eells wrote:
> We understand the NIST recommendation to move off SHA-1 for
> security-related purposes. However, our use of SHA-1 in this context
> has nothing to do with security, and as far as I know it was never
> intended to provide any. We are using SHA-1 just to be reasonably
> sure that what we send over the wire is what you get from a data
> integrity standpoint. (I wrote the ServerPac part of the design for
> Internet delivery.)
>
> As I hope everyone knows, we are shortly disallowing FTP connections
> at our servers. The use of FTPS or HTTPS will be required to download
> z/OS platform products and PTFs. Secure delivery using HTTPS or FTPS
> uses different algorithms for securing the link, and happens to pass
> through a package that has a SHA-1 hash of its content.
>
> So...with all that in mind...what is the actual requirement here? Does
> anyone think the probability of an undetected data integrity exposure
> is too high because we're using SHA-1? Are auditors reflexively
> telling you that any use of SHA-1 for anything at all is not
> acceptable whether or not it's security related? Something else?

If the FTPS/HTTPS connections use SHA-2 and SHA-1 is only being used to
verify the data transferred inside that connection you would hope that
auditors would be satisfied.

Presumably they would accept data transferred securely without any
additional verification step, so adding SHA-1 shouldn't cause an issue.
But in that case the SHA-1 step should also not be visible to the
network, firewalls etc. to trigger a warning.

What I would like to see is proper digital signatures for z/OS software
packaging - for IBM and other vendors. That solves the problem of
ensuring what you send is what you get as well as verifying the origin,
whatever transport is used. It might only be a matter of time before
auditors start asking for it.

Alternatively, if the FTPS/HTTPS certificates are using SHA-1 I think
the momentum of the rest of the world will force change, whether or not
it is a significant security exposure.

Andrew Rowley
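
An added example, not part of the original thread and not IBM's delivery code, showing the distinction discussed above between a SHA-1 digest carried with a package and a digital signature checked against the vendor's public key. The `Package` type, the choice of Ed25519 as the signature scheme, and the sample payloads are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// Package is a constructed stand-in for a download: content, the SHA-1
// digest shipped with it, and a detached vendor signature (assumed design).
type Package struct {
	Content []byte
	Digest  [sha1.Size]byte
	Sig     []byte
}

// NewVendorKey makes a throwaway Ed25519 key pair for the demonstration.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Build hashes and signs content as a vendor would before publishing.
func Build(content []byte, priv ed25519.PrivateKey) Package {
	return Package{Content: content, Digest: sha1.Sum(content), Sig: ed25519.Sign(priv, content)}
}

// Verify returns (digestOK, sigOK). The digest only shows the content matches
// the digest that arrived with it; the signature ties it to the vendor key.
func Verify(p Package, pub ed25519.PublicKey) (bool, bool) {
	return sha1.Sum(p.Content) == p.Digest, ed25519.Verify(pub, p.Content, p.Sig)
}

func main() {
	pub, priv := NewVendorKey()
	good := Build([]byte("constructed PTF payload"), priv)
	damaged := good // transfer damage: content differs, digest unchanged
	damaged.Content = []byte("constructed PTF pay1oad")
	replaced := damaged // content and its accompanying digest both differ
	replaced.Digest = sha1.Sum(replaced.Content)
	for i, p := range []Package{good, damaged, replaced} {
		d, s := Verify(p, pub)
		fmt.Printf("%-8s digest=%v signature=%v\n", []string{"intact", "damaged", "replaced"}[i], d, s)
	}
}
```

The digest check separates the intact package from the damaged one, while only the signature check separates the intact package from one whose content and digest were both replaced.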