What Windows Operating Systems Support SHA2 Functionality?

Solution

Below is a list of Windows Operating Systems that support SHA2 functionality and recommendations on how to update Windows Operating Systems to support SHA2.

Windows XP:

Prior to Windows XP Service Pack 3, the SHA2 functionality was not supported on the Windows XP Operating System. With the release of Service Pack 3 some limited functionality for SHA2 was added to the crypto module rsaenh.dll. This includes the following SHA2 hashes: SHA-256, SHA-384 and SHA-512. SHA-224 was not included in this update.

Windows Server 2003:

IMPORTANT: We recommend that you contact your server vendor for further assistance installing the suggested hotfix from Microsoft. For more information on how to list the software updates applied to a Microsoft system, click here.

Windows Server 2003 Service Pack 1 and Service Pack 2 do not inherently support SHA2.
However, a hotfix can be downloaded for this operating system from the following Microsoft Knowledge Base articles: KB938397 and KB968730.

Note: It was discovered that Windows 2003 Service Pack 2 with KB938397 installed cannot request a SHA2 certificate from a Windows 2008 server. KB968730 addresses this issue, and KB968730 supersedes KB938397. So if Windows Server 2003 Service Pack 1 or 2 needs to enroll for and process a SHA2 certificate from Windows Server 2008, only KB968730 needs to be installed.

Windows Vista, Windows 7, Server 2008 and Server 2008 R2:

Starting with Windows Vista and Server 2008, the Cryptography Next Generation (CNG) Suite B algorithms, including SHA2, are included in the operating system.

Note: Even though the algorithms are available, it is up to the individual applications to implement support.

Outlook and S/MIME:

Outlook 2003, 2007 and 2010 running on Windows XP Service Pack 3 can sign and validate certificates when the certificate is SHA2 signed. Outlook 2003, 2007 and 2010 running on Windows XP Service Pack 3 cannot validate email messages when the message is signed with SHA2 regardless of the certificate used. Outlook 2003, 2007 and 2010 running on Windows XP Service Pack 3 cannot sign a message with SHA2, only SHA1 and MD5 are supported.

In order to validate SHA2 messages, Windows Vista with Outlook 2003 or newer is needed. In order to both sign and validate SHA2 messages, Windows Vista or Windows 7 with Outlook 2007 or Outlook 2010 is needed.

Note: Regardless of the functionality Windows and Outlook provide, mail delivered between two users passes through a number of spam filters, relays, mailboxes, etc., from a wide range of vendors running on a wide range of platforms. These need to be tested before deploying SHA2 to ensure compatibility.

Recommendations:

For organizations looking to deploy SHA2 the following is recommended:

  • For Windows XP users, Service Pack 3 should be deployed.
  • If a Windows XP system needs to be used to enroll for a SHA2 certificate, KB968730 should be deployed.
  • For Windows Server 2003, Service Pack 1 or 2 and KB938397 should be deployed.
  • If Windows Server 2003 needs to be used to enroll for a SHA2 certificate, Service Pack 2 and KB968730 should be deployed. If planning on deploying KB968730, installing KB938397 is not necessary.
  • If S/MIME using SHA2 is needed for sending email messages, the workstations will need to be updated to Windows Vista running Office 2003 or newer.
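As an added example (not part of the original article), the following PowerShell script inventories a single host against the points above: OS version and service pack, whether KB938397 and KB968730 are present, and whether the OS crypto provider actually exposes SHA-256, SHA-384 and SHA-512. It assumes PowerShell 2.0 or later and .NET Framework 3.5 SP1 or later on the host; the SHA*CryptoServiceProvider classes used for the probe are an assumption about that environment, not something the article names.

```powershell
# Added example: report one host's SHA2 readiness per the article's recommendations.
# Assumes PowerShell 2.0+ and .NET 3.5 SP1+ (needed for the SHA*CryptoServiceProvider
# classes, which call the OS crypto provider rather than a managed fallback).
function Test-Sha2Support {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $major = ([version]$os.Version).Major

    # Hotfixes named in the article; only meaningful on Windows XP / Server 2003.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $hasKB938397 = $installed -contains 'KB938397'
    $hasKB968730 = $installed -contains 'KB968730'

    # Probe the OS-backed providers. SHA-224 is not probed: the article notes it was
    # never added to rsaenh.dll on XP SP3, and .NET has no CSP class for it. Any
    # exception here means the provider (or .NET build) lacks that algorithm.
    $probe = @{}
    foreach ($name in 'SHA256', 'SHA384', 'SHA512') {
        $typeName = "System.Security.Cryptography.${name}CryptoServiceProvider"
        try {
            $h = New-Object $typeName
            $null = $h.ComputeHash([System.Text.Encoding]::ASCII.GetBytes('abc'))
            $h.Clear()
            $probe[$name] = $true
        } catch {
            $probe[$name] = $false
        }
    }

    New-Object PSObject -Property @{
        OS          = $os.Caption
        Version     = $os.Version
        ServicePack = $os.CSDVersion
        KB938397    = $hasKB938397
        KB968730    = $hasKB968730
        SHA256_OS   = $probe['SHA256']
        SHA384_OS   = $probe['SHA384']
        SHA512_OS   = $probe['SHA512']
        # Article's rule: Vista/2008 and later (major version 6+) ship CNG with SHA2;
        # XP/2003 need KB968730 to enroll for a SHA2 certificate (it supersedes KB938397).
        EnrollReady = ($major -ge 6) -or $hasKB968730
    }
}

Test-Sha2Support | Format-List
```

Run it on each XP or Server 2003 host before deployment; a host with EnrollReady false, or any SHA*_OS false, still needs the service pack or hotfix the recommendations call for.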

Summary Chart:

Additional Information about SHA2 compatibility and Windows Operating Systems can be located at the links below.

SHA2 and Windows:
http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

National Institute of Standards and Technology (NIST) SHA2 Recommendations:
http://csrc.nist.gov/publications/nistpubs/800-78-3/sp800-78-3.pdf
http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf