MS creates security algorithm black list


MS creates security algorithm black list

Microsoft has banned its developers from using a number of security algorithms because they deem them to have become unsafe. The company has said its developers should not use DES, MD4, MD5 and, in some cases, the SHA1 encryption algorithm.

The MD4 and MD5 algorithms – part of the message digest algorithm developed at MIT in the early 1990s - are used to encrypt information in Microsoft applications and for digital signatures. DES (Data Encryption Standard) is a longstanding encryption method used in networking protocols.

In their place Microsoft recommended use of the Secure Hash Algorithm 256 (SHA256) encryption algorithm and AES (Advanced Encryption Standard).

Microsoft developers who write any of the proscribed algorithms into software will be alerted by automated code scanning tools and prompted to use more secure methods.

Butler senior research analyst Michael Azoff said users should check that no software in their organisation relies on these forms of encryption.

“Where you are using Microsoft applications with these forms of encryption you will want to update these to more recent, more powerful standards. The first step should be to audit the applications you have that use Microsoft security components. In most cases it is probably a straightforward update that will be covered by a patch, but if you are not certain about the security of software then you should consider not using it until a fix can be found, especially in cases where older software is being linked up to the web,” he said.

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy